Privacy Management Plan
Privacy and Personal Information Protection Act 1998
- Privacy Management Plan
- The Privacy and Personal Information Protection Act 1998
- Information to which the Act applies - personal information
- The Information Protection Principles and their impact on the Department's operations
- Privacy Codes of Practice and Directions made by the Privacy Commissioner
- Restrictions on access to public registers
- Offence provisions of the Act
- Internal review of conduct
- Review of conduct by Privacy Commissioner
- Training and educating Department staff about privacy obligations
- Reviewing and reporting on plan
1. Privacy Management Plan
The Privacy and Personal Information Protection Act 1998 ("the Act") requires the Department of Premier and Cabinet to implement a privacy management plan, which must include provisions relating to:
- the devising of policies and practices to ensure compliance by the agency with the requirements of the Act;
- the dissemination of those policies and practices to Departmental staff;
- procedures for internal review under Part 5 of the Act;
- such other matters as are considered relevant by the Premier's Department in relation to privacy and the protection of personal information held by the Department.
This document constitutes the Department of Premier and Cabinet's privacy management plan, as updated from time to time.
The Director-General shall appoint a Privacy Officer to maintain the privacy management plan and to carry out such other functions as are provided for in the plan.
2. The Privacy and Personal Information Protection Act 1998
The Act establishes a regime for public sector agency handling of personal information. The Department of Premier and Cabinet has obligations to ensure it deals with personal information in accordance with the Act.
The key provisions of the Act are the Information Protection Principles ("IPPs"), which create obligations and restrictions relating to the collection, retention, use and disclosure of personal information.
The application of the IPPs to Departmental operations may be modified by:
- exemptions from the IPPs (see Chapter 4);
- a privacy code of practice (see Chapter 5); or
- a direction from the Privacy Commissioner, approved by the Attorney General (see Chapter 5).
It is important for all Department of Premier and Cabinet staff to familiarise themselves with the impact of the Act on the Department's operations, as staff who breach the Act may be held accountable for their actions and, in some cases, be subject to substantial fines or imprisonment (see Chapters 7-9).
3. Information to which the Act applies - personal information
The IPPs apply to "personal information", which is defined in section 4 of the Act as:
"information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion."
If information does not apply to such an individual, then Department staff need not consider the Act.
Section 4(3) of the Act defines various types of information which are not "personal information" for the purposes of the Act, even though they identify an individual.
The following is not personal information:
- information about an individual who has been dead for more than 30 years,
- information about an individual that is contained in a publicly available publication,
- information about a witness who is included in a witness protection program under the Witness Protection Act 1995 or who is subject to other witness protection arrangements made under an Act,
- information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 (Cth),
- information about an individual that is contained in a protected disclosure within the meaning of the Protected Disclosures Act 1994, or that has been collected in the course of an investigation arising out of a protected disclosure,
- information about an individual arising out of, or in connection with, an authorised operation within the meaning of the Law Enforcement (Controlled Operations) Act 1997,
- information about an individual arising out of a Royal Commission or Special Commission of Inquiry,
- information about an individual arising out of a complaint made under Part 8A of the Police Service Act 1990,
- information about an individual that is contained in a document of a kind referred to in clause 1 or 2 of Schedule 1 (restricted documents) to the Freedom of Information Act 1989 (ie Cabinet documents or Executive Council documents),
- information or an opinion about an individual's suitability for appointment or employment as a public sector official,
- information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection.
4. The Information Protection Principles (IPPs) and their impact on Department of Premier and Cabinet operations
4.1 General
4.1.1 The IPPs at:
- sections 8-11 (IPP 1-4) of the Act impact on the Department's collection of personal information;
- section 12 (IPP 5) of the Act impacts on the Department's security systems for handling personal information;
- sections 13-15 (IPP 6-8) impact on the Department's disclosure of personal information to the subject of that information;
- sections 16-17 (IPP 9-10) impact on the Department's use of personal information;
- sections 18-19 (IPP 11-12) impact on the Department's disclosure of personal information.
4.1.2 If the IPPs allow certain conduct that the Department is otherwise prohibited from doing, then the IPPs do not override that prohibition.
4.1.3 A Guide to the Information Principles is available on the Privacy Commission's website at www.lawlink.nsw.gov.au.
4.1.4 The application of each IPP to Department of Premier and Cabinet operations (as modified by the exceptions in the Act, privacy codes, or directions of the Privacy Commissioner) is addressed in turn.
4.2 Collection of personal information
4.2.1 The Department of Premier and Cabinet is not taken to have collected personal information if the information received is unsolicited. Therefore, the following four IPPs do not apply if Departmental staff receive personal information without asking for it.
IPP 1: Section 8 - Collection of personal information for lawful purposes
- A public sector agency must not collect personal information unless:
  - the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and
  - the collection of the information is reasonably necessary for that purpose.
- A public sector agency must not collect personal information by any unlawful means.
Department of Premier and Cabinet staff must not breach any law in collecting personal information.
Department of Premier and Cabinet staff should exercise particular caution in seeking criminal record information (eg for employment purposes). If staff seek this class of information, they should consider the Criminal Records Act 1991, particularly the spent conviction provisions.
In order to determine the types of personal information that are collected by the Department of Premier and Cabinet, it is necessary to look at the Department's functions.
The Department of Premier and Cabinet's role is to:
- provide strategic advice and services to the Premier;
- manage issues and projects of significance to the State;
- provide direction and leadership to the NSW public sector, especially in relation to the effective management of public sector staff and resources; and
- ensure a whole of government approach to policy development and service provision within the public sector.
The Department achieves this by providing advice on:
- people management and industrial relations policies and practices;
- strategic planning on public sector reform;
- reform of the management and policy framework for government administration;
- major investment projects, special events and issues of significance (across the whole of Government) to maximise their economic, social and environmental benefits to the State;
- co-ordinating infrastructure planning, delivery and management;
- corporate services reform initiatives and related policy development;
- undertaking agency program and management reviews, as well as performance measurement and reporting;
- policy, advice and administrative services to support efficiency and continuity in State administration; and
- management and co-ordination services for the Premier in community events, emergency and disaster response, official visits and executive and departmental administration.
Section 8 does not interfere with Department of Premier and Cabinet staff collecting personal information, as long as the collection is for the above purposes and is otherwise lawful.
IPP 2: Section 9 - Collection of personal information directly from individual
A public sector agency must, in collecting personal information, collect the information directly from the individual to whom the information relates unless:
- the individual has authorised collection of the information from someone else, or
- in the case of information relating to a person who is under the age of 16 years - the information has been provided by a parent or guardian of the person.
It is not possible or appropriate to collect personal information directly from the individual in many cases. This is recognised by the Act, which provides a range of exemptions to section 9.
Department of Premier and Cabinet staff need not comply with section 9 where non-compliance is lawfully authorised or required, or is otherwise permitted, or is necessarily implied or reasonably contemplated, under an Act or any other law (s25 of the Act). If Departmental staff are uncertain whether non-compliance is authorised on this ground, they should seek the advice of the Privacy Officer.
Where another public sector agency may lawfully disclose personal information to the Department of Premier and Cabinet, then the Department may lawfully collect such information. This is because the collection of such information has been clearly contemplated, either under the Act or other legislation. Section 25 therefore exempts compliance with section 9.
Department of Premier and Cabinet staff need not comply with section 9 if the collection of personal information:
- occurred prior to the commencement of the Privacy and Personal Information Protection Act 1998 on 1 July 2000;
- is from another Premier's Portfolio agency for the purpose of informing the Premier about matters relevant to the administration of the Premier's Portfolio (s28(3)(a));
- is provided from any public sector agency, for the purpose of informing the Premier about any matter (s28(3)(b));
- is in connection with proceedings, whether or not actually commenced, before any court or tribunal (s 23(2));
- is lawfully authorised or required, or is otherwise permitted, or is necessarily implied or reasonably contemplated, under an Act or any other law (s25);
- would prejudice the interests of the individual to whom the information relates (s26(1)).
IPP 3: Section 10 - Requirements when collecting personal information
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following:
- the fact that the information is being collected,
- the purposes for which the information is being collected,
- the intended recipients of the information,
- whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided,
- the existence of any right of access to, and correction of, the information,
- the name and address of the agency that is collecting the information and the agency that is to hold the information.
Department of Premier and Cabinet staff need not comply with section 10 if:
- they do not collect information from an individual in accordance with section 9;
- the individual consents (s26(2));
- non-compliance is lawfully authorised or required, or is otherwise permitted, or is necessarily implied or reasonably contemplated, under an Act or any other law (s25);
- compliance would prejudice the interests of the individual to whom the information relates (s26(1)).
IPP 4: Section 11 - Other requirements relating to collection of personal information
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that:
- the information collected is relevant to that purpose, is not excessive, and is accurate, up to date and complete, and
- the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.
This section only applies to personal information that must be collected from an individual in accordance with section 9. If Department of Premier and Cabinet staff collected the information from a person other than the individual to whom the information relates, in accordance with the exemptions under section 9, they need not consider section 11.
The steps that are reasonable will vary from case to case. In determining what steps are reasonable, Department of Premier and Cabinet staff should consider:
- the purpose for which the information was collected;
- the sensitivity of the information;
- how many people will have access to the information;
- the importance of accuracy to the proposed use;
- the potential effects to the individual concerned if the information is inaccurate, out of date, or irrelevant;
- opportunities for subsequently correcting the information.
If Department of Premier and Cabinet staff are uncertain what to do in any given instance, they should consult the Department's Privacy Officer.
4.3 Retention and security of personal information
IPP 5: Section 12 - Retention and security of personal information
A public sector agency that holds personal information must ensure:
- that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
- that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
- that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
- that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.
The Department of Premier and Cabinet's policies and practices in respect of the retention and disposal of state records are, and will continue to be, in accordance with the State Records Act 1998.
The Central Corporate Services Unit (CCSU) of the Department of Public Works and Services provides a range of services to the Department of Premier and Cabinet. Accordingly, the Department of Public Works and Services is required to prepare a privacy management plan setting out how that Department, including CCSU, will comply with the requirements of the Act. The CCSU will be required to comply with the privacy management plan when providing personnel and records management services to the Department of Premier and Cabinet.
The Department of Premier and Cabinet will also take the following steps to ensure the security of personal information in its possession:
- contracts with external service providers who may have access to personal information held by the Department of Premier and Cabinet will contain clauses requiring confidentiality, preventing the personal information being used for any other purpose, and requiring the return or safe destruction of any personal information that is provided to, and held by, the contractor;
- personal information held at the Department of Premier and Cabinet will be stored securely in an area not accessible to members of the general public;
- personal information temporarily removed from the Premier's Department by a member of staff must be kept with that staff member or placed in secure premises;
- personal information that is lawfully disposed of by the Department is to be shredded or placed in shredder bins;
- access to Department of Premier and Cabinet computers will be effected by way of a secure password and computers will be turned off before staff go home;
- access to databases within the Department of Premier and Cabinet will only be effected by a secure password, and a record of persons approved to access the database and an audit trail of access will be maintained; and
- Department of Premier and Cabinet computers will only be linked to other computers through the NSW Government intranet, which contains extensive security safeguards.
4.4 Disclosure of personal information to the subject of the information
IPP 6: Section 13 - Information about personal information held by agencies
A public sector agency that holds personal information must take such steps as are, in the circumstances, reasonable to enable any person to ascertain:
- whether the agency holds personal information, and
- whether the agency holds personal information relating to that person, and
- if the agency holds personal information relating to that person:
  - the nature of that information, and
  - the main purposes for which the information is used, and
  - that person's entitlement to gain access to the information.
IPP 7: Section 14 – Access to personal information held by agencies
A public sector agency that holds personal information must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information.
IPP 8: Section 15 – Alteration of personal information
A public sector agency that holds personal information must, at the request of the individual to whom the information relates, make appropriate amendments (whether by way of corrections, deletions or additions) to ensure that the personal information:
- is accurate, and
- having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading.
If a public sector agency is not prepared to amend personal information in accordance with a request by the individual to whom the information relates, the agency must, if so requested by the individual concerned, take such steps as are reasonable to attach to the information, in such a manner as is capable of being read with the information, any statement provided by that individual of the amendment sought.
If personal information is amended in accordance with this section, the individual to whom the information relates is entitled, if it is reasonably practicable, to have recipients of that information notified of the amendments made by the public sector agency.
Under these information protection principles, any person may apply to the Department of Premier and Cabinet to ascertain whether the Department holds personal information relating to that individual. Applications should be made in writing and directed to the Privacy Officer, Level 32, Governor Macquarie Tower, 1 Farrer Place, Sydney, NSW, 2000.
The Privacy Officer will refer the written application to the relevant Business Unit responsible for locating the personal information, liaising with the applicant and taking appropriate steps to comply with Information Protection Principles 6, 7 and 8.
It should be noted that section 5 of the Act provides that nothing in the Act affects the operation of the Freedom of Information Act 1989 ("FOI Act"). In particular, the Act does not operate to modify any exemption under the FOI Act or to lessen any obligation under the FOI Act.
Section 20 of the Act provides that, without limiting the generality of section 5, the provisions of the FOI Act that impose conditions or limitations with respect to any matter referred to in sections 13-15 of the Act continue to apply.
Accordingly, the FOI exemptions will need to be considered when deciding whether to provide access to personal information. The Department of Premier and Cabinet's FOI officer should be consulted in relation to the applicability of such exemptions. The relevant business unit will be responsible for preparing any necessary submissions for consideration by the Director General or their nominee. The Director General will be responsible for making any decision regarding the provision of access to personal information, or the making of any amendments to such information.
It is sufficient compliance with these IPPs for the Premier's Department to amend information in accordance with Part 4, Division 1, of the FOI Act 1989.
Where the Department of Premier and Cabinet becomes aware that it holds incorrect personal information, it may delete that information, notwithstanding any contrary provisions in the State Records Act 1998.
4.5 Use of personal information
IPP 9: Section 16 – Agency must check accuracy of personal information before use
A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
Before using personal information, Departmental staff should take reasonable steps to ensure the information is relevant, accurate, up to date, complete and not misleading.
The steps that are reasonable will vary from case to case. In determining what steps are reasonable, staff should consider:
- the purpose for which the information was collected;
- the sensitivity of the information;
- how many people will have access to the information (generally Departmental information will be made available to the Premier and/or a small number of other persons);
- the importance of accuracy or relevance to the proposed use;
- the potential effects on the individual concerned if the information is inaccurate, out of date, or irrelevant;
- the difficulty in checking the information; and
- the cost of checking the information.
If Department of Premier and Cabinet staff require advice on what steps are reasonable, they should consult the Department's Privacy Officer.
Other public sector agencies or portfolio agencies provide a great deal of the personal information used by the Premier's Department. The Department of Premier and Cabinet presumes that at the time this information is provided, it is relevant, accurate, up to date, complete and not misleading.
IPP 10: Section 17 – Limits on use of personal information
A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:
- the individual to whom the information relates has consented to the use of the information for that other purpose, or
- the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
- the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.
The Department of Premier and Cabinet generally uses personal information for the purpose of providing advice or support to the Premier, preparing correspondence for the Premier, or coordinating the activities of portfolio agencies. The Department of Premier and Cabinet regards the above purposes as being directly related to each other, as they are all necessary to provide effective support to the Premier and leadership in the NSW public sector.
If there are circumstances where the information was collected for some other purpose, then the use of that information for some unrelated purpose is only permitted:
- with the consent of the subject of the information (written consent should be obtained and kept);
- where necessary to prevent or lessen a serious and imminent threat to the life or health of any person;
- where reasonably necessary for the protection of the public revenue (s23(4));
- where investigating or otherwise handling a complaint or other matter that could be referred or made to, or could be referred from or made by, an investigative agency (s24(4));
- where non-compliance is lawfully authorised or required, or is otherwise permitted, or is necessarily implied or reasonably contemplated, under an Act or any other law (s25);
- for the purpose of informing the Premier of a matter either within the Premier's administration or another public sector administration (s28(3)).
4.6 Disclosure of personal information to third parties
IPP 11: Section 18 - Limits on disclosure of personal information
A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:
- the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
- the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
- the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
See section 19 for sensitive disclosures with tighter restrictions than section 18.
The Department of Premier and Cabinet generally collects personal information for the purpose of providing advice or support to the Premier, preparing correspondence for the Premier, or coordinating the activities of portfolio agencies. The Department of Premier and Cabinet regards the above purposes as being directly related to each other, as they are all necessary to provide effective support to the Premier and leadership in the NSW public sector.
There are a large number of exemptions to section 18 to allow disclosures that are in the interests of government efficiency. Department of Premier and Cabinet staff need not comply with section 18 if disclosure is:
- to the Premier and the Premier's Office;
- to another Premier's Portfolio agency for the purpose of informing the Premier about matters relevant to the Premier's portfolio (s28(3)(a));
- to a law enforcement agency to locate a person who has been reported as missing to the police (s23(5)(b));
- to any public sector agency which is investigating or otherwise handling a complaint which could be referred or made to an investigative agency (s24(4));
- lawfully authorised or required, or is otherwise permitted, or is necessarily implied or reasonably contemplated, under an Act or any other law (s25);
- authorised or required by subpoena, search warrant, or other statutory instrument (s23(5)(c));
- reasonably necessary for the protection of public revenue (s25(5)(d)(i));
- reasonably necessary in order to investigate an offence, where there are reasonable grounds to believe an offence may have been committed (s25(5)(d)(ii)); or
- made with the express consent of the subject of the information (s26(2)).
IPP 12: Section 19 – Special restrictions on disclosure of personal information
(1) A public sector agency must not disclose personal information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual activities unless the disclosure is necessary to prevent a serious or imminent threat to the life or health of the individual concerned or another person.
(2) A public sector agency that holds personal information must not disclose the information to any person or body who is in a jurisdiction outside New South Wales unless:
- a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction, or
- the disclosure is permitted under a privacy code of practice.
(3) For the purposes of subsection (2), a relevant privacy law means a law that is determined by the Privacy Commissioner, by notice published in the Gazette, to be a privacy law for the jurisdiction concerned.
(4) The Privacy Commissioner is, within the year following the commencement of this section, to prepare a code relating to the disclosure of personal information by public sector agencies to persons or bodies outside New South Wales.
(5) Subsection (2) does not apply:
- until after the first anniversary of the commencement of this section, or
- until a code referred to in subsection (4) is made, whichever is the later.
There are two distinct parts of section 19.
Section 19(1) deals with a number of categories of sensitive information which are subject to more stringent disclosure requirements than those which apply to other kinds of personal information under section 18.
Section 19(2), which relates to disclosures outside New South Wales, does not commence until 1 July 2001.
Exemptions to section 19 enable disclosure:
- to the Premier and the Premier's Office;
- to another Premier's Portfolio agency for the purpose of informing the Premier about matters relevant to the Premier's Portfolio (s28(3)(a));
- from any public sector agency to an agency under the administration of the Premier for the purpose of informing the Premier about any matter (s28(3)(b));
- where lawfully authorised or required, or otherwise permitted, or necessarily implied or reasonably contemplated, under an Act or any other law (s25);
- reasonably necessary in order to investigate an offence, where there are reasonable grounds to believe an offence has been committed or may be committed (s25(7));
- with the express consent of the subject of the information (s26(2));
- of health information, where consent can't be obtained, to a medical practitioner, health worker, or other official or employee providing health or community services (where such persons are employed by a public sector agency).
However, a strong presumption against the disclosures at para 4.6.5 should remain. Department of Premier and Cabinet staff should consult the Department's Privacy Officer if they wish to make such disclosures.
5. Privacy Codes of Practice and directions made by the Privacy Commissioner
The Act allows for privacy codes of practice to be made to vary the way the IPPs apply to the Department of Premier and Cabinet.
At this time, three Codes of Practice apply to the Premier's Department's operations. These are:
Privacy NSW: Office of the Privacy Commissioner, "Inter-Agency Transfers of Information".
This Code is designed to facilitate transfers of information amongst New South Wales's public sector agencies (as defined in s3 of the Act). Through this Code, the Privacy Commissioner has recognised that there are many transfers of personal information amongst Government agencies that are both legitimate and necessary. These transfers of information facilitate the business of government and enable it to be carried out more efficiently. However, the expectation is always that these transfers will be carried out with the goal of protecting, as far as possible, the integrity and confidentiality of the personal information concerned.
Part A of the Code, "Ministers and Ministerial Staff", is of particular importance to the Department of Premier and Cabinet. Ministerial staffers do not form part of the agency for which their Minister is responsible; rather, they are employees of the Premier's Department. The flow of information between the Department and the responsible Minister and their staff is obviously necessary for the effective briefing of Ministers and the efficient functioning of agencies. In practice this means that the information is transferred between different agencies (relevant agency and the Department of Premier and Cabinet) in order that the Minister can be provided with information.
This Code therefore covers the collection, use and disclosure of personal information by both Ministers and ministerial staff. Please see the attached Code for further details.
Privacy NSW: Office of the Privacy Commissioner, "Investigations Code"
This Code recognises that all public sector agencies have a mixture of implicit and explicit powers to conduct investigations in respect of their affairs. While investigative functions that are clearly set out in legislation are exempted from the principles by section 25 of the Act, many investigations by public sector agencies rely upon implied powers or occur pursuant to administrative as opposed to legislative arrangements. Examples of these include investigations of complaints, breaches of discipline and audit matters.
This Code therefore covers the collection, storage, use and disclosure of personal information during those investigative functions lawfully undertaken by the Department of Premier and Cabinet, for example grievances under the Public Sector Management Act 1984.
The NSW Department of Premier and Cabinet, "The Privacy Code of Practice for the NSW public sector Workforce Profile".
The Workforce Profile is an annual data collection conducted by the Department of Premier and Cabinet that allows analysis and reporting about the NSW public sector's employment characteristics. It consists of a regular collection of anonymous data.
The collection of the data is managed in accord with the Code of Practice, to the extent that the collection, storage, use and disclosure of the personal data for the purposes of the Workforce Profile involve departures from the IPPs in the Privacy and Personal Information Protection Act 1998.
The Privacy Commissioner, with the approval of the Attorney, may make a written direction that the Department of Premier and Cabinet is not required to comply with an IPP or privacy code, or that the application of an IPP/code is modified in respect of the Department.
6. Restrictions on access to public registers
A public register is a register of personal information that is required by law to be, or is made, publicly available or open to public inspection (whether or not on payment of a fee).
Part 6 of the Act prevents Department of Premier and Cabinet staff from accessing personal information held on public registers, unless the information is to be used for a purpose relating to the purpose of the register or the Act under which the register is kept.
If Department of Premier and Cabinet staff need to access public register information from an agency responsible for maintaining a register, they should consult with the Department's Privacy Officer.
7. Offence provisions of the Act
Section 62(1) of the Act establishes an offence for Premier's Department staff (including former Department staff) who, otherwise than in connection with the lawful exercise of their official functions, intentionally disclose or use personal information about another person to which they have had access in the exercise of their official functions.
Section 62(2) of the Act establishes an offence for a person to induce or attempt to induce the staff of the Department of Premier and Cabinet or any other public sector agency (by way of a bribe or other similar corrupt conduct) to disclose personal information about another person to which they have had access in the exercise of their official functions.
Section 63(1) of the Act establishes an offence for a person to offer to supply, or to claim they are able to supply, personal information they know, or ought reasonably know, has been or is proposed to be disclosed in contravention of section 62 of the Act.
These offences carry penalties of up to $11,000 and/or two years' imprisonment.
The court may also order the confiscation of any money or benefit obtained in connection with the above offences.
8. Internal Review of Conduct
Part 5 of the Act establishes procedures for a person to apply for a review of Department of Premier and Cabinet conduct that they believe breaches an IPP or a privacy code.
Applications for review must:
- be in writing;
- be addressed to the Privacy Officer, Department of Premier and Cabinet, Level 32, Governor Macquarie Tower, 1 Farrer Place, Sydney, 2000; and
- be lodged within 6 months (or later, if the Privacy Officer considers appropriate) of the time the applicant became aware of the Department of Premier and Cabinet conduct the subject of the complaint.
The Privacy Officer will assist applicants by:
- providing them with a copy of the Department of Premier and Cabinet's privacy management plan, upon request; and
- explaining the internal review process.
The Privacy Officer will undertake the review, unless:
- the Privacy Officer was substantially involved in any matter relating to the conduct that is the subject of the application, in which case the review will be undertaken by the Director-General of the Department of Premier and Cabinet or the nominee of the Director-General;
- the Director-General was substantially involved in any matter relating to the conduct that is the subject of the application, in which case the Department of Premier and Cabinet will request that the Privacy Commissioner take over the review (see para 8.6).
The Privacy Officer must, as soon as practicable after receiving an application for review, notify the Privacy Commissioner in writing of the application, and must thereafter keep the Privacy Commissioner informed of progress of the review.
The Privacy Officer may request that the Privacy Commissioner take over the review, or report to the agency on the application. The Privacy Commissioner may charge a fee for these services.
The Privacy Officer, in conducting the review, must consider any relevant material submitted by the applicant and Privacy Commissioner (whether a report requested by the Privacy Officer, or any other material the Commissioner may wish to submit).
The review must be completed as soon as practicable. If the review is not completed within 60 days of receipt of the application, the applicant may apply to the Administrative Decisions Tribunal (ADT) for review.
Following the completion of the review, the Privacy Officer may determine if the Department of Premier and Cabinet should:
- take no further action;
- make a written apology to the applicant;
- take remedial action (eg: compensation);
- provide undertakings that the conduct will not occur again;
- implement administrative measures to ensure the conduct will not occur again; or
- undertake other appropriate action (eg: correct incorrect personal information held by the Department of Premier and Cabinet).
The Privacy Officer, within 14 days of finalising the review, must notify the applicant and Privacy Commissioner of:
- the findings of the review, and the reasons for those findings;
- the action to be taken by the Department of Premier and Cabinet, and the reasons for taking that action; and
- the right of the applicant to apply to the ADT to review (a) and (b) immediately above, if he or she is not satisfied with those matters.
The ADT, in determining an application for review, may make orders in accordance with section 55 of the Act.
If the Director-General of the Department of Premier and Cabinet or the applicant is not satisfied with the decision or order of the ADT, they may appeal to the Appeal Panel of the ADT under Part 1 of Chapter 7 of the Administrative Decisions Tribunal Act 1997.
The Privacy Officer is to record all relevant details of applications and application outcomes, and is to make such information available to the Privacy Commissioner upon request.
9. Review of conduct by Privacy Commissioner
Complaints about Department of Premier and Cabinet conduct may also be made to the Privacy Commissioner.
The Privacy Commissioner may decide to deal with the complaint or to take no further action.
The Privacy Commissioner must inform the complainant of internal review processes and may refer a complaint to the Premier's Department's Privacy Officer for consideration, after discussing the appropriateness of referral with the complainant and the Privacy Officer.
The Privacy Commissioner may also decide to investigate the complaint. Department of Premier and Cabinet staff are to offer the Commissioner all possible assistance in any such investigation.
The Privacy Commissioner must endeavour to resolve any such complaint by conciliation and may make a written direction that Department of Premier and Cabinet staff and the complainant are to appear before the Commissioner in conciliation proceedings. If the Department of Premier and Cabinet fails to comply with the notice, then it is liable to a fine of up to $5,500.
If Department of Premier and Cabinet staff are called to appear in conciliation proceedings, another person may only represent them if the Privacy Commissioner consents to such an arrangement.
The Privacy Commissioner may make a written report on the complaint and provide the report to any person or body that appears to be materially involved in matters concerning the complaint.
10. Training and education of Department of Premier and Cabinet staff about privacy obligations
10.1 The Privacy Officer shall be responsible for the ongoing training and education of Department of Premier and Cabinet staff (including any third party service providers or consultants) about their obligations under the Act, by:
- ensuring the privacy management plan remains up to date;
- making a copy of the plan available to all current and incoming staff;
- informing staff of any changes to the plan;
- ensuring relevant privacy documents are consolidated and made available through the Department of Premier and Cabinet's intranet;
- conducting staff training sessions on privacy matters as required; and
- being available to answer any questions staff may have about their privacy obligations.
10.2 Where Department of Premier and Cabinet staff feel uncertain as to whether certain conduct may breach the Act, they should raise this matter with the Privacy Officer.
11. Reviewing and reporting on plan
11.1 The Department of Premier and Cabinet's Privacy Officer is to review the plan whenever:
- the Department of Premier and Cabinet wishes to introduce a new procedure for the collection, retention, use and disclosure of personal information; or
- a privacy code or a direction of the Privacy Commissioner, or the expiry of such a code or direction, modifies the application of the IPPs to the operations of the Department of Premier and Cabinet.
11.2 The Privacy Officer, in accordance with section 33(3) of the Act, is to ensure that the Department of Premier and Cabinet's Annual Report includes:
- a statement of the action taken by the Department in complying with the requirements of the Act; and
- statistical details of any review conducted by or on behalf of the Department under Part 5 of the Act.
11.3 The Director-General, on the advice of the Privacy Officer, may amend this plan as necessary. A copy of the amended plan should be circulated to all Premier's Department staff and the Privacy Commissioner as soon as possible after amendment.
