The University of Melbourne breached Victoria’s privacy laws when it used its wifi network to track students and staff during a pro-Palestine protest in May 2024. Victoria’s deputy information commissioner found the university violated the Privacy and Data Protection Act through secret surveillance.
The investigation was launched after media reports revealed the university digitally tracked people at a sit-in protest to uncover potential misconduct. The protest took place at the Arts West building, which students renamed “Mahmoud’s Hall” after Palestinian student Mahmoud Alnaouq who was killed in Gaza before he could attend the university.
According to the investigation by OVIC, the deputy commissioner found the university’s surveillance methods resulted in a “significant breach of trust” with its students and staff. The investigation showed the university used wifi location data, student card photos, and CCTV footage to identify 22 students who failed to leave the building on May 20. Officials found the university did not give proper notice or justification for how the data would be used.
University took less than a day to approve surveillance
The report found it took less than 24 hours for the university to authorize using data for surveillance purposes. Officials gave only “superficial” consideration to privacy protection during this process. The university also analyzed wifi location data, CCTV footage, and reviewed 10 staff members’ email accounts to identify staff involved in the protest.
“Privacy and Data Protection deputy commissioner Rachel Dixon found the university had introduced the tracking capability with the “reassurance it would not be used to surveil individuals”.”
— Jeremy Gans (@jeremy_gans) August 20, 2025
As a result of the surveillance, three staff members received formal written warnings. Misconduct proceedings were brought against 20 students, with 19 receiving a “reprimand and caution.” The deputy commissioner did not find the university violated privacy rules with its CCTV footage use, but social media platforms have faced similar scrutiny over data collection practices.
The investigation also found the university breached two information privacy principles. First, it failed to properly inform students and staff about how their personal information was used. Second, using wifi location data to identify individuals in misconduct investigations was an unauthorized reason. The report stated the university’s access to staff email accounts for disciplinary proceedings “fell below the standard” expected.
Student protesters faced serious consequences
The surveillance led to serious disciplinary action against student protesters. The university served “general misconduct” notices to 21 students for their involvement in the occupation of the Arts West building. Some students faced potential expulsion or suspension from their studies. The crackdown on protests mirrors similar controversies at other institutions.
The University of Melbourne’s chief operating officer, Katerina Kapobassis, acknowledged the university could have provided “clearer active notice” about its use of wifi location data. However, she maintained the surveillance was “reasonable and proportionate” given the need to keep the community safe and conduct core university activities.
The deputy commissioner did not issue a compliance notice because the university took steps during the investigation to address the problems. These included developing a new surveillance policy and changing its terms of use and related policies. However, the commissioner expressed ongoing concerns about the university’s practices and will continue seeking evidence the university has completed agreed actions.
