The University of Melbourne has been reprimanded for using wi-fi location data to identify students involved in a sit-in protest last year.
An investigation by the Office of the Victorian Information Commissioner (OVIC) into the July 2024 incident found the use of wi-fi data amounted to a “serious” breach of privacy.
The university had previously said in 2016 that it could not track individuals with the technology, and was only interested in aggregate insights for campus planning, such as around people movements.
However, after protesters refused to move on, the university used a combination of CCTV, student card and wi-fi location data to identify them.
It also reviewed staff emails to identify any staff involved in the protest.
OVIC found the use of CCTV for this purpose was acceptable.
However, the internal authorisation process to access staff email accounts was “below the standard” that OVIC expected, while the use of wi-fi location data for surveillance amounted to a secondary use of that data – “function creep” that users had long feared would occur.
“The university introduced the wi-fi tracking capability some years ago, for the purpose of network management, with a reassurance that it would not be used to surveil individuals,” OVIC said.
“The university subsequently used the capability for disciplinary purposes, because it was already in place, without substantially considering the human rights or privacy impacts of doing so.
“In failing to consult with stakeholders about the policy change, the university failed to obtain a social licence for the use of this technology.”
Assertions by the university that its policies covered use of wi-fi location data in “misconduct investigations” were not accepted by OVIC.
“Even if individuals had read these policies, it is unlikely they would have clearly understood their wi-fi location data could be used to determine their whereabouts as part of a misconduct investigation unrelated to allegations of misuse of the wi-fi network,” OVIC found.
“Given that individuals would not have been aware of why their wi-fi location data was collected and how it may be used, they could not exercise an informed choice as to whether to use the wi-fi network during the sit-in [protest], and be aware of the possible consequences for doing so.”
The university escaped a formal compliance notice by taking some actions ahead of time.
These included “developing a surveillance policy and associated procedures (in progress), promoting the new surveillance policy to all staff and students, amending the wireless terms of use and and acceptable use of IT policy, and implementing a process for providing all new users of the university email system with a notice of collection.”
In a response to the investigation, the university disagreed that it had breached privacy principles, and stood by its use of wi-fi location data as “necessary” and “proportionate” in the circumstances.
Source link
