The Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) sets out how NESA must manage personal information.
Personal information is defined in Section 4 of the PPIP Act and is essentially any information or opinion about a person whose identity is apparent or can be reasonably ascertained from the information or opinion. Personal information can include a person’s name, address, family life, sexual preference, financial information, fingerprints and photos.
There are some kinds of information that are not personal information, for example information about:
Health information is generally excluded here as it is covered by the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act).
Part 2, Division 1 of the PPIP Act contains 12 Information Protection Principles (IPPs) with which NESA must comply. Here is an overview as they apply to us.
Only collect personal information for a lawful purpose, which is directly related to NESA’s activities and necessary for that purpose.
Only collect personal information directly from the person concerned, unless it is unreasonable or impracticable to do so.
Inform the person that you are collecting their personal information, why you are collecting it, what you will do with it and who else might see it. Tell the person how they can view and correct their personal information and any consequences that may apply if they decide not to provide their information to you.
Ensure that the personal information is relevant to the purpose for which it is collected and not excessive, that it is accurate and up-to-date and that the collection does not unreasonably intrude into the personal affairs of the person.
Store personal information securely, in accordance with this privacy management plan and NESA information security policies. Keep it no longer than necessary and dispose of it appropriately. It should also be protected from unauthorised access, use or disclosure.
Explain to the person what personal information about them is being stored, why it is being used and any rights they have to access it.
Allow the person to access their health information without unreasonable delay or expense. See the application form to request access to personal or health information (PDF 99KB).
Allow the person to update, correct or amend their health information where necessary. See the application form to request alteration of personal or health information (PDF 97.51KB).
Make sure that the personal information is relevant and accurate before using it.
Only use personal information for a purpose other than that for which it was collected if the person has given their consent, the purpose is directly related to the purpose for which it was collected or if it is necessary to prevent or lessen a serious and imminent threat to any person’s life or health. Other specific situations where personal information may be used are outlined under Exemptions.
Only disclose personal information if disclosure is directly related to the purpose of collection, or the person is reasonably likely to be aware the information is usually disclosed or with the person’s consent. Personal information can be disclosed without a person’s consent if it is necessary to prevent or lessen a serious and imminent threat to any person’s life or health. Other specific situations where personal information may be used are outlined under Exemptions.
Only disclose sensitive personal information, for example information about a person’s ethnic or racial origin, political opinions, religious or philosophical beliefs, sexual activities or trade union membership if it is necessary to prevent a serious and imminent threat to any person’s life or health.
Only disclose personal information outside NSW if there are similar privacy laws in that jurisdiction, or the disclosure is allowed under legislation, such as the PPIP Act, HRIP Act or the education and teaching legislation (Education Standards Authority Act 2013; Education Act 1990; Teacher Accreditation Act 2004 and respective regulations). NESA may also disclose information outside NSW if the disclosure will benefit the person, it is impracticable to obtain the person’s consent, and if NESA could obtain their consent, it is likely they would give it. For further details refer to Transborder Disclosures.
Some of the exemptions in the PPIP Act are listed in Sections 22-28 and include:
Section 23 of the PPIP Act provides exemptions relating to law enforcement and related matters. The term ‘law enforcement purposes’ refers only to criminal law enforcement, not breaches of professional standards or misconduct.
The exemption in Section 24 of the PPIP Act refers to investigative agencies, as defined in Section 3 of the Act, including the Ombudsman’s Office, ICAC and the HCCC, who are not required to comply with some of the IPPs if it would detrimentally affect those agencies’ complaint handling or investigative functions. The definition includes any NSW public sector agency with investigation functions, if those functions are exercisable under the authority of an Act or statutory rule and it may result in the agency taking or instituting disciplinary, criminal or other formal action or proceedings against a person or body under investigation.
The term ‘lawfully authorised’ in Section 25 of the PPIP Act has been found by various tribunal matters to include a number of issues, such as:
Although requirements under certain legislation enables the disclosure of personal information, staff must take care to only disclose the minimum amount of information required.
Where non-disclosure would prejudice the interests of the individual to whom the information relates or there has been express consent for another use or disclosure, Section 26 provides an exemption. Consent is only genuine if the person has the capacity to give or withhold consent. For consent to be valid it must be voluntary, informed, specific and current. Notifying the person of what NESA intends to do with their personal information is not express consent.
Section 27A of the PPIP Act provides an exemption relating to information exchanges between public sector agencies. Information can be provided to or by another public sector agency, if it is reasonably necessary:
This may arise in circumstances in which an application for a service has been submitted to one agency and action by another agency is needed to provide a response. Staff should if possible seek consent from the person involved, and/or ask for advice from the relevant agency’s Privacy Officer.
The Privacy Commissioner has released statutory guidelines on research in relation to health information under HPP 11(1)(f) of the HRIP Act and in relation to personal information under Section 27B of the PPIP Act. If a research proposal will involve both health and non-health personal information, then both guidelines must be followed.
Both sets of guidelines require that in order to use or disclose information for research, the research must be in the public interest and that a properly constituted Human Research Ethics Committee (HREC) has determined that the public interest in the proposed research 'substantially outweighs' the public interest in privacy.
Five criteria must be met to collect, use or disclose personal information relying on the Section 27B exemption for personal information:
The HRIP Act sets out how NESA must manage health information.
Health information is a more specific type of personal information and is defined in s6 of the HRIP Act. Health information can include information about a person’s physical or mental health such as a psychological report, blood tests or an X-ray, or information about a person’s medical appointment. It can also include personal information that is collected to provide a health service, such as a name and contact number on a medical record.
Schedule 1 to the HRIP Act contains 15 Health Privacy Principles (HPPs) that NESA must comply with. Here is an overview of them as they apply to us:
Only collect a person’s health information for a lawful purpose, which is directly related to NESA’s activities and necessary for that purpose.
Ensure that the health information collected is relevant, accurate, up-to-date and not excessive and that the collection does not unreasonably intrude into the personal affairs of the individual.
Only collect health information directly from the person concerned, unless it is unreasonable or impracticable to do so.
Inform the person why you are collecting their health information, what will be done with it and who else might access it. Tell the person how they can access and correct their health information and any consequences that may apply if they decide not to provide it.
Store health information securely. Keep it no longer than necessary and dispose of it appropriately. It should also be protected from unauthorised access, use or disclosure.
Explain to the person what health information about them is being stored, why it is being stored and any rights they have to access it.
Allow the person to access their health information without unreasonable delay or expense. See the application form to request access to personal or health information (PDF 99KB).
Allow the person to update, correct or amend their health information where necessary. See the application form to request alteration of personal or health information (PDF 97.51KB).
Make sure that the health information is relevant and accurate before using it.
Only use health information for the purpose for which it was collected, or for a directly related purpose that the person would expect. Otherwise you would generally need their consent to use the health information for a secondary purpose.
Only disclose health information for the purpose for which it was collected or a directly related purpose that a person would expect (unless one of the exemptions in HPP 11 applies). Otherwise you would generally need separate consent.
Only identify people by using unique identifiers if it is reasonably necessary to carry out your functions efficiently.
Give the person the option to receive services from you anonymously, where this is lawful and practicable.
Only transfer health information outside NSW or to the Commonwealth in accordance with HPP 14, where
Only use health records linkage systems (to link health records across more than one agency or organisation) if the person has provided or expressed their consent. There are instances when NESA are lawfully authorised not to comply with HPP15, or where non-compliance is otherwise permitted under an Act or other law, or the use complies with HPP 10(1)(f) and the disclosure complies with HPP 11(1)(f), (reasonably necessary for research purposes).
Exemptions are located mainly in Schedule 1 to the HRIP Act and may allow NESA not to comply with the HPPs in certain situations.
Some of these include:
A person may give us consent to not comply with any or some of the HPPs in particular circumstances.
It is a criminal offence, punishable by up to two years’ imprisonment for NESA staff to:
Part 8 of the PPIP Act and part 8 of the HRIP Act provide further details about offences regarding personal and health information.
Section 308H of the Crimes Act 1900 provides that it is an offence to access or modify computer records for purposes that are not connected with the duties of the person.
Following are the main laws that affect how NESA complies with the IPPs and HPPs.
The following policies and procedures support compliance with the Act:
In addition to this privacy management plan, NESA has a data breach policy that sets out NESA’s approach to managing a data breach. The policy outlines procedures used by NESA to ensure compliance with the requirements of the Mandatory Notification of Data Breach (MNDB) Scheme under Part 6A of the PPIP Act, including those related to assessment and notification.
The data breach policy provides guidance for NESA staff when responding to a breach of NESA-held data and contains five key steps:
All NESA staff members should notify their manager immediately and refer to the data breach policy if they suspect a data breach may have occurred.
Under Section 16 of the Education Standards Authority Act 2013, NESA can enter into an information sharing arrangement with a relevant agency to share or exchange any information that is held by the Authority or the agency. Information is limited to that which assists in the exercise of the functions of NESA or the Minister under the education and teaching legislation or of the agency concerned, data relating to the teaching workforce, or research on issues relating to teacher quality. Relevant agencies include:
The Data Sharing (Government Sector) Act 2015 (DS Act) enables sharing of government sector data with the Data Analytics Centre (DAC) and between other government sector agencies, for certain purposes. These include allowing the government to carry out data analytics to identify issues and solutions to better develop policy, program management, and service planning and delivery. The DS Act includes privacy protection as a safeguard in sharing data between agencies and with the DAC, both when information is shared voluntarily or at the direction of the Minister.
NESA is required to ensure that health and/or personal information contained in the data that is shared complies with privacy legislation. NESA are also obliged to ensure that any confidential and commercial-in confidence information contained in the data to be shared complies with any contractual or equitable obligations of the data provider concerning how it is dealt with.
Before responding to a request from DAC to provide information, staff should consult internally with the Access and Privacy Officer to obtain relevant advice. NESA may also ask the NSW Privacy Commissioner to guide us on the best way to comply with the request for information whilst upholding the IPPs and HPPs.
NESA may receive a request for personal or health information from another agency, such as NSW Police, the Ombudsman’s Office, ICAC or others. When such a request is made NESA ask for it in writing, either on letter-head or via email with sufficient details to identify the agency and requestor and for the request to nominate a contact person. Before releasing information to the other agency, NESA check the legislation relied upon to authorise the provision of information and usually contact the nominated officer by phone. If there is any doubt about the legitimacy of the request, staff should check with the Access and Privacy Officer, or contact the agency that made the request.
Section 19(2) of the PPIP Act provides additional requirements to disclosure of information outside of New South Wales and the NSW Privacy Commissioner has provided Guidance on this Section (Office of the Privacy Commissioner NSW, “Guidance: Transborder Disclosure Principle – the new Section 19(2), 30 June 2016). Where information needs to be disclosed outside the NSW jurisdiction or to a Commonwealth agency, additional criteria must be met, including that the recipient is subject to a privacy law that upholds principles for dealing with information in similar terms to the information protection principles.
Before any personal information is disclosed outside of NSW, staff should make enquiries with the recipient to ensure they have similar privacy laws. NESA may also draw up an agreement that meets the requirements of Section 19(2) of the PPIP Act or obtain legal advice.
A Privacy Impact Assessment (PIA) is a way of assessing the impacts on privacy of a project (including activities, products, policies, proposals or other initiatives) and, in consultation with stakeholders, of taking remedial actions to avoid or minimize negative impacts.
It may not be possible to eliminate or mitigate every identified risk, but ultimately a judgement will be made about whether the risk posed to privacy will be outweighed by the public benefit derived from a project.
Privacy risks can be avoided or mitigated by:
The greater the project’s complexity and privacy scope, the more likely it is that a PIA is required to identify and manage its privacy impacts. To know if a PIA is required, staff should talk to the Access and Privacy Officer for guidance about conducting a threshold assessment, which will determine if a PIA is necessary and can guide decisions about the scale and scope of a PIA if it is required. See Guide to Privacy Impact Assessments in NSW for more information.
NESA is obliged to provide a notification or privacy statement when personal or health information is collected from individuals, which explains what information NESA are collecting and for what purpose. The PPIP Act mandates certain minimum requirements for privacy notices and staff are encouraged to contact the Privacy Officer.
If an individual’s personal or health information is to be used or disclosed for a purpose not directly related to the primary purpose of collection, or a purpose not authorised by law or permitted under an exemption, their consent should be specifically sought.
For further details refer to the Information and Privacy Commissioner’s Guidance on Consent.
Privacy Officer
Email: privacy@nesa.nsw.edu.au
Post: GPO Box 5300, Sydney NSW 2001
Phone: +61 2 9367 8111
Address: Level 4, 117 Clarence Street, Sydney NSW 2000
Request accessible format of this publication.
