The University of Melbourne has been found to have breached Victoria's privacy laws by using information to track students involved in a 2024 pro-Palestinian protest.
According to the state's deputy information commissioner, the university has breached two information privacy principles (IPPs) in the way it used "a combination of student Wi-Fi location data, student card photographs and CCTV footage to identify" student protesters.
"Because the collection and use of the data involved the surveillance of students and staff, and surveillance by its nature is antithetical to human rights, the breach was serious," the Office of the Victorian Information Commissioner (OVIC) stated.
In response, Katerina Kapobassis, the University of Melbourne's chief operating officer, said the university "acknowledges that it could have provided clearer active notice to students and staff members in relation to the use of WiFi location data, and a number of remedial actions are progressing".
How did the investigation start?
Following a sit-in protest at the university's Arts West Building on the Parkville campus in May last year, the university's vice-chancellor instructed everyone occupying the building to leave the premises.
According to OVIC's report, some demonstrators ignored the direction, resulting in the university starting an investigation into potential student misconduct.
The university identified 20 students and started misconduct proceedings against them.
After media reports in July 2024 revealed the university had tracked protesters using CCTV and Wi-Fi data, the Privacy and Data Protection deputy commissioner launched the investigation.

According to the OVIC's report, the university identified staff involvement in the protest through an analysis of Wi-Fi location data, CCTV footage, and a review of 10 staff members' email accounts.
What did the investigation find?
The investigation focused on the university's "use of staff and students' Wi-Fi location data, and was expanded to include the university's review of a small group of staff members' email accounts".
The investigation found the university "contravened" two different IPPs when using the Wi-Fi data.
Considering the number of people impacted and the level of the impact, the deputy commissioner determined the breaches were "serious".
The privacy principles were about whether the university "properly informed students and staff about how their personal information would be used" and if the use of data was "consistent with the primary purpose of collecting this information or was for an authorised secondary purpose".
The investigation, however, did not find any breaches in relation to staff email accounts.
What did the university say?
Kapobassis said in a statement that the university "takes its privacy obligations seriously and has cooperated openly and responsively to the deputy commissioner in the conduct of her investigation".
While acknowledging the university could have provided clearer notice, she said "the use of WiFi location data in student misconduct cases was reasonable and proportionate in the circumstances".
"The university has already completed a number of actions that are proposed in the final report, and all others are progressing. We will ensure the university community is kept informed as these changes are made."