Privacy management plan
The Department of Enterprise, Investment and Trade (the ‘Department’ or DEIT) has developed this Privacy Management Plan to demonstrate and ensure that our organisation applies the correct procedures to manage the personal information of our stakeholders and staff.
All NSW Government agencies are required to have a privacy management plan under section 33 of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).
The purpose of this Plan is to:
- demonstrate to the people of New South Wales how the Department upholds and respects the privacy of its staff and all those who deal with DEIT
- explain how we manage personal information in line with the PPIP Act and health information in line with the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act)
- provide guidance and training for DEIT staff in dealing with personal and health information. This helps to ensure that we comply with the PPIP Act and HRIP Act (together, the Acts).
This Plan indicates that DEIT takes the privacy of its staff and the people of NSW seriously and we will protect privacy with the use of this Plan as a reference and guidance tool.
All overseas trade employees of DEIT should, in addition to complying with this Plan, consider and, if necessary, seek advice from DEIT Legal on any local law implications.
This Plan has been developed by DEIT as per section 33 of the PPIP Act.
This Plan identifies:
- the types of personal and health information (as defined at 2.3) that DEIT holds or is responsible for
- the policies and practices used by DEIT to comply with the Acts
- how details of those policies and practices are made known to staff of DEIT and all engaged by the Department
- how DEIT conducts Internal Reviews under section 53 of the PPIP Act.
1.1. The role and functions of DEIT
DEIT drives the New South Wales (NSW) Government’s commitment to economic transformation.
Growing investment and creating new jobs throughout NSW, DEIT brings together enterprise and trade, tourism and hospitality, sports and the arts and Western Sydney to ensure NSW is the best place in the world to live, work, invest, visit, study, grow and play.
DEIT propels the delivery of investment, business and lifestyle opportunities, by attracting and supporting innovative and prosperous industries and helping NSW business go global. Further information can be found on DEIT’s website.
DEIT collects, holds, uses and discloses personal and health information for the purpose of carrying out its functions. For instance, DEIT may handle personal and health information for the purpose of:
- managing correspondence on behalf of cluster Ministers’ offices, and also the Premier and Deputy Premier;
- human resources management;
- complaints handling; and
- managing applications for Government information (meaning information contained in a record held by the agency) under the Government Information (Public Access) Act 2009 (GIPA Act).
DEIT takes the privacy of its staff and the people of NSW seriously and we will protect privacy with the use of this Plan as a reference and guidance tool.
2. Personal and Health Information
Collection is the method by which DEIT acquires the information. This can be completed by any means including a written form; a verbal conversation; an online form; or taking a picture or video.
Disclosure is how DEIT provides the personal or health information to an individual or body outside DEIT. This includes the sharing of personal or health information with other public service agencies.
Personal information is information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion (section 4 of the PPIP Act).
Health information is any personal information that is information or an opinion about a person’s physical or mental health or disability or the provision of health services to them, including an individual’s express wishes about the future provision of health services to them. It also includes genetic information that is or could be predictive of the health of a person or their genetic relative, as well as any personal information that was collected to provide, or in providing, a health service, or in connection with the donation of body parts, organs or body substances (section 6 of the HRIP Act).
2.2. Exclusions from the definition
Both the Acts exclude from the definition of personal and health information, information which:
- relates to a person who has been dead for more than 30 years; or
- is contained in a publicly available publication; or
- refers to a person’s suitability for employment as a public sector official.
2.2.1. Information in a publicly available publication
The definitions exclude information about named or identifiable people which is published in newspapers, books or the internet, broadcast on radio or television, posted on social media (such as Facebook or Twitter) or made known at a public event. Because such information is publicly available, it cannot be protected from use or further disclosure.
2.2.2. Employment-related information
Information referring to suitability for employment as a DEIT member of staff (such as selection reports and references for appointment or promotions, or disciplinary records) is excluded from the definitions and therefore from the provisions of the Acts.
Such information is still stored, secured, used and disclosed by DEIT with the same care as if it were protected by the Acts.
Other employee-related personal information is protected by the Acts.
For example, records or information about work activities, such as video or photographs of staff in their workplace, are protected and may only be used in compliance with the Acts’ provisions.
Other examples of work-related personal and health information are staff training records, leave applications and attendance records. All these are within the scope of the definitions and are protected by the Acts.
2.3. Types of personal and health information held by DEIT
2.3.1. Employee records
Employee records for staff of DEIT are held by the Department and GovConnect. This information includes, but is not limited to:
- records of dates of birth, addresses and contact details;
- payroll, attendance and leave records;
- performance management and evaluation records;
- training records;
- workers compensation records;
- work health and safety records; and
- records of gender, ethnicity, and disability of employees for equal employment opportunity recording purposes.
An employee of DEIT may access their own file under the supervision of People & Culture (P&C) staff.
Apart from the employee the file relates to, the members of the P&C team at DEIT are the only other members of the Department that have authorised access to personnel files.
Employee records are stored in soft copy in the SAP system and Objective files, maintained by GovConnect. These records include leave records, payroll processing information, leave accruals, medical certificates, and parental leave information.
People and Culture (P&C) also maintains separate personnel files in the Objective document management system for all current employees. These files include contracts, remuneration details, and any ongoing case being managed by P&C (such as conduct investigations and WorkCover claims). Access to these personnel files is controlled and limited only to authorised P&C employees.
DEIT has an agreement with GovConnect, managed through the Department of Customer Service (DCS), that affects how GovConnect handles employee records in the SAP and Objective systems.
GovConnect is formed by two outsourced vendors managed by the Service Management Office, a division of DCS. Corporate services functions are managed by Infosys (Human Resources and Finance) and Unisys (Information Technology) on behalf of DEIT. Therefore, GovConnect holds and is responsible for more detailed personal and health information about DEIT staff, such as recruitment, payroll and leave records.
The Service Partnership Agreement between DEIT and GovConnect notes that GovConnect will have access to information from and about DEIT in the course of business, and that GovConnect is bound to comply with the PPIP Act.
2.3.2. Information collected relating to conflict of interest
DEIT staff are required to disclose any actual, potential, or perceived conflicts of interest as part of the onboarding process. This information is reviewed and updated regularly, and as any conflicts arise or change.
2.3.3. Digital images
DEIT holds digital images of all staff members which are used for the production of staff identification cards and other internal uses including publication on DEIT’s intranet.
2.3.4. Contact Details
DEIT holds contact details of various third parties, including for:
- government agency CEOs, members of inter-departmental working groups and similar, members of government boards and advisory committees;
- stakeholders participating in stakeholder consultation forums;
- businesses and individuals involved in DEIT’s programs and schemes;
- businesses and individuals attending DEIT hosted events and some business familiarisation programs;
- businesses and individuals that have registered to DEIT newsletter and collaboration/networking platforms;
- businesses and individuals that have registered on DEIT hosted procurement systems;
- businesses and individuals that are suppliers on DEIT managed contracts and schemes;
- business and individuals that have applied to DEIT for funding, grants or other assistance and/or services;
- businesses and individuals that have responded to a call for submissions on a particular project;
- individuals participating in surveys and community engagement events;
- individuals who have made a complaint, enquiry, compliment or suggestion through DEIT’s websites or other mechanisms; and
- individuals who have made formal access applications under the GIPA Act.
DEIT uses the contact details for the purposes for which they were collected. DEIT does not use this information to contact people for secondary purposes, such as for unrelated marketing purposes. For example, where contact details have been provided as part of an enquiry made to DEIT, those contact details will only be used in managing and responding to that enquiry and will not be used for any other purpose unless the individual concerned has expressly consented to that secondary use.
2.3.5. Identification documents
In some circumstances, DEIT may hold identification documents for certain individuals. These documents are usually collected where individuals are required to prove their identity to access certain services or programs of DEIT and are attached to the application or form. Proof of identity documents may also be required when making applications for information under the GIPA Act or PPIP Act.
2.3.6. Correspondence records
DEIT holds the following correspondence records:
- contact details of people who have written to or emailed DEIT or its responsible Ministers;
- details of the nature of their correspondence, which can include sensitive personal information about matters such as ethnicity, religion, health conditions, sexuality;
- copies of replies to correspondence; and
- records of to whom, if anyone, their correspondence was referred.
This information is only used for the purpose of communicating a reply to the correspondent either from DEIT or the relevant Minister’s Office. Once a matter has been progressed and processed, it is closed and filed accordingly on relevant files stored and secured by GovConnect, as the Agency’s primary provider of records management services.
3. The Privacy Principles
3.1. Applying the privacy principles in NSW
Sections 8 to 19 of the PPIP Act set out privacy standards that public sector agencies are expected to follow when dealing with personal information. They are the information protection principles (IPPs), and they govern the collection, retention, accuracy, use and disclosure of personal information, including rights of access and correction.
3.2. Liability and offences
It is important that all DEIT staff understand the Information Protection Principles and the Health Privacy Principles set out below. Part 8 of the PPIP Act and HRIP Act contain criminal offences applicable to DEIT’s staff who use or disclose personal or health information without authority. For example, there are criminal offences relating to:
- the corrupt disclosure and use of personal and health information by public sector officials; and
- offering to supply personal or health information that has been disclosed unlawfully.
DEIT has policies and privacy controls to minimise the risk of staff committing an offence. For example:
- DEIT’s Code of Conduct has specific provisions on privacy obligations, including in relation to the authorised access, disclosure and storage of personal information. The Code also has provisions on the handling of information, including in relation to the confidentiality, misuse and security of information, and on records management; and
- DEIT’s Information Management Security Policy has provisions on information access and security, including that access to information and records held by ‘sensitive areas’ should be limited, and that staff must use information on a ‘need to see basis’.
DEIT also provides compulsory privacy training to staff to ensure they are aware of their responsibilities in handling personal information appropriately.
Below is an overview of the IPPs:
12 Information Protection Principles
1. Lawful – we only collect personal information for a lawful purpose that is directly related to our functions and activities
2. Direct – we collect personal information from the person concerned
3. Open – when collecting personal information, we inform people why their personal information is being collected, what it will be used for, to whom it will be disclosed, how they can access and amend it and any possible consequences if they decide not to give it to us
4. Relevant – when collecting personal information, we ensure it is relevant, accurate, not excessive, and does not unreasonably intrude into people’s personal affairs
5. Secure – we store personal information securely, keep it no longer than necessary, destroy it appropriately, and protect it from unauthorised access, use or disclosure
6. Transparent – we are transparent about personal information that is stored, what it is used for and people’s right to access and amend it
7. Accessible – we allow people to access their own personal information without unreasonable delay or expense
8. Correct – we allow people to update, correct or amend their personal information where necessary
9. Accurate – we make sure that personal information is relevant and accurate before using it
10. Limited – we only use personal information for the purpose it was collected for unless the person consents to the information being used for an unrelated purpose
11. Restricted – we will only disclose personal information with people’s consent unless they were already informed of the disclosure when the personal information was collected
12. Sensitive – we do not disclose sensitive personal information (such as ethnicity or racial origin, political opinion, religious or philosophical beliefs, health or sexual activities, or trade union membership) without consent.
Schedule 1 of the HRIP Act provides a similar set of privacy standards for health information. They are the health privacy principles (HPPs). They are largely the same as the IPPs, but without an equivalent to IPP 12 (Sensitive) and with other additional obligations and standards instead.
Below is an overview of the HPPs:
15 Health Privacy Principles
1. Lawful – we only collect health information for a lawful purpose that is directly related to our functions and activities
2. Direct – we collect health information from the person concerned unless it is unreasonable or impractical to do so
3. Open – when collecting health information, we inform people why their health information is being collected, what it will be used for, to whom it will be disclosed, how they can access and amend it and any possible consequences if they decide not to give it to us
4. Relevant – when collecting health information, we ensure it is relevant, accurate, not excessive, and does not unreasonably intrude into people’s personal affairs
5. Secure – we store health information securely, keep it no longer than necessary, destroy it appropriately, and protect it from unauthorised access, use or disclosure
6. Transparent – we are transparent about health information that is stored, what it is used for and people’s right to access and amend it
7. Accessible – we allow people to access their own health information without unreasonable delay or expense
8. Correct – we allow people to update, correct or amend their health information where necessary
9. Accurate – we make sure that health information is relevant and accurate before using it
10. Limited – we only use health information for the purpose it was collected for unless:
a. the person has consented to its use for another purpose,
b. it is being used for a purpose directly related to the purpose it was collected for,
c. we believe that there is a serious threat to health or welfare,
d. it is for the management of health services, training, research or to find a missing person, or
e. it is for law enforcement or investigative purposes.
11. Restricted – we will only disclose health information for the purpose it was collected for unless:
a. the person has consented to its disclosure for another purpose,
b. it is being used for a purpose directly related to the purpose it was collected for,
c. we believe that there is a serious threat to health or welfare,
d. it is for the management of health services, training, research, compassionate reasons or to find a missing person, or
e. it is for law enforcement or investigative purposes.
12. Identifiers – we do not use unique identifiers for health information, as they are not needed to carry out DEIT’s functions
13. Anonymity – we allow people to stay anonymous if it is lawful and practical for them to do so
14. Transborder – we do not usually transfer health information outside of New South Wales
15. Linkage – we do not currently use a health records linkage system and do not anticipate using one in the future. But if we were to use one in the future, we would not do so without people’s consent.
3.2.1. Collecting personal or health information (IPPs 1-4 and HPPs 1-4)
DEIT will only collect personal or health information if it is:
- for a lawful purpose that is directly related to one of our functions; and
- reasonably necessary for DEIT to have the information.
DEIT will ensure that when personal and health information is collected from an individual, either verbally or in written forms, the individual will be advised accordingly. This will be in the form of a collection notice that will include the purpose of the collection; any intended recipients of the information (where applicable); their right to access and correct the information; and the details of any agency that is collecting or holding the information on DEIT’s behalf (if applicable).
DEIT also advises individuals if the collection is voluntary or if it is lawfully required and informs individuals of any penalties or other possible consequences for not complying with DEIT’s request.
When collecting personal or health information from an individual, DEIT endeavours to ensure that the information is relevant, accurate, up to date and complete for the purposes for which it is being collected. DEIT will also endeavour to ensure that the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual, having regard to the purposes for which it is being collected.
- When designing a form, ask yourself: “do we really need each bit of this information?”
- By limiting the collection of personal and health information to only what you need, it is much easier to comply with the principles.
- If collecting personal or health information about someone, collect it from that person directly to ensure accuracy and to obtain any permission for disclosure of the information.
- Do not ask for information that is not relevant.
- Be mindful of whether you are asking for information that is sensitive, such as about a person’s ethnicity or race, political opinions, religious or philosophical beliefs, trade union membership or sexual activities. Treat this information with extra care and seek advice before disclosing it.
- Individuals providing their personal or health information to DEIT have a right to know the full extent of how the information they provide will be used and disclosed, and to choose whether or not they wish to go ahead with providing information on that basis.
- Think about whether you are collecting personal or health information from people living in the European Union (EU) with an intention of providing goods and services to them. If so, you might be subject to the EU’s General Data Protection Regulation (GDPR), in which case you should make sure your collection meets the requirements of Articles 13-14 of the GDPR. This includes if you are collecting information about, and tracking, web-based behaviour, where the behaviour is coming from the EU.
3.2.2. Storing personal and health information (IPP 5 and HPP 5)
DEIT takes reasonable security safeguards against the loss, unauthorised access, use, modification and disclosure of personal information.
DEIT has in place information security policies which provide guidance to staff around the handling and storage of personal information. This includes the use of unique user accounts and passwords to access our computer systems. In accordance with DEIT’s Information Management Security Policy, our staff do not give out passwords to anyone or let anyone else use their computer login.
DEIT’s security measures further include the use of restricted drives and authorised access. For example, correspondence containing personal information is stored in DEIT’s record management system with restricted access and editing privileges.
Personal information is kept for no longer than is necessary and is disposed of in a secure manner once no longer required, in accordance with government requirements.
Storage and security tips:
- Check that document privileges are kept only to staff who require access to action or approve a task; and
- Take reasonable steps to prevent any unauthorised use or disclosure of the personal information by a contractor or service provider. This should be done with appropriate privacy clauses in the relevant contract. Those clauses should bind our contractors to the same privacy obligations DEIT has under the PPIP Act.
3.2.3. Accessing personal or health information (IPPs 6-8 and HPPs 6-8)
DEIT aims to make it as easy as possible for individuals to access their own personal information. Generally, requests by an individual to access their personal or health information can be made on an informal basis.
DEIT will endeavour to ensure that all personal and health information is accurate, complete and current. Further, should an individual become aware of, or detect an error in DEIT’s records about their personal affairs, DEIT will make the necessary changes.
If DEIT disagrees with the person about whether the information needs changing, we must instead allow the person to add a statement to our records.
- People should be able to easily see or find out what information we hold about them.
- We should let complainants, clients and staff see their own personal and health information at no cost and through an informal request process.
- We cannot charge people to lodge requests for access or amendment of their own personal or health information. We can charge reasonable fees for copying or inspection, if we tell people what the fees are up-front.
3.2.4. Using personal and health information (IPPs 9-10 and HPPs 9-10)
DEIT will only use personal or health information for the purposes for which it was collected or for other directly related purposes. At the time DEIT collects personal or health information from an individual, they will notify the individual of the primary purpose for which the information is collected. DEIT will also take reasonable steps to check the accuracy and relevance of personal or health information before using it.
- If the primary purpose of collecting a complainant’s information was to investigate their workplace grievance, a directly related secondary purpose within the reasonable expectations of the person, for which DEIT could use their personal information, would include independent auditing of workplace grievance files.
- Passing personal or health information from one officer within DEIT to another may amount to using that information. Think about the reason you are passing the personal information on, and whether it is for the same (or a directly related) reason that the information was collected for.
- When collecting personal or health information, think about how the information might be used down the line. Are all the uses directly related to the purpose of collection? Make sure the use of the information is clear in any privacy notice accompanying the collection.
- When using personal or health information, think about the purpose for which it was collected. The primary purpose for which DEIT has collected the information should have been set out in a privacy notice. If you want to use the information for any purpose other than that primary purpose, check with the DEIT Legal team.
- Before using personal or health information, think about how long ago the information was given. Could it now be outdated or misleading? When was the last time the information was used? Are there any processes in place to allow individuals to amend outdated information? Are there regular check-ins with the individuals to update their information if circumstances have changed?
- Only provide personal information to a contractor or service provider if they really need it to do their job and remember to bind them to the same privacy obligations DEIT has. This will help us prevent any unauthorised use of the personal information by that contractor or service provider.
- If the information you collected and intend to use is subject to the EU’s GDPR (see Collection Tips above for more information), make sure that consent for that use (if required) is specific, informed, and freely given. There is a difference between positive opt-in and compulsory acceptance of standard terms and conditions.
3.2.5. Disclosing personal or health information (IPPs 11-12 and HPP 11)
DEIT will only disclose personal or health information if:
- at the time DEIT collected their information, the person was given a privacy notice to inform them their information would or might be disclosed to the proposed recipient, and that disclosure is directly related to the purpose for which the information was collected,
- the person concerned has consented to the proposed disclosure, or
- an exemption applies (see section 3.2.6 for more information).
In addition to the above, DEIT can also disclose personal information (but not health information) if the person was notified of the disclosure at the time of collection – even if the purpose of that disclosure is not directly related to the purpose of collection. Notification of the disclosure is not enough in the case of health information unless the purpose of that disclosure is also directly related to the purpose of collection.
If an individual’s personal or health information is disclosed to other NSW public sector agencies, those agencies can only use information for the purpose for which it was disclosed to them. The information continues to be covered by the Acts.
- You can usually disclose information if the person was notified about that disclosure at the time their personal information was collected. When disclosing personal information, try to track down the point that it was collected and see if the disclosure you are intending to make was referred to in an accompanying privacy notice.
- However, if DEIT did not tell the person about the proposed disclosure in a privacy notice, or if it is health information being used for an unrelated secondary purpose or DEIT wants to send health information outside of New South Wales, you will usually need to seek the individual’s consent.
- When collecting personal or health information, think about how the information might be disclosed – to whom and for what purpose – and make sure to include this in the privacy notice.
- Only provide personal information to a contractor or service provider if they really need it to do their job and remember to bind them to the same privacy obligations DEIT has. This will help us prevent unauthorised disclosure of the personal information by the contractor or service provider.
- If the information you collected and intend to disclose is subject to the EU’s GDPR (see Collection Tips above for more information), make sure that consent for that disclosure (if required) is specific, informed, and freely given. There is a difference between positive opt-in and compulsory acceptance of standard terms and conditions.
There are a number of exemptions to the IPPs that limit their coverage, including:
- exchanges of information which are reasonably necessary for the purpose of referring inquiries between agencies (section 27A(b)(ii) of the PPIP Act);
- disclosure relating to law enforcement and related matters (section 23 of the PPIP Act);
- disclosure that would detrimentally affect complaint-handling or investigative functions (section 24 of the PPIP Act); and
- where non-compliance is lawfully authorised or required or otherwise lawfully permitted (section 25 of the PPIP Act).
Some additional exceptions apply to the collection, use and disclosure of health information, including for compassionate reasons, research training and the management of health services. Information about which exceptions apply to each HPP can be found in Schedule 1 of the HRIP Act.
4. Code of Practice and PPIP section 41 Directions
Under the PPIP Act, Privacy Codes of Practice can be developed by agencies that provide for the modification of the application of one or more IPPs to particular activities or categories of information.
This is undertaken to take account of particular circumstances relating to legitimate use of personal information by agencies that might otherwise be in contradiction to the IPPs under the PPIP Act.
The Information and Privacy Commission can also prepare Codes of Practice common to a number of agencies. All Codes are approved by the NSW Attorney-General.
In addition, under section 41 of the PPIP Act the Privacy Commissioner may make a direction to waive or modify the requirement for an agency to comply with an IPP.
4.1. Privacy Code of Practice for the Public Service Commission
The NSW Public Service Commission has developed a Privacy Code of Practice for the Public Service Commission to allow analysis and reporting about employment characteristics.
DEIT provides personal information to the NSW Public Service Commission for this purpose. Confidentiality and privacy arrangements underpin the workforce profile.
5. Public Registers
Under section 3(1) of the PPIP Act, a Public Register is defined as ‘a register of personal information that is required by law to be, or is made, publicly available or open to public inspection (whether or not on payment of a fee).’
The PPIP Act requires that a public sector agency responsible for keeping a Public Register must not disclose any personal information contained in it unless the agency is satisfied that it is to be used for a purpose relating to the purpose of the register.
When collating personal information required for any Public Registers, DEIT will only disclose this personal information where it is satisfied that the disclosure is for a purpose which relates to the register.
6. How to Access and Amend Personal Information
People have the right to access, amend and update personal information that DEIT holds about them.
Under sections 13 and 14 of the PPIP Act, DEIT must assist a person to find out what personal and health information it holds about them, and then provide access to this information without excessive delay. DEIT does not charge any fees to access or amend personal or health information.
DEIT encourages staff wanting to access or amend their own personal or health information to contact the Department’s P&C Branch.
For members of the public, a request for access to any personal information held by DEIT should be made in writing to the DEIT legal team (see below - Further Information and Contacts).
Any person can make a formal application to the DEIT and this application should:
- include the person’s name and contact details (postal address, telephone number and email address if applicable);
- explain what the person is seeking, such as whether the person is enquiring about the personal information held about them, or whether the person is wishing to access and amend that information; and
- if the person is seeking to access or amend their information:
  - explain what personal or health information the person wants to access or amend; and
  - explain how the person wants to access or amend it.
DEIT aims to respond in writing to formal applications within 20 business days and will advise the applicant how long the request is likely to take, particularly if it may take longer than expected.
7. Internal Review
Where DEIT engages in certain conduct that adversely and unduly impacts an individual, that individual is entitled to seek internal review of the conduct. Conduct involving or claimed to involve any of the following is reviewable:
- the contravention by DEIT of an IPP or HPP that applies to DEIT;
- the contravention by DEIT of a health or privacy code of conduct that applies to DEIT; and
- the disclosure by DEIT of personal information kept on a Public Register.
DEIT encourages individuals to try to resolve privacy issues informally before going through the review process, or to at least contact the DEIT General Counsel to discuss the issue before lodging an internal review.
An individual should remember that they have six months from when they become aware of the conduct to seek an internal review. The six month timeframe continues to apply even if attempts are being made to resolve privacy concerns informally. An individual may wish to consider this timeframe in deciding whether to make a formal request for internal review or continue with informal resolution.
7.1. Request for Internal Review
An individual who considers they have been unduly impacted by DEIT’s conduct can contact DEIT to try and resolve the issue informally. Alternatively, or if no informal resolution can be reached, individuals can also make a complaint to DEIT under section 53 of the PPIP Act and request a formal internal review of DEIT’s conduct in relation to the privacy matter (Internal Review).
Applications for Internal Review must:
- be in writing addressed to DEIT;
- include a return address in Australia; and
- be lodged with DEIT within six months of the time the applicant first became aware of the conduct which is the subject of the application.
The form for applying for a review of conduct under section 53 of the PPIP Act is at Appendix B (DOCX 193.52KB).
Requests for review must specify the alleged conduct by DEIT which has resulted in a breach of the IPPs/HPPs or Code of practice applicable to DEIT or disclosure of personal information from Public Registers held by DEIT.
Applicants who are not satisfied with the findings of the review or the action taken by DEIT in relation to the Internal Review have the right to appeal to the NSW Civil and Administrative Tribunal (NCAT) under section 55 of the PPIP Act.
7.2. Internal Review Process
The Privacy Coordinator is responsible for receiving, allocating and overseeing Internal Reviews in relation to privacy matters. The Privacy Coordinator provides a single point for individuals seeking further information on how DEIT complies with the Acts. The Privacy Coordinator will receive all correspondence and enquiries regarding the Acts, including any Internal Review requests.
The Privacy Coordinator’s role also includes monitoring, recording and reporting on the progress of all Internal Review applications received.
Within DEIT, the responsibilities of the Privacy Coordinator are currently held by the DEIT General Counsel.
Internal Reviews will generally be conducted by a delegated officer with no involvement in the matter giving rise to the complaint of breach of privacy (the Reviewing Officer). The delegated officer may seek legal or other assistance in conducting the review, including from the Privacy Coordinator.
Under section 54(1) of the PPIP Act, DEIT is required to notify the NSW Privacy Commissioner of the receipt of an Internal Review application and keep the NSW Privacy Commissioner informed of the progress of the Internal Review. In addition, the NSW Privacy Commissioner is entitled to make submissions to DEIT in relation to the application for Internal Review (section 54(2) of the PPIP Act).
Under section 53(6) of the PPIP Act, an Internal Review must be completed within 60 days of the receipt of the application.
Under section 53(8) of the PPIP Act, as soon as practicable, or in any event within 14 days, after the completion of the Internal Review, DEIT must inform the applicant of the:
- findings of the review (and the reasons for those findings); and
- action proposed to be taken by DEIT (and the reasons for taking that action); and
- right of the person to have those findings, and DEIT’s proposed action, administratively reviewed by NCAT.
When DEIT receives an Internal Review application, the Privacy Coordinator will send:
- an acknowledgment letter to the applicant and advise that if the Internal Review is not completed within 60 days, they have a right to seek a review of the conduct by NCAT; and
- a letter to the NSW Privacy Commissioner notifying them of the Internal Review application and provide a copy of the application.
There is an example of a letter of notification to the Privacy Commissioner of receipt of an application for an Internal Review.
The Reviewing Officer responsible for completing the final determination must consider any relevant material submitted by the applicant or the NSW Privacy Commissioner. Before completing the Internal Review, the Reviewing Officer should send a draft copy of the preliminary determination to the NSW Privacy Commissioner to invite any submissions.
DEIT follows the model of the Internal Review process provided by the NSW Information and Privacy Commission (Appendix C).
In finalising the determination, the Reviewing Officer will prepare a report containing their findings and recommended actions. The recommended action may be to:
- take no further action on the matter;
- make a formal apology to the applicant;
- take appropriate remedial action, which may include the payment of monetary compensation to the applicant;
- undertake that the conduct will not occur again; and/or
- implement administrative measures to ensure that the conduct will not occur again.
The Reviewing Officer will notify the applicant in writing of:
- the findings of the review;
- the reasons for the finding, described in terms of the IPPs and/or the HPPs;
- any action DEIT proposes to take;
- the reasons for the proposed action (or no action); and/or
- their entitlement to have the findings and the reasons for the findings reviewed by NCAT.
7.3. Retention of Internal Reviews
DEIT retains all applications for Internal Review in a secure Objective file and workflow. The workflow tracks the progress of the Internal Review process and the determination of the completed review.
The details retained in this system will provide the statistical information on Internal Review applications to be included in DEIT’s Annual Report.
7.4. Extensions of time for lodgement
While the PPIP Act allows six months to apply for an internal review from the time the applicant first becomes aware of the conduct, DEIT may accept late applications.
Possible acceptable reasons for delay may be:
- the applicant’s ill-health or other reasons relating to capacity, or
- the applicant only recently becoming aware of his or her right to seek an internal review, or the applicant reasonably believing that he or she would suffer ill-effects as a result of making an application at an earlier time.
However, late applications that cannot be investigated in a meaningful way because of their delay will be declined. In these cases, witnesses may no longer be available, documents may have been destroyed, and memories may have faded.
Final decisions on the acceptance of late applications will only be made by DEIT’s General Counsel, or under his or her delegation. Where the decision is made not to accept an application because of delay, the reason will be explained in a letter to the applicant.
8. External Review
External review processes are also available through the Privacy Commissioner and NCAT.
8.1. Complaints to the Privacy Commissioner
Any individual who considers his or her privacy has been breached can make a complaint to the Privacy Commissioner under section 45 of the PPIP Act and this complaint can be made without going through the Internal Review process of DEIT. The complaint must be made within 6 months (or such later time as the Privacy Commissioner may allow) from the time the individual first became aware of the conduct or matter the subject of the complaint.
However, the Privacy Commissioner can decide not to deal with the complaint if it would be more appropriately dealt with as an Internal Review by DEIT (section 46(3)(e) of the PPIP Act).
8.2. Administrative Review by NCAT
If the applicant is not satisfied with the outcome of DEIT’s Internal Review, they may apply to NCAT to review the decision. If DEIT has not completed the Internal Review within 60 days, the applicant can also take the matter to NCAT.
A person must seek an Internal Review before they have the right to seek an external review with NCAT (section 55(1) of the PPIP Act).
To seek review by NCAT, the individual must apply within 28 days from the date of the Internal Review decision or within 28 days of the Internal Review not being completed within 60 days.
NCAT has the power to make binding decisions on an external review (section 55(2) of the PPIP Act). For more information including current forms and fees, please contact NCAT:
Phone: 1300 006 228
Post: PO Box K1026, Haymarket NSW 1240
Visit: NSW Civil and Administrative Tribunal
Administrative and Equal Opportunity Division
Level 10 John Maddison Tower
86-90 Goulburn Street
Sydney NSW 2000
NCAT cannot give legal advice; however, the NCAT website has general information about the process it follows and legal representation.
9. Promoting the Plan
9.1. Executive and Governance
DEIT’s executive leadership team is committed to transparency in relation to compliance with the Acts. The leadership team reinforces transparency and compliance with the Acts by:
- endorsing this Plan and making it publicly available;
- reviewing and updating the Plan every three years; and
- reporting on privacy issues in DEIT’s Annual Report in line with the Annual Reports (Departments) Act 1985 (NSW).
9.2. Staff Awareness
To ensure that DEIT staff are aware of their rights and obligations under the Acts, DEIT will:
- publish this Plan and additional material in a prominent place on the DEIT intranet and website. Publication of this Plan on the website also educates members of the public about their privacy rights in relation to personal and health information held by DEIT;
- introduce this Plan as part of our staff induction with training provided as required to raise awareness and appreciation of the privacy requirements;
- provide refresher, and on-the-job training;
- highlight and promote the Privacy Management Plan;
- provide privacy briefing sessions at appropriate management forums; and
- notify staff of the privacy offence provisions.
10. Further information and contacts
For further information about this Plan, the personal and health information DEIT holds, or if you have any concerns, please contact the Privacy Coordinator of DEIT:
Level 9, 52 Martin Place
Sydney NSW 2001
For more information on privacy rights and obligations in New South Wales, please contact the NSW Privacy Commissioner at:
NSW Information and Privacy Commission
Level 17, 201 Elizabeth Street
Sydney NSW 2000
Last review date: March 2022
Next revision: October 2023