Reviews, complaints and investigations

What do I do if I believe my privacy has been breached?

If a person has a complaint about the conduct of NESA or a member of its staff in relation to the collection, storage, use or disclosure of personal or health information, NESA will attempt to resolve it informally where possible, under the complaint handling policy. You can make a complaint online to NESA. 

Alternatively, if a person would like to have the matter dealt with as internal review under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act), (an investigation with review rights at the NSW Civil and Administrative Tribunal, overseen by the NSW Privacy Commissioner,) they should contact NESA in writing, noting the following requirements.

Under Section 53 (3) of the PPIP Act, an application for an internal review must:

• be in writing
• be addressed to NESA
• specify an address in Australia to which a notice can be sent
• be lodged with NESA within six (6) months (or such later date as NESA may allow) from the time the applicant first became aware of the conduct which is the subject of the application; and
• comply with such other requirements as may be prescribed by the regulations to the Act.

NESA may in some cases accept a late application for internal review, where the six month time limit has been exceeded.  Reasons for lateness should be clearly set out and evidenced in the written application, and may include:

• ill-health or other reasons relating to incapacity
• the applicant only recently became aware of the ability to seek an internal review
• the applicant reasonably believed they would suffer repercussions as a result of making an internal review application at an earlier time. 

If NESA are unable to accept a late application for internal review, NESA will communicate the reasons to the applicant, together with advice as to how their complaint will be handled instead, as well as their right to complain to the NSW Privacy Commissioner.

What does an internal review involve?

An application for an internal review will be dealt with by an officer authorised by delegation in the NESA Administrative and Financial Delegations Manual. This officer would not have been substantially involved in the matter that is the subject of the application.

In processing the review, the officer will follow guidelines provided by the NSW Information and Privacy Commission.

The review will be completed as soon as is reasonably practicable in the circumstances and within 60 days from the day on which the application was received.

As a result of the review NESA may:

• take no further action on the matter; or
• make a formal apology to the applicant; and/or
• take such remedial action as thought appropriate; and/or
• provide undertakings that the conduct will not occur again; and/or
• implement administrative measures to ensure that the conduct will not occur again.

NESA is required to:

• notify the NSW Privacy Commissioner of an application for an internal review
• provide reports to the Privacy Commissioner on the progress of the internal review
• inform the Privacy Commissioner of the findings of the review and of the action taken by NESA in relation to the matter.

If requested by NESA, the Privacy Commissioner may undertake the review.

How will I be informed of the outcome of an internal review?

NESA will acknowledge receipt of an internal review within five working days, write to an applicant within 14 days of completing the review and advise the applicant of:

• the findings of the review and the reasons for those findings
• action proposed to be taken and the reasons for taking that action, and
• the right of the applicant to have the findings, and NESA’s proposed action, reviewed by the NSW Civil and Administrative Tribunal.