IDSupport NSW Privacy Statement
IDSupport NSW (IDSupport) is part of the NSW Department of Customer Service and has been established to provide identity support services to NSW government agencies and individuals who have been affected by a data breach.
About this statement
This Statement provides an overview of how we handle your personal information in line with our obligations under the Privacy and Personal Information Protection Act 1998 and Health Records and Information Privacy Act 2002.
This Statement should be read in conjunction with the NSW Department of Customer Service’s Privacy Statement and any privacy code of practice or health privacy code of practice that may apply.
Changes to this Statement
We may review and update this Privacy Statement from time to time to take account of new laws, technology and changes to our operations.
Personal information is information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
Why we collect personal information from you
We collect personal information from you for the following purposes:
- to undertake harm assessments, to enable us to form a view as to what harm to you, if any, may arise from a data breach or identity compromise
- to provide identity support services to you, including so that we can provide specific advice or support services to help you mitigate risks arising from a data breach or identity compromise
- to help with the remediation of your government issued identity documents and credentials where they have been compromised
- to develop an identity risk profile for you that will help us identify steps that can be taken to mitigate the risk of harm to you that has arisen from a data breach or identity compromise
- to create a “single view of customer” that enables us to provide you with tailored services, including by reference to your particular risk profile
- to provide identity support services to a government agency that has requested assistance from us, including by providing a recommended response to a particular data breach that involves your personal information
- to update your contact details or to otherwise ensure that the information about you that we hold is accurate, including (where relevant) by having regard to other information that DCS or another government agency holds.
We keep a record of the information we obtain through our interactions with you and use this information to decide what advice to give you and to identify any specific support services that can help you mitigate risks arising from a data breach or identity compromise.
We may share your personal information with a contracted service provider. If we do that, the privacy obligations that apply to our handling of your personal information also apply to the contracted service provider’s handling of your personal information.
In contacting IDSupport NSW, you are not required to provide your name or any other personal information to us. However, should you elect not to do so, IDSupport may be limited in the advice or support that we can provide you.
How we collect personal information
We collect personal information directly from you when you contact IDSupport NSW for assistance.
In some instances we may contact you at the request of an agency that has experienced a data breach, or where we have been provided with an unsecured data set that contains your identity information, and we may also collect personal information from you then.
IDSupport will automatically record the following details for all calls placed to our Call Centre:
- telephone number
- date, time and duration of telephone call
We may request other types of information from you, including to verify your identity.
Through our interactions with you, we may request information such as your name, contact details, the specific details of how you have been affected by a data breach or identity compromise, and other relevant information.
Telephone calls to IDSupport may also be recorded for quality control and training purposes. However, you can opt out from having your telephone conversation with a IDSupport Call Centre representative recorded at the commencement of the call.
When you visit the IDSupport website, IDSupport will collect the following information automatically:
- the IP (Internet Protocol) address of the machine which has accessed it
- your top-level domain name (for example .com, .gov, .au, .uk etc.)
- the address of your server
- the date and time of your visit to the site
- the pages accessed, documents downloaded and keywords searched on the website
- the previous website visited
- the type of browser and operating system you have used
- the number of screen colours displayed on the device
- the time spent on each page.
Disclosing your personal information
We may disclose your personal information:
- to another government agency, where that agency experienced a data breach involving your identity information, to enable that agency to respond to the breach
- to another government agency, to ascertain or confirm your up to date contact details
- to another government agency, to help you have government issued identity documents or credentials remediated
- to the New South Wales Police Force or another law enforcement agency (for example, where you are the victim of identity crime)
- to another person or body, to help prevent or lessen a serious and imminent threat to life or health
- to IDCARE to enable identity remediation support, guidance and counselling services
- to another person or body as otherwise authorised, required, necessarily implied or reasonably contemplated by law
In most cases, we will only disclose your personal information with your consent. We will only disclose your personal information without your consent if there is some other legal basis for us to do so.
If we disclose your personal information to another NSW public sector agency, it will also be bound by privacy law.
Protecting personal information
We take reasonable security measures to protect personal information from loss, unauthorised access, use, modification, disclosure or other misuse.
For example, we use:
- multi-factor authentication to authenticate employees before they can access our systems
- physical measures, such as building and equipment security
- digital technology, such as data encryption and firewalls, to minimise unauthorised access to information.
We ensure that personal is not kept longer than necessary, and disposed of appropriately, in accordance with the law.
References to personal information in this Statement may include health information. Health information is a specific type of personal information and includes information about your health and any disability.
We generally do not collect health information from individuals. However, if you provide us with your health information voluntarily (for example, if you tell us how a data breach has affected you, and you include details about any health impacts, or if you ask us to help you in relation to a data breach that involves your health information), we will keep a record of this information to the extent that it is relevant to the identity services that we provide to you.
By law, if we collect your health information from someone other than you, we are required to ensure that you are generally aware of the purposes for which we collect it, and other specified matters. We generally do not collect health information from third parties. However, it is possible that an unsecured data set may be provided to us that contains your health information. In that case, we would only use the health information in order to provide identity remediation services. If we do collect your health information from someone other than you, we only do so in accordance with any applicable law.
How to access or correct your personal information
We encourage you to contact IDSupport if you are trying to access or amend your information.
You can contact IDSupport by phone on 1800 00 10 40 or complete our contact form.
Privacy enquiries and complaints
If you wish to make an enquiry or complaint relating to the handling of your personal information by IDSupport, contact us using the details below. This includes if you are having difficulty accessing or correcting your information.
We may collect additional personal information to investigate and resolve your enquiry or complaint.
If you wish to make an enquiry or privacy complaint relating to the handling of your personal information by an NSW agency other than the Department of Customer Service, we recommend that you contact that relevant agency directly.
The website of the Information and Privacy Commission of NSW has further information and advice on complaints processes available to individuals:
Who to contact
If you would like to access, update or correct your personal information, please contact:
Privacy Coordinator - IDSupport NSW
- Post: Department of Customer Service, 2-24 Rawson Place, Sydney NSW 2000
- Phone: 1800 00 10 40
- Complete our contact form