Privacy Management Plan
This is the Privacy Management Plan for the Department of Regional NSW (the department).
Our plan shows what measures we take to comply with the NSW Privacy and Personal Information Protection Act 1998 (PPIPA) and the NSW Health Records and Information Privacy Act 2002 (HRIPA) to protect personal and health information. The plan also satisfies the requirements of section 33 of the PPIPA.
The 12 Information Protection Principles (IPPs) in the PPIPA and the 15 Health Privacy Principles (HPPs) in the HRIPA set out how we must collect, store, use and disclose your personal and health information, how we must give you access to it and amend it, and when we must destroy it once it is no longer needed.
This Privacy Management Plan applies to both personal and health information, unless otherwise stated.
The objectives of the plan are to:
- detail our commitment to protecting the privacy of our clients, staff and others about whom we hold personal or health information
- inform our employees about how to manage and protect personal and health information
- describe how to request access to and/or amendment of personal or health information about yourself, held by us
- integrate the IPPs and HPPs into existing and future policies, guidelines and procedures that address information issues
- set complaint handling and internal review procedures
- inform you on how to request an internal review
- explain your right to apply to the NSW Civil and Administrative Tribunal, in cases where you remain dissatisfied with internal review findings.
Your personal information relates to you personally and includes such things as your name, address, phone number, email address or any information from which your identity can be reasonably ascertained. Some examples include:
- a written record which may include your name, address, and other identifying details about you
- electronic records, photographs, images, video or audio footage
- biometric information such as fingerprints, blood and records of genetic material.
The department collects a variety of personal information about you depending on how you interact with us. Some examples of information that we collect include:
- your email address, phone number and other contact details
- information about your boat or vehicle, if you apply for a boating licence or book a spot for hunting
- your résumé or curriculum vitae (CV), if you apply for a job with us
- bank account details, so we can pay you
- your tax file number, where required for salary, wages or other payments
- details of your property in relation to natural disasters, plagues, farming, biosecurity, or activities such as forestry and mining
- health information, if you are an employee, or if you are involved in an incident that we need to deal with or investigate
- footage or images taken during compliance action.
The PPIPA excludes certain information from the definition of personal information. The most significant exemptions are:
- information contained in publicly available publications
- information about a person’s suitability for public sector employment
- information about people who have been dead for more than 30 years
- a few exemptions relating to law enforcement investigations
- matters contained in Cabinet documents.
The collection of information is covered by IPPs 1-4 and HPPs 1-4. Where possible, we collect personal information directly from you. It would be rare for us to collect information about you from a third party; one example is where you are unable to provide the information yourself.
We only collect information that is required for, and relevant to, a specific purpose. For example, we will only ask for your email address if we need to contact you by email. We will not ask you for personal or health information that we do not need, and we ask that you do not send us personal information until we request it.
When we collect information from you, we will explain why it is being collected, what we will use it for, who is likely to receive it, and that you have the right to access, amend and, where applicable, suppress it.
Staff members (including those managing contractors and consultants) are responsible for meeting these requirements by providing a collection notice. The notice may appear on forms, surveys or questionnaires, in web-based transactions or in other instruments, or may be given to you verbally.
We are obliged to provide a collection notice or privacy statement whenever we collect personal information from you. If your information is to be used for a purpose other than the one it was collected for, your consent is required, in addition to any privacy statement or collection notice.
Consent means express consent or implied consent. For consent to be valid:
- you must be adequately informed before giving it,
- it must be given voluntarily,
- it must be current and specific, and
- we must consider your capacity to understand and communicate your consent.
You can give express consent either orally or in writing.
Implied consent arises where consent can reasonably be inferred from your conduct in the circumstances. Silence is not consent.
'Voluntarily' means that you had a genuine opportunity to give or withhold your consent. Consent is not voluntary where duress, coercion or pressure could overpower your will.
Opting out is not an advisable way to seek consent. However, there are times when it is our most appropriate option. If an opt-out is used, the following factors must be met, where relevant:
- the opt-out option is clearly and prominently presented
- it is likely that the information about the collection, use or disclosure and the opt-out was read (for example, it formed part of a form you filled out)
- information about the implications of not opting out was given
- the opt-out is freely available and not bundled with other purposes
- it is easy to opt out, with little or no effort required
- the consequences of failing to opt out are not serious
- if you opt out later, we treat you, as far as practicable, as if you had opted out from the start.
Providing a privacy collection notice is one of the most important privacy obligations, because the notice defines what we may use or disclose the information for.
A privacy collection notice is a one-way form of communication: you do not need to indicate your agreement or consent; we are simply informing you of how we intend to use your information.
A privacy collection notice must inform you of:
- Why we are collecting the information (the purpose)
- What we will do with it (for example, process your request)
- Who else might see it (any third parties, for example)
- If the information is required by law, or is being provided voluntarily
- The consequences for not providing the information
- How to request access to and/or amend the information.
Two generic collection notice templates are provided here for use by staff. The first is for where providing the information is voluntary, the second for where it is mandatory. A sample verbal collection notice is also included.
Sample collection notice – voluntary to provide personal information
When you contact the Department of Regional NSW, any personal information (such as your name, email or telephone number) that you provide will be used for the purpose of responding to you.
The supply of the information is voluntary. If you do not provide the information, we may not be able to properly respond to you.
We will not disclose information about you to any person except where required to fulfil the purpose for which you are providing the information, or where permitted by law.
If you want to gain access to, or amendment of, your personal information, or want more details about privacy, please contact us at email@example.com.
Sample collection notice – Mandatory to provide personal information
In completing this form/application/online request, you will be prompted to provide personal information (such as your name, email or telephone number). This is so we can … (the purpose of collecting the information).
We may also use your information to … (any related secondary purpose).
You must provide this information, otherwise we are unable to transact with you.
We will not disclose information about you to any person except where required to fulfil the purpose for which you are providing the information, or where permitted by law.
If you would like to gain access to, or amend, your personal information, or require more details about privacy, please contact us at firstname.lastname@example.org.
Sample collection notice – verbal
When collecting information verbally (e.g. during a telephone conversation) we can use less formal wording, so long as we explain how the personal information will be used and to whom we are likely to disclose it. If the person asks further questions about whether the information is really needed, we can go into more depth, mention the access and amendment rights, and/or offer to let them speak with an officer from the Governance and Information Request team.
If we need to obtain the person's verbal consent to a secondary use or disclosure, we must explain what we are asking for and ensure they understand that they are free to say 'no'. We must make a file note of what was said, or record it in another appropriate way, so that it can be referred to later if required.
IPP 5 and HPP 5 cover the secure storage of personal information. Each business unit applies security appropriate to the information it holds. We have an Information and Communication Technology (ICT) policy, restrict access to systems with passwords and, where possible, encrypt information so that it is protected and kept secure. All staff must also comply with the Code of Ethics and Conduct and receive privacy training.
Personal information is only kept for as long as it is needed. In order to comply with the State Records Act 1998, we apply retention periods to information, to ensure it is disposed of when permitted under that Act.
IPPs 6-8 and HPPs 6-8 relate to the access and amendment of personal or health information.
If you wish to know whether we hold personal information about you, the nature of the information and the reason we hold it, you can contact us directly to enquire. If you believe that your personal information held by us is inaccurate, irrelevant, not up to date, incomplete and/or misleading, you can request that it be amended.
To make an access or amendment request, you can contact the business area holding the information (if known), use the Feedback Assist tool on the right-hand side of our website, or email us at email@example.com.
Before use, we ensure that personal information is accurate, up to date, relevant, complete and not misleading (IPP 9 and HPP 9). We do this by checking the date we last contacted you; if that was some time ago, we may get in touch by phone or email to confirm that the information we hold about you is accurate.
We only use personal information for the purpose for which it was collected, or a directly related purpose (IPP 10 and HPP 10). Examples include sending you a reminder that a bill, licence or other service is due, informing you of important information relevant to your interaction with us, or quality assurance activities such as evaluating our services.
If we need to use the information for another purpose that is not directly related, we are required to ask for your consent. Exceptions include where the information is used to prevent danger to someone, and the other specific situations set out in the PPIPA.
We only disclose (IPPs 11-12 and HPPs 11 and 14) information to other parties if:
- you agree to the disclosure; or
- you are aware that this sort of information is usually disclosed (because we informed you of that in our collection notice); or
- we need to disclose the information to fulfil the purpose for which it was first collected; or
- information is supplied by us to prevent danger to someone.
Information relating to ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities is never disclosed without consent, except where necessary to prevent a serious and imminent threat to the life or health of any person.
Personal information is not given to anyone outside NSW unless there are similar privacy laws in that person's state or country or the disclosure is allowed under a privacy code of practice, or under legislation (such as HRIPA and PPIPA).
Health information is defined in the HRIPA and includes information or an opinion about your physical or mental health, health services provided to you, and other personal information that arises from a health service or relates to your health.
Any health information we collect is handled in the same way as personal information, with the additional HPPs applied as well. HPP 12 provides that we may assign an identifier to you only if it is reasonably necessary to carry out our functions efficiently. We currently have no need to do so, as we do not provide health services.
HPP 13 means that, where it is lawful and practicable, you will be given the opportunity to remain anonymous when transacting with us. We will only include your health information in a health records linkage system with your express consent (HPP 15).
We take extra care when handling health information, to ensure that it is kept secure, and that all the HPPs are complied with.
Both the PPIPA and the HRIPA provide specific exemptions from the IPPs and the HPPs. Those in the PPIPA are set out in sections 22-28:
- law enforcement and related matters (section 23)
- investigative agencies (section 24)
- where lawfully authorised or required (section 25)
- when it would benefit the individual concerned (section 26)
- specific exemptions in relation to ICAC, NSW Police Force, PIC and the NSW Crime Commission (section 27)
- exchanges between public sector agencies (section 27A)
- research (section 27B)
- credit information (section 27C)
- other exemptions (section 28).
The exemptions to the HPPs under the HRIPA include:
- where lawfully authorised or required
- where non-compliance is otherwise permitted under an Act or any other law
- there is a serious threat to health or welfare
- the use for a secondary purpose, such as management of health services, training and/or research will only be done where it is not possible to carry out that purpose using de-identified information and it is not reasonably practicable to seek your consent
- finding a missing person
- suspected unlawful activity, or conduct that may be grounds for disciplinary action.
Lastly, you may consent to us not complying with some or all of the IPPs or HPPs in particular circumstances.
Staff should only rely on an exemption in the PPIPA or HRIPA after seeking advice; contact firstname.lastname@example.org.
Under the PPIPA, a public register is a register of personal information that is required by law to be, or is otherwise made, publicly available or open to public inspection. Information on a public register is only made available for a purpose that relates to the purpose of the register, or of the Act under which the register is kept.
We are required under legislation to keep a number of public registers. For example, section 34S of the Fisheries Management Act 1994 requires us to maintain a register of fishing business determinations. Similarly, section 156A of the Mining Act 1992 provides that we must have a public register of access arrangements of holders of a prospecting title.
Before releasing personal information from a public register, we must be satisfied that there is a proper reason for doing so. The only exceptions to these general rules arise where the Attorney General makes a regulation, or approves a privacy code of practice, that modifies them. For example, the public registers held by NSW Land Registry Services have been excluded from the public register provisions by regulation, and privacy codes of practice have been approved to modify the public register provisions for some registers.
Any person whose personal information is recorded in a public register has the right to request that their details be suppressed. This protects people whose position or occupation requires a high level of personal security, or who have well-founded fears of violence or harm, for example victims of domestic violence, police informants, judges and senior police officers. To suppress your information in a public register held by us, please contact us at email@example.com.
In some of our work locations, cameras, computers or tracking devices may be used to carry out surveillance of our employees. When this occurs, the Workplace Surveillance Act 2005 must be complied with.
Members of the public are not affected by this, other than perhaps being captured by the video recordings, tracking or other surveillance in place.
Surveillance that employees have not been properly notified about is automatically regarded as 'covert surveillance' and is generally prohibited by legislation, except for the purpose of establishing whether employees are involved in unlawful activity while at work. Covert surveillance can only be carried out under a covert surveillance authority issued by a Magistrate.
Recording of private conversations is covered by the Surveillance Devices Act 2007. Legal advice can be sought, internally or externally, by staff, in respect of both workplace surveillance and the recording of private conversations.
If overt surveillance is in place, employees must be given written notice that includes the following items:
- the kind of surveillance used (e.g., camera, computer, or tracking)
- how the surveillance will be carried out
- when it will start
- whether it will be continuous or intermittent, and
- whether the surveillance will be ongoing or for a specified limited period.
Information or results collected through overt surveillance cannot be used or disclosed unless the use or disclosure is:
- related to the employment of our employees,
- related to our business activities or functions,
- to a law enforcement agency in relation to an offence,
- related to civil or criminal proceedings, or
- reasonably believed necessary to avert an imminent threat of serious violence to persons or substantial damage to property.
A breach of these restrictions carries a fine. An employee, or any other person captured by the surveillance, can request access to the information. Such requests can be made under the PPIPA or the Government Information (Public Access) Act 2009.
The Privacy Commissioner may make a direction to waive or modify the requirements for a public sector agency to comply with an IPP or HPP or a privacy code of practice.
Agencies can request a direction. The general intent is for the directions to apply temporarily. If a modification is required for longer, then a privacy code of practice may be more appropriate.
A privacy code of practice may be created to allow an agency to modify the application of one or more IPPs or HPPs or specify how they are to be applied to particular activities or classes of information.
The Data Sharing (Government Sector) Act 2015 (DSGS Act) was created to promote the sharing of information for certain purposes, including allowing the government to carry out data analytics to identify issues and solutions for better policy development, program management, and service planning and delivery.
The DSGS Act provides for the expeditious sharing of information with the Data Analytics Centre (DAC) or between other government sector agencies. It also provides protections in connection with data sharing and ensures compliance with the requirements of PPIPA and HRIPA.
Before responding to a request from DAC to provide information, we may ask the Privacy Commissioner to guide us on the best way to comply with the request.
Other agencies, such as NSW Police, the Ombudsman's Office or ICAC, may send us a request for information. When such a request is received, we ask that it be made in writing, cite the legislation that authorises the sharing of the information, and nominate a contact person.
Before releasing information to the other agency, we check the cited legislation and confirm that the request is legitimate. This is usually done by telephoning the nominated officer on the agency's published general number, rather than on any number given in the letter or email, so that a forged letter or spoofed email cannot supply its own 'verification' contact.
Memorandum of understanding
There are times when it is necessary to have a Memorandum of Understanding (MOU) with another agency or entity in order to carry out our functions. For example, the Game Licensing Unit (GLU) of the Department of Primary Industries, within the Department of Regional NSW, has an MOU with Forestry Corporation of NSW (FCNSW) to share information in relation to the administration of licensed hunting on State forests.
Any MOU will always contain clauses that ensure that information continues to be protected and that both parties comply with the IPPs in the PPIPA and the HPPs in the HRIPA.
Sharing information outside NSW
Where the recipient of any personal or health information is outside NSW, we only provide it with your consent or where such disclosures are allowed under the provisions of the PPIPA and/ or the HRIPA.
Where possible, we enter into a contract or agreement that stipulates that the other party must comply with the IPPs and HPPs.
Privacy complaints and internal reviews
If you believe that we may have breached your privacy, have not complied with an IPP or HPP, or have not responded to a request for access or amendment, you can:
- raise an informal complaint, or
- apply for an internal review of our conduct.
If you want to resolve an issue informally, please contact the relevant area, if known, to discuss it. Your informal complaint may be handled under a relevant complaint handling procedure if that is considered a better way to respond.
Informal complaints are dealt with by our officers and carry no formal review rights.
An informal complaint may be referred for internal review if it is considered that a serious breach of privacy has occurred, or that it is more appropriate to deal with the complaint on a formal basis.
Requests for an internal review should be addressed to firstname.lastname@example.org.
Under the HRIPA and PPIPA, complaints or applications for internal review to us:
- should be lodged within six months of becoming aware of the legal implications/ significance of the alleged conduct
- should be in writing
- must have a return address in Australia (preferably an email).
There is no cost to lodge a complaint or request an internal review. Reviews must be completed within 60 days.
An internal review is the formal process. If you are dissatisfied with its outcome, you can apply to the Administrative and Equal Opportunity Division of the NSW Civil and Administrative Tribunal for a review of our conduct.
An internal review is conducted by a senior officer who was not substantially involved in the matter. This officer is responsible for reviewing the action or decision and deciding whether it was correct. The senior officer can seek advice from the Governance and Information Request team.
A privacy impact assessment (PIA) may be required to assess any actual or potential effects that an activity, project or proposal may have on personal information. A PIA can also outline ways in which identified risks can be mitigated and positive impacts enhanced. Public consultation and measuring community expectations are an important part of any thorough PIA.
It may not be possible to eliminate or mitigate every risk, but ultimately a judgement will be made as to whether the public benefit to be derived from the project will outweigh the risk posed to privacy.
To know if a PIA is required, staff should answer the following questions.
Will the project involve:
- the collection of personal information, compulsorily or otherwise?
- a new use of personal information that is already held?
- a new or changed system of regular disclosure of personal information, whether to another agency, another State, the private sector, or to the public at large?
- restricting access by individuals to their own personal information?
- new or changed confidentiality provisions relating to personal information?
- a new or amended requirement to store, secure or retain personal information?
- a new requirement to sight, collect or use existing ID, such as an individual’s driver’s licence?
- the creation of a new identification system, e.g. using a number, or a biometric?
- linking or matching personal information across or within agencies?
- exchanging or transferring personal information outside NSW?
- handling personal information for research or statistics, de-identified or otherwise?
- powers of entry, search or seizure, or other reasons to touch another individual (e.g. taking a blood or saliva sample)?
- surveillance, tracking or monitoring of individuals’ movements, behaviour or communications?
- moving or altering premises which include private spaces?
- any other measures that may affect privacy?
If the answer to one or more of the above questions is “yes”, then advice should be sought from the Governance and Information Request team and a PIA should be seriously considered.
If a data breach is identified, whether serious or not, affected individuals will be notified, unless the information involved is not sensitive and the breach poses little or no risk of harm, in which case we may decide that notification is not required.
Notifying individuals helps them mitigate any damage and reflects positively on our organisation. If the data breach creates a real risk of harm to an individual, they must be notified immediately, or as soon as possible.
A serious data breach is one where there is unauthorised access to, unauthorised disclosure of, or loss of, personal information, and as a result there is a real risk of serious harm to any of the individuals to whom the information relates.
Examples include information sent to the wrong recipient, a cyber-attack, unauthorised use of, access to or modification of data or information systems, a compromised user account, a malware infection, an equipment failure, or the theft of a device containing personal information.
The NSW Privacy Commissioner is notified of any privacy/data breach.
Staff may use and adapt the following breach notification to inform affected individuals.
I am writing to you with important information about a recent data breach involving your personal information / information about your organisation.
We became aware of this breach on [date]. The breach occurred on or about [date] and occurred as follows:
[describe the event, including as applicable, the following:
- A brief description of what happened
- Description of the data that was inappropriately accessed, collected, used or disclosed.
- Steps the individual/organisation should take to protect themselves from potential harm from the breach,
- A brief description of what the department is doing to investigate the breach, control or mitigate harm to individuals/ organisations and to protect against further breaches.]
Please call me with any questions or concerns you may have about the data breach.
[OPTIONAL - We have established a section on our website [insert link] with updated information and links to resources that offer information about this data breach.]
We take our role in safeguarding your data and using it in an appropriate manner very seriously. Please be assured that we are doing everything we can to rectify the situation.
Please note that you are entitled to register a complaint with the NSW Privacy Commissioner about this breach. Should you have any questions regarding this notice or if you would like more information, please contact me by telephone on [number], or via email [email address].
[name and signature block]
All staff have a duty to act in accordance with this plan. Staff are also required to comply with the Code of Ethics and Conduct.
If staff feel unsure as to whether certain conduct may breach their privacy obligations, they should seek advice from the Governance and Information Request team.
It is a criminal offence, punishable by up to two years’ imprisonment, for any employee (or former employee) of our organisation to intentionally use or disclose any personal information about another person, to which the employee has or had access in the exercise of his or her official functions, except as necessary for the lawful exercise of his or her official functions.
Section 308H of the Crimes Act 1900 makes it an offence to knowingly cause unauthorised access to, or modification of, restricted data held in a computer; for staff, accessing or modifying records for purposes not connected with their duties is not authorised.
Part 8 of the PPIPA and part 8 of the HRIPA provide further details about offences in respect of personal and health information. These parts also provide certain protections from liability where a person has acted in good faith.
The following broad strategies are used to ensure ongoing compliance with privacy legislation:
- As part of our induction program, new staff are provided with information to raise their awareness and appreciation of privacy requirements
- Refresher and on-the-job training are provided to specialist staff
- The plan is promoted during Privacy Awareness Week each year
- Specialist privacy advice is provided internally to staff
- A privacy e-learning module is available for all staff
- Privacy is discussed quarterly at our internal Community of Practice
- The plan is published on our website and reviewed/updated every two years
- Every five years we formally review/ audit our compliance with privacy legislation.
The next review of this plan is scheduled for 2023.
You can seek privacy advice from the Information and Privacy Commission (IPC):
You can apply for a review by the Administrative and Equal Opportunity Division of the New South Wales Civil and Administrative Tribunal (NCAT).
Phone: 1300 006 228