About the Privacy Management Plan
About the Department of Customer Service
DCS is an agency in the NSW Government. We are a service provider and regulator focused on improving customer experience across government agencies. We do this by improving laws, designing and implementing customer-centric services and initiatives informed by data analytics and behavioural insights, and making it easier to provide services to citizens and do business in NSW.
About the Privacy Management Plan
The DCS Privacy Management Plan (DCS PMP) explains how we manage personal and health information under NSW privacy laws. We have obligations to protect the privacy rights of customers, employees, and members of the public. The Plan is designed based on principles outlined in our DCS Policy Framework. This Plan will be reviewed and updated as required to ensure ongoing compliance with all applicable privacy laws and to address any changes in processes, procedures or other events.
Why we need this policy
We have an obligation to protect the privacy rights of customers, employees, and members of the public. Section 33 of the Privacy and Personal Information Protection Act 1998 (PPIP Act) requires that we have this DCS PMP available.
Our DCS PMP shows what measures we take to comply with the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) and the Health Records and Information Privacy Act 2002 (NSW) (HRIPA) to protect personal and health information.
Provisions in the privacy legislation provide for penalties up to two years in prison, an $11,000 fine or both for improperly using, disclosing, or providing access to personal or health information. The same penalties apply to interfering with the functions of the Privacy Commissioner such as by hindering the Privacy Commissioner or their staff.
Who this policy applies to
The DCS PMP covers agencies within the department and other bodies including the Board of Surveying and Spatial Information, Geographical Names Board, Rental Bond Board and NSW Telco Authority. There are some business units within DCS that have developed their own PMP.
All DCS employees and outsourced service providers engaged by DCS to perform work are required to comply with privacy legislation while undertaking work for us. Additionally, they are required to comply with the DCS Code of Ethics and Conduct and the DCS Conflicts of Interest Policy.
Privacy policies and practices
At DCS, we have a range of policies to ensure compliance with privacy legislation, to manage privacy risks and to deal with other matters relevant to privacy and the protection of personal and health information held by DCS.
Policies and procedures, including this DCS PMP, are communicated to employees in a range of ways, including through our intranet, printed copies and targeted training. Information about our privacy practices is also made available on our privacy intranet page.
For a full list, refer to Related Policies.
What is personal information?
Personal information is defined in s4 of PPIPA as: ‘information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion’.
Personal information is broadly defined and includes information or an opinion that identifies a person or that would allow a person’s identity to be discovered, using moderate steps, including by reference to other information. Information which, at face value, does not appear to identify an individual will still be personal information if the information can be combined with other information, including information held by DCS, to identify the person. For example, a customer reference number on its own may not be personal information but combined with other information it may be.
What is health information?
Health information is a specific type of personal information that is defined as:
Personal information that is also information or an opinion about:
- An individual’s physical or mental health or disability
- An individual’s express wishes about the future provision of health services to themselves
- A health service provided, or to be provided, to an individual
- Other personal information collected to provide a health service
- Other personal information about an individual collected in connection with the donation of an individual’s body parts, organs or body substances
- Genetic information that is or could be predictive of the health of a person or their relatives or descendants
- Healthcare identifiers.
What kind of personal information does DCS hold?
DCS undertakes a diverse range of functions and activities. The collection of customer information is a central part of many of these functions and activities. We also have substantial obligations in respect of maintaining personal files and records of our employees.
As a consequence, we hold a large amount of personal and health information about customers and employees in a number of different locations and formats. To fulfil our various functions and activities, we hold a broad range of personal and/or health information obtained through our business areas. These include the NSW tax system, fair trading or home building disputes, licences and certificate applications. The following personal and health information may be collected, depending on the specific needs of the customer and the agency:
- Name and contact details
- Date of birth
- Signatures
- Wages/Income details
- Correspondence
- Complaints
- Tax file numbers
- Payroll tax
- Interpreter use
- Home address
- Criminal records
- Employment details
- Insurance claims history
- Insurance information
- Job specifications
- Land tax
- Land title information
- Financial and bank accounts
- Bankruptcy information
- Compliance history
- Medical certificates and injuries
The above list is not exhaustive.
We may also hold other personal or health information provided by customers for a range of specific functions of our divisions. We may collect information electronically, in hard copy, via email or over the phone.