Office of the Victorian Information Commissioner releases the investigation into use of surveillance by the University of Melbourne during a student protest in 2024. The University breached Information Privacy Principle 1.3
August 21, 2025
The Privacy and Data Protection Commissioner has found that the University of Melbourne breached Information Privacy Principle (IPP) 1.3 in tracking its students who were engaged in a sit-in protest in May 2024 and were subject to a direction by the Vice Chancellor to leave on 20 May 2024.
The investigation is a useful consideration of IPPs 1.3 and 2.1 under the Privacy and Data Protection Act (Vic). The analysis and principles apply to the extent to which a collector of personal information informs those who own that information what it will be used for. It also considers whether the use was consistent with the purpose of gathering the information or was a permissible secondary purpose.
Beyond making a finding against the University, the Information Commissioner’s Office could take no action against the University notwithstanding an egregious and serious breach of the Act. The only action that could be taken is a Compliance Notice, which is little more than a notice saying one should fix problems. That’s it. That highlights the fundamental weakness in the legislation. In the United Kingdom the Information Commissioner has the power to impose monetary penalties on agencies.
The lack of meaningful action taken against the University by the regulator does not mean those whose privacy was interfered with don’t have causes of action in the courts.
The Report is 31 pages long but some relevant points made include:
Regarding Function creep
Foreword
Social licence and function creep are two important concepts in interpretation of the relationship between human rights and technology. When governments or other official bodies implement technology, society expects them to respect human rights, including the right to privacy. This is usually achieved through the preparation of a Privacy Impact Assessment, and through communication with affected stakeholders about the purpose of the technology and the ways in which its use will be governed.
The University engaged in function creep by using surveillance of users of on-campus Wi-Fi in disciplinary proceedings it began after a protest. The University introduced the Wi-Fi tracking capability some years ago, for the purpose of network management, with a reassurance that it would not be used to surveil individuals. The University subsequently used the capability for disciplinary purposes, because it was already in place, without substantially considering the human rights or privacy impacts of doing so. In failing to consult with stakeholders about the policy change, the University failed to obtain a social licence for the use of this technology.
and
The delivery method for the Notices related to Wi-Fi use – an on-screen pop-up – was also not an effective mechanism for explaining complex terms and conditions.
and
…the governance and authorising processes the University used to authorise access to staff email accounts fell below the standard the Deputy Commissioner expects. This access occurred after the urgency of protest had passed, and could have been dealt with more carefully
These factors contributed to a breach of the Information Privacy Principles (IPPs). Because the collection and use of the data involved the surveillance of students and staff, and surveillance by its nature is antithetical to human rights, the breach was serious.
…Surveillance of individuals should only ever be undertaken in the most serious of circumstances, where clear guidelines are available, authorising processes are well-managed, and individuals understand the purpose and limitations of the use of the information. The University has undertaken to amend its Collection Notices, and its governance of the management of information collected, to remedy these defects
Executive Summary
Specifically, the Deputy Commissioner sought to determine:
- whether the University properly informed students and staff about how their personal information – in the form of Wi-Fi location data and staff emails – would be used (IPP 1.3); and
- whether the University’s use of Wi-Fi location data and staff emails for the purpose of identifying individuals in a misconduct investigation was consistent with the primary purpose of collecting this information or was for an authorised secondary purpose (IPP 2.1).
and
A pivotal event during the sit-in protest was the issuing of the Vice-Chancellor’s Direction to Leave on 20 May 2024, which directed all persons occupying the Arts West Building to leave the University grounds and remove all personal property. It also advised that those refusing to comply with the direction would be subject to consequences such as suspension, internal disciplinary action, or referral to the police.
When it became clear that some individuals were not complying with the Direction, the University commenced investigations as to whether any student misconduct had occurred.
The University used a combination of student Wi-Fi location data, student card photographs and CCTV footage to identify students who failed to leave the Arts West Building after the Direction to Leave. In so doing, the University identified 22 students who were persistently in the building after the Direction to Leave was issued
and
The University also identified that some staff were involved in the protest through analysis of Wi-Fi location data, CCTV footage, and a review of 10 staff members’ email accounts. The email discovery process resulted in six staff being excluded from further investigation, and four staff being identified as having potentially failed to comply with the Direction to Leave.
and
In terms of IPP 1.3, the Deputy Commissioner considered whether the University took reasonable steps to make students and staff aware of why their personal information was being collected, and how their personal information would be used. That is, that it could or would be used to determine their location as part of a misconduct investigation. Providing prior notice generally gives individuals the opportunity to consider whether they will proceed with their interaction knowing what information will be collected and how it will be used
and
In terms of IPP 2.1, the Deputy Commissioner considered whether the University’s use of Wi-Fi location data to identify students and staff for potential misconduct proceedings was for the same purpose as that for which the information was originally collected or was for a permitted secondary purpose. The University asserted that this was the case.
and
The Deputy Commissioner determined, however, that it could not be said that the University’s primary purpose or intention when it initially collected the Wi-Fi location data was to potentially investigate misconduct that was unrelated to the use of the University network. Therefore, for the University to establish that its use of personal information was permitted under the IPPs, it needed to demonstrate that it was for one of the limited permitted secondary purposes as set out in IPP 2.1(a)–(h). The University was unable to demonstrate this to the Deputy Commissioner’s satisfaction, and so she found that the use of Wi-Fi location data to identify individuals in the Arts West Building was not for a permitted secondary purpose
and
In summary, the Deputy Commissioner found that the University contravened IPPs 1.3 and 2.1 in relation to the use of Wi-Fi data. Taking into account the number of individuals impacted and the level of impact on these individuals, the Deputy Commissioner determined that the contraventions were “serious”. The decision on whether to issue a compliance notice therefore required the Deputy Commissioner to consider the causes of the contraventions, any relevant changes implemented by the University, or undertakings to do so, and whether any additional action would be required to ensure future compliance with the IPPs.
In the final stages of this investigation, the University advised the Deputy Commissioner that it had taken a range of actions aimed at satisfying the requirements of a potential compliance notice. Actions included developing a surveillance policy and associated procedures (in progress), promoting the new surveillance policy to all staff and students, amending the Wireless Terms of Use and Provision and Acceptable Use of IT Policy, and implementing a process for providing all new users of the University email system with a notice of collection. The University also undertook to report to the Deputy Commissioner when each of these actions have been implemented.
How did the University identify protesters who participated in the sit-in?
Identification of students
20. As part of its investigation into whether there was any student misconduct, the University sought to identify those students who participated in the sit-in after it issued its Direction to Leave. The key sources for doing so were:
- Wi-Fi location data was used to identify the usernames of individuals who logged on to the University network in the Arts West Building between 20 and 23 May 2024.
- Student card photographs were located for relevant students based on the Wi-Fi
- CCTV footage was used to verify students who were present – by reviewing limited sections of footage (based on the timing of Wi-Fi access) and matching footage of student faces against student card photographs.
The University’s decision to use Wi-Fi location data
23. Much of the University’s discussion around using Wi-Fi location data as part of misconduct investigations was verbal, with little documentary evidence. The University acknowledged this, saying that “the authorisation and instructions for [using Wi-Fi location data] were largely verbal due to the dynamic and complex nature of the situation and operating environment at that point in time”. The proposal to use Wi-Fi location data to identify relevant students first arose on 20 May 2024, and the authorisation for doing so came on the same day
IPP 1.3 – Did the University take reasonable steps to make students and staff aware of the purposes for which their Wi-Fi location data was collected?
35. IPP 1.3 sets out that:
At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of—
- the identity of the organisation and how to contact it; and
- the fact that the individual is able to gain access to the information; and
- the purposes for which the information is collected; and
- to whom (or the types of individuals or organisations to which) the organisation usually discloses information of that kind; and
- any law that requires the particular information to be collected; and
- the main consequences (if any) for the individual if all or part of the information is not provided.
and
37. The main purpose of the IPP 1.3 requirement has been described by Bell J in the matter of Jurecek v Director Transport Safety Victoria as being “to promote governmental transparency and respect for autonomy and dignity of individuals with respect to their personal information”. This requirement is usually met by the organisation providing an individual with a notice of collection.
and
40. The University referred to the following documents in asserting that it made individuals aware that Wi-Fi location data could be used to identify their whereabouts as part of a misconduct investigation:
- Wi-Fi ToU
- Provision and Acceptable Use of IT Policy (Use of IT Policy)
- Property Policy
- Student Privacy Statement
- Staff Privacy
and
52. For the reasons below, the Deputy Commissioner found that the University failed to take reasonable steps to make individuals aware of the purposes for which their Wi-Fi location data was collected and may be used, in contravention of IPP 1.3.
53. Firstly, in assessing the relevant threshold of what would be reasonable in the circumstances, the Deputy Commissioner considered the nature of the practice in question.
54. Using Wi-Fi location data to determine a person’s physical whereabouts as part of a misconduct investigation is a form of surveillance.
55. Given this, the Deputy Commissioner considered that reasonable steps under IPP 1.3 would require the University to be clear, explicit, and unambiguous with students and staff that their Wi-Fi location data may be used for such purposes.
56. Applying this lens in the current circumstances, the Deputy Commissioner found that the University failed to take reasonable steps to provide notice to students and staff that their Wi-Fi location data could be used to identify their whereabouts as part of a misconduct investigation unrelated to their use of the network.
57. As noted above, the function of the Wi-Fi location data system had been amended since it was first introduced, without the University engaging in discussion with students and faculty about the changes before they were implemented. This function creep, while it happened over many years, would have necessitated clear and unambiguous guidance to people connected to the network.
58. In terms of the form of providing notice:
- While it was intended that new users would be prompted to read and “accept” the Wi-Fi ToU, as noted above, it appears that this functionality may not have been working from April
- It is not reasonable to assume that all individuals would have searched for and read the Use of IT Policy, Property Policy, Student Privacy Statement, Staff Privacy Statement or the Wi-Fi ToU (for staff with access to the Staff Hub) that the University relied upon.
62. The Deputy Commissioner determined that a single clause about compliance with other University policies included in a policy related to IT network use was an insufficient method of attempting to communicate the broader purposes of collection and use that the University felt it wanted to undertake. It represented an important moment of failure in the need for clear and specific
IPP 2.1 – Was the University’s use of Wi-Fi location data for the primary purpose of collection?
68. In assessing whether an organisation’s use of personal information was consistent with the primary purpose of collection, the starting point is to ascertain what that primary purpose was.
69. In doing so, the concept of “purpose” should be understood as being “synonymous with the intent with which personal information was collected” and should be defined in a specific way.
70. The primary purpose of collection can be inferred from or implicit in the circumstances of collection, or it may be identified from the purposes listed in an organisation’s notice of collection (if one exists).
and
72. The University asserted that it collects Wi-Fi location data for the primary purposes of:
- facilitating access to the Wi-Fi service
- maintaining the network
- IT security and threat detection, including where necessary, identifying individuals as part of investigating activities that may indicate a realised or attempt to compromise any of the University’s systems or services
- facilitating the investigation of an activity that may be contrary to University policy, or to substantiate an allegation of misuse
- performing the powers of the University under the University of Melbourne Act 2009 (Vic) to control and manage its property, and to regulate persons entering onto the property of the University.
and
77. While accepting that an organisation may have more than one primary purpose when collecting personal information, in the present circumstances the Deputy Commissioner could not accept that investigating misconduct was a primary purpose of collecting Wi-Fi location data.
78. The University confirmed to OVIC that it collects Wi-Fi location data on a continuous basis for every user who is connected to its Wi-Fi system, but that it had never previously used Wi-Fi location data to determine an individual’s whereabouts as part of a misconduct investigation.
79. Taking these facts into account, it clearly cannot be said that the University’s primary purpose or intention when it initially collected the Wi-Fi location data of staff and students was to investigate misconduct that was unrelated to the use of the University network. It was about the security and functionality of the network.
IPP 2.1(a) – Was the use of Wi-Fi location data for a secondary purpose that an individual would reasonably expect?
82. Under IPP 2.1(a), an organisation may depart from the primary purpose rule and use personal information for a secondary purpose if:
Both of the following apply –
- The secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
- The individual would reasonably expect the organisation to use or disclose the information for the secondary purpose.
and
88. It is possible that using Wi-Fi location data to investigate usage of the Wi-Fi network – investigating a network security breach, for example – would be considered a purpose related to the primary
89. However, the use of Wi-Fi location data in the circumstances was not focussed on how individuals used the Wi-Fi network. It was used to determine their physical whereabouts, as part of a misconduct investigation unrelated to how they used the Wi-Fi network.
90. Therefore, the connection between the primary purpose of collection of Wi-Fi location data and the secondary purpose for which it was used is too remote to be considered “related”.
IPP 2.1(e) – Was the use of Wi-Fi location data a necessary part of an investigation into unlawful activity?
119. The Supreme Court of Victoria has recognised that the IPPs should be interpreted as beneficial human rights legislation, noting that they give domestic legal effect to Australia’s international human rights obligations.
120. In Jurecek v Director Transport Safety Victoria, the Supreme Court described that an interpretation of what is necessary should be informed by the concept of “reasonable proportionality” which requires:
‘a consideration of what is at stake for the individual (including the nature of the personal information in question) and balancing, in a reasonably proportionate way, the nature and importance of any legitimate purpose and the extent of the interference’.
121. In the context of IPP 2.1(e), the proportionality test means that even where an organisation is investigating potentially unlawful activity in the furtherance of legitimate purposes, it cannot do so at all costs to individuals’ privacy.
and
124. However, in order to be “necessary” for the purpose of IPP 2.1(e), it is not sufficient that the use of the Wi-Fi location data was relevant, useful, or convenient to achieving the ends pursued by the University, but whether it was a proportionate way of achieving such ends. This requires an assessment of the impacts on individuals’ privacy weighed against the nature and importance of any legitimate purposes being pursued by the University through the investigation.
125. In the Deputy Commissioner’s view, the extent of the impact on the individuals whose Wi-Fi location data was used to determine their physical whereabouts was significant. Each was subjected to a form of surveillance – in that they would not have expected that by choosing to avail of the Wi-Fi service provided by their University, their location may later be determined in an investigation unrelated to their use of the network. They are likely to have experienced a significant breach of trust.
and
127. The Deputy Commissioner found that, while this was a generally legitimate purpose for the University to pursue, the nature and importance of it did not justify the extent of the impacts on individuals’ privacy in the In other words, the use of Wi-Fi location data was excessive and disproportionate.
128. The Deputy Commissioner’s focus in conducting this balancing exercise was on the impact to individuals’ privacy, rather than the disciplinary outcomes that resulted from using Wi-Fi-location data. The Deputy Commissioner’s position would remain the same regardless of whether not using Wi-Fi location data would mean:
- the University could not have identified some individuals and could not have brought disciplinary action against them; or
- all relevant individuals would still have been identified through other means and would have still faced disciplinary action.
How did the contraventions occur?
IPP 1.3 – Failure to make individuals aware of how Wi-Fi location data could be used
132. The materials that the University pointed to as providing notice to individuals in accordance with IPP 1.3 mentioned monitoring of the IT network and use of surveillance in a general sense. Where the materials referred to investigations specifically, the context indicated that these related to investigations into the misuse of the Wi-Fi network or other IT facilities.
133. These materials were not clear, explicit, and unambiguous in informing individuals that their Wi-Fi location data may be used to identify their whereabouts as part of a misconduct investigation unrelated to their use of the network.
IPP 2.1 – Use of Wi-Fi location data for an unauthorised secondary purpose
134. For such intrusive uses of personal information, the Deputy Commissioner would have expected that any decision to proceed would have been informed by a robust analysis of the privacy impacts of using Wi-Fi location data, and whether this would comply with IPP 2.1. This did not occur.
135. Rather, there was a series of emails between the CIO, General Counsel and other relevant staff members on 20 May 2024, at the height of the sit-in, seeking to determine whether there were relevant provisions in various University policies allowing the use of the Wi-Fi location data for the desired purpose. There was only superficial consideration of IPP 2.1 in these discussions.
136. In the Deputy Commissioner’s view, this lack of basic consideration of privacy impacts was a consequence of an absence of any University policy, process, or procedure to regulate its use of surveillance and to assess whether any proposed surveillance – such as the use of Wi-Fi location data – would comply with the IPPs.
137. The Deputy Commissioner expects that any organisation considering surveillance activities should have a policy articulating its approach to surveillance and setting out appropriate roles and responsibilities for assessing, approving, and monitoring surveillance activities. This should be accompanied by a procedure requiring relevant persons to conduct an assessment of relevant factors to evaluate whether any surveillance activity would comply with the IPPs.
What is extraordinary is that the University of Melbourne will now amend its Wireless Terms of Use to make it clear that it “may use information from the Wi-Fi network to determine or infer an individual’s location, and to explain the circumstances in which it may do so (including for misconduct investigations where an individual’s usage of the network is not the subject of misconduct allegations).” [145]. It will also amend its IT Policy to allow it to use information from the Wi-Fi network to determine or infer location [250] and check emails [151]. In other words, the University’s response, having been caught invading the privacy of its students, is to make that sort of surveillance permissible by amending the Wi-Fi terms of use and other policies. Has anybody actually read Wi-Fi terms of use? They can be as dense and impenetrable as Privacy Policies. But from a first principles perspective, what sort of University wants the right to surveil its students? One that has no remembrance of the Enlightenment. And OVIC is fine with this?
While the focus of the investigation was the use of Wi-Fi, the University also searched staff emails. While the Deputy Commissioner found that did not contravene the IPPs, which is quite an interesting finding, it is incredibly invasive and quite an unfortunate thing for a University to do. It is unfortunately not an isolated incident. Extraordinarily, the Barristers’ Chambers Limited searched emails of Victorian Barristers who have a vicbar email account in response to a notice put up in lifts of Owen Dixon Chambers East on 10 August 2022. Ten emails were identified by word search and one opened. Disturbingly, this very unfortunate action was kept quiet until 7 February 2023, when the Bar Council notified its members about the investigation. It had to; word of this high-handed, outrageous and, in my view, probably illegal conduct had begun to leak out and spread within the Bar. There was a huge backlash and the Bar Council took steps to update its terms and conditions. It was a very regrettable event in the Bar’s history which involved a complete failure of leadership. The events are covered by Lawyers Weekly in “Barristers’ email accounts searched by Victorian Bar Council in homophobia investigation”. I have never conducted my business through the Vic Bar. Ever. It seems I was vindicated.
The investigation has been reported in the Guardian in “University of Melbourne breached students’ privacy by using wifi network to monitor pro-Palestine protest”. The University of Melbourne’s statement is hardly gracious or contrite. In fact it is just short of a middle finger to the regulator. It maintains that the use of WiFi location data was “reasonable and proportionate.” It can say that with impunity given the legislation does not empower the Commissioner to issue fines or bring civil penalty proceedings.
The University of Melbourne statement provides:
Statement attributable to Ms Katerina Kapobassis, University of Melbourne Vice-President (Administration and Finance) and Chief Operating Officer.
The University takes its privacy obligations seriously and has cooperated openly and responsively to the Deputy Commissioner in the conduct of her investigation.
The University is pleased that the Deputy Commissioner concluded that the University did not contravene the Information Privacy Principles in relation to the review of staff emails.
The University acknowledges that it could have provided clearer active notice to students and staff members in relation to the use of WiFi location data, and a number of remedial actions are progressing.
However, we maintain that the use of WiFi location data in student misconduct cases was reasonable and proportionate in the circumstances, given the overriding need to keep our community safe and conduct our core activities of teaching, learning and research.
The University has already completed a number of actions that are proposed in the final report and all others are progressing. We will ensure the University community is kept informed as these changes are made.
The Guardian article provides:
The University of Melbourne (UoM) breached Victoria’s Privacy and Data Protection Act when it used its wifi network to surveil students and staff holding a pro-Palestine protest last May, which could have resulted in a “significant breach of trust”, the state’s deputy information commissioner has found.
The investigation, released on Wednesday, was prompted by media reports alleging UoM digitally tracked people at the sit-in to uncover potential misconduct.
The deputy commissioner found the university used a combination of wifi location data, student card photographs and CCTV footage to identify 22 students who failed to comply with orders to leave the university’s Arts West building on 20 May. The investigation found the university did not give adequate notice or justification for how the data would be used.
It took less than a day for the university to authorise the use of data for surveillance purposes and only “superficial” consideration was given to privacy protection, the report found.
The UoM used analysis of wifi location data, CCTV footage, and a review of 10 staff members’ email accounts to identify staff involved in the protest, the report found. As a result, three staff members received formal written warnings.
Misconduct proceedings were brought against 20 of the students, with 19 receiving a “reprimand and caution”.
The deputy commissioner found the UoM had not contravened information privacy principles (IPPs) in the state’s Privacy and Data Protection Act with its CCTV footage use.
But it found the UoM had breached two IPPs by failing to adequately inform students and staff about how their personal information had been used, and because using wifi location data to identify individuals in a misconduct investigation was an unauthorised reason.
It also found that the university’s accessing of staff email accounts for disciplinary proceedings “fell below the standard” expected.
“The university failed to obtain a social licence for the use of this technology,” the report found. “Because the collection and use of the data involved the surveillance of students and staff, and surveillance by its nature is antithetical to human rights, the breach was serious.”
The deputy commissioner did not issue a compliance notice because of the remedial steps taken by the UoM during the investigation, including developing a new surveillance policy and amending its terms of use and associated policies.
The chief operating officer of the UoM, Katerina Kapobassis, said the university acknowledged it could have provided “clearer active notice” to students and staff about its use of wifi location data.
“However, we maintain that the use of Wi-Fi location data in student misconduct cases was reasonable and proportionate in the circumstances, given the overriding need to keep our community safe and conduct our core activities of teaching, learning and research,” she said.
“The university takes its privacy obligations seriously and has cooperated openly and responsively to the deputy commissioner in the conduct of her investigation.
“The university has already completed a number of actions that are proposed in the final report, and all others are progressing.”
The investigation also found the university’s wifi terms of use, IT policies and privacy statements were “poorly presented, contained misleading headings and titles, and contained information that made the purpose of collection and use unclear”.
“The extent of the impact on the individuals whose Wi-Fi location data was used to determine their physical whereabouts was significant,” the report found. “Each was subjected to a form of surveillance … They are likely to have experienced a significant breach of trust.
“The deputy commissioner remains concerned by the university’s practices … and will continue to seek evidence and assurance that it has completed the actions it has agreed to.”
The Unimelb for Palestine group welcomed the investigation’s findings, which it said exposed the “deep structural failures in how the university governs data, communicates … and respects fundamental human rights”.
The group said it found the decision not to issue a compliance notice “deeply disappointing”.
“The report does not undo the harm the university has inflicted – through both its past mishandling of misconduct proceedings against Mahmoud’s Hall [Arts West] protesters, and its ongoing efforts to expel and suspend other student protesters based on unauthorised and unlawfully obtained data,” the group said.
“So-called liberal institutions – including the UoM – have acted exceptionally to suppress solidarity with Palestine amidst a genocide.”
In April, the Human Rights Law Centre, Human Rights Watch and Amnesty International wrote to the UoM’s vice chancellor, citing serious concerns over its wifi policy, which they said permitted the surveillance of all users without suspicion of wrongdoing or misuse of the network.
Principal lawyer Bernadette Zaydan is appealing the suspensions and expulsions of UoM student protestors and said she would use the findings to strengthen their legal fight.
The UoM branch president of the National Tertiary Education Union, David Gonzalez, said the deputy commissioner had reinforced what staff had been saying “all along”, that “they were misusing this information, and it was wrong”.
“There was never an expectation that we would be tracked using Wi-Fi previously,” Gonzalez, who sat in on disciplinary proceedings with staff as a result of the protest, said.
“A large amount of my members are very concerned with their privacy. This is validating for a lot of people who felt gaslit … It’s just an erosion of trust.”