Privacy & NSW Public Agencies: Understanding your rights and protections under the PPIP Act
Published on February 16, 2026 by Selwyn Black, Yue Lucy Han and Chelsea O'Grady
NSW public sector agencies are governed by an important set of rules regulating how they can collect and handle an individual’s personal information. These rules are set out in the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).
This article provides an overview of what the PPIP Act protects, the rules and principles it sets out, and what action can be taken by individuals who believe their personal information has been mishandled by a NSW public sector agency.
What information is protected under the PPIP Act?
The PPIP Act specifically aims to protect an individual’s personal information against misuse when it is being collected, stored, used, and/or disclosed by a NSW public sector agency.
What is ‘personal information’?
‘Personal information’ is defined in the PPIP Act as:
‘information or an opinion (including information or an opinion forming part of a database and whether or not in a recorded form) about an individual whose identity is apparent or can reasonably be ascertained from that information or opinion’.[1]
The key component here is that the information or opinion must be capable of identifying an individual for it to be deemed ‘personal information’. This could include an individual’s:
- name, address, contact details, date of birth, and signature;
- biometric information such as fingerprints, retina prints, blood and DNA samples;
- images, videos, and voice recordings;
- any other data, opinions, or evaluations that could identify the individual such as criminal records, education records, and employee records.
Information that does not reasonably identify an individual, such as aggregated statistics or general reports, is likely not covered by the PPIP Act.
There are also certain types of personal information which are not protected under the PPIP Act, including, for instance, information about an individual who has been dead for more than 30 years, or information contained in a publicly available publication.[2]
‘Personal information’ under the PPIP Act generally does not include ‘health information’, which is instead specifically protected under the Health Records and Information Privacy Act 2002 (NSW).[3] However, health information is included for the purposes of Part 6 of the PPIP Act, concerning the disclosure of personal information contained in public registers, and Part 6A, which sets out mandatory data breach notification obligations.
What is a NSW ‘public sector agency’?
A NSW ‘public sector agency’ is broadly defined under the PPIP Act.[4] It refers to most organisations and bodies forming part of the NSW Government public sector, including:
- government departments (e.g., NSW Department of Education, NSW Department of Communities & Justice);
- the NSW Police Force;
- statutory authorities (e.g., Transport for NSW, SafeWork NSW);
- local councils (e.g., Council of the City of Sydney and Wollongong City Council); and
- state owned corporations (e.g., Essential Energy, Sydney Water).
The PPIP Act does not extend to private sector individuals or businesses. However, some public sector agencies may require others they deal with to comply with the same obligations.
The Information Privacy Principles (IPPs)[5]
The IPPs are at the core of the PPIP Act. They are intended to govern how NSW public sector agencies handle personal information throughout the “information lifecycle”, covering the collection, storage, use, and disclosure of information, and equipping individuals with certain rights to access and correct that information.
Collection:
- Lawful
Agencies may only collect your personal information for a lawful purpose which is directly related to their function or activities and is necessary for that purpose.
- Direct
Agencies may only collect your information directly from you (or a parent/guardian if you are under the age of 16) unless you have consented otherwise.
- Open
Agencies must take reasonable steps to ensure that you are made aware of the following before your personal information is collected (or as soon as practicable thereafter):
  - why they are collecting your personal information;
  - how it will be used;
  - who will receive it;
  - whether giving the information is required or optional;
  - what may happen if you do not provide the information;
  - how you can access and correct your information later on;
  - the agency’s name and address.
- Relevant
Agencies must take reasonable steps to ensure the personal information they collect from you is relevant to the purpose for which it is collected, and is accurate, complete, up to date, not excessive, and collected in a way that does not unreasonably intrude on your personal affairs.
Storage:
- Secure
Agencies must store your personal information securely to ensure it is protected from unauthorised access, use, modification, or disclosure. They may also only keep your information for as long as it is needed and dispose of it appropriately.
Access and accuracy:
- Transparent
Agencies must take reasonable steps to ensure you understand whether they hold your personal information, as well as the nature of that information, why it is being used, and any rights you have to access it.
- Accessible
If you request to access your personal information held by an agency, the agency must provide access without excessive delay or cost.
- Correct
If you request to update, correct, or amend your personal information held by an agency, the agency must make these amendments where appropriate or take reasonable steps to attach your correction request to the record.
Use:
- Accurate
Agencies must take reasonable steps to ensure your personal information is relevant, accurate, up to date, and not misleading before using it in any way.
- Limited
Agencies may only use your personal information for the purpose for which it was collected, unless you consent to its use for another purpose, that other purpose is directly related to the original purpose, or the use of your information for that other purpose is necessary to prevent a serious and imminent threat to a person’s life or health.
Disclosure:
- Restricted
Agencies may not disclose your personal information without consent, unless it is directly related to the purpose for which it was collected and you would reasonably expect that disclosure, or in emergencies involving threats to a person’s life or health.
- Safeguarded
Agencies generally may not disclose information about your ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, or sexual activities unless it is necessary to prevent a serious and imminent threat to a person’s life or health. Agencies also face strict limits on disclosing your personal information to any person or body who is in a jurisdiction outside NSW.
A NSW public sector agency is not permitted to do any thing, or engage in any practice, that contravenes any IPP applying to them.[6]
What can you do if you think your personal information has been mishandled by a NSW Public Agency?
Part 5 of the PPIP Act sets out important accountability mechanisms for individuals to employ in the event that their personal information has not been handled appropriately in accordance with the IPPs.[7]
Internal Review
Under s 53 of the PPIP Act, an individual who believes that a NSW public sector agency has breached one or more of the IPPs, and who is aggrieved by the alleged breach, is entitled to have that conduct internally reviewed by the agency concerned.
An internal review application under this provision must be lodged within 6 months of the individual first becoming aware of the contravention.[8] The public sector agency is then required to complete its review as soon as reasonably practicable in the circumstances.[9]
Upon completing its internal review, the agency may decide to take any action it thinks appropriate in the circumstances, including taking no further action.[10] Regardless of the outcome, the agency must, within 14 days of completing its review, notify the applicant of the findings of the review (with reasons for those findings), as well as any action proposed to be taken by the agency and why.[11]
Remedial action in this regard may include making a formal apology, implementing internal administrative measures to ensure the conduct will not occur again, and/or compensating the applicant (if permissible).
External Review
If the applicant, upon receiving the public sector agency’s internal review decision, is not satisfied with the findings of that review or the action taken by the agency in relation to the application, s 55(1) of the PPIP Act entitles the individual to apply to the NSW Civil and Administrative Tribunal (NCAT) for an administrative review of the agency’s conduct.
NCAT has much broader administrative powers in this regard. Whilst the Tribunal may decide not to take any action in the matter, it may also make any number of orders as set out in s 55(2) of the PPIP Act. Notably, this may include ordering the agency to pay the applicant damages not exceeding $40,000 for any loss or damage suffered as a result of the breach, or to take any other specified steps to remedy any loss or damage suffered by the applicant.
Speak to us if you ever have any privacy or privacy-related concern.
This article was written by Selwyn Black, Lucy Han and Chelsea O’Grady and published on [DATE] by Carroll & O’Dea Lawyers and is based on the relevant state of the law (legislation, regulations and case law) at that date for NSW. Please note this article does not constitute legal advice.
If you ever need legal advice or want to discuss a legal problem, please contact us to see if we can help. You can reach us on 1800 167 267 or via the Contact Us page on our website.
[1] PPIP Act s 4(1).
[2] PPIP Act s 4(3).
[3] PPIP Act s 4A.
[4] PPIP Act s 3 (definition of ‘public sector agency’). See also State Owned Corporations Act 1989 (NSW).
[5] PPIP Act Pt 2 Div 1.
[6] PPIP Act s 21.
[7] PPIP Act s 52(1)(a).
[8] PPIP Act s 52(3)(d).
[9] PPIP Act s 53(6).
[10] PPIP Act s 53(7).
[11] PPIP Act s 53(8).