Privacy management plan
The Department of Creative Industries, Tourism, Hospitality and Sport (the ‘Department’ or DCITHS) has developed this Privacy Management Plan to demonstrate and ensure that our organisation applies the correct procedures to manage the personal information of our stakeholders and staff.
Executive Summary
All NSW Government agencies are required to have a privacy management plan under section 33 of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).
The purpose of this Plan is to:
- demonstrate to the people of New South Wales how the Department upholds and respects the privacy of its staff and all those who deal with DCITHS
- explain how we manage personal information in line with the PPIP Act and health information in line with the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act)
- provide guidance and training for DCITHS staff in dealing with personal and health information. This helps to ensure that we comply with the PPIP Act and HRIP Act (together, the Acts).
This Plan indicates that DCITHS takes the privacy of its staff and the people of NSW seriously and we will protect privacy with the use of this Plan as a reference and guidance tool.
All overseas trade employees of DCITHS should, in addition to complying with this Plan, consider and, if necessary, seek advice from DCITHS Legal on any local law implications.
1. Introduction
This Plan has been developed by DCITHS as per section 33 of the PPIP Act.
This Plan identifies:
- the types of personal and health information (as defined at 2.3) that DCITHS holds or is responsible for
- the policies and practices used by DCITHS to comply with the Acts
- how details of those policies and practices are made known to staff of DCITHS and all engaged by the Department
- how DCITHS conducts Internal Reviews under section 53 of the PPIP Act.
1.1. The role and functions of DCITHS
DCITHS drives the New South Wales (NSW) Government’s commitment to economic transformation.
Growing investment and creating new jobs throughout NSW, DCITHS brings together enterprise and trade, tourism and hospitality, sports and the arts and Western Sydney to ensure NSW is the best place in the world to live, work, invest, visit, study, grow and play.
DCITHS propels the delivery of investment, business and lifestyle opportunities, by attracting and supporting innovative and prosperous industries and helping NSW business go global. Further information can be found on DCITHS’s website.
DCITHS collects, holds, uses and discloses personal and health information for the purpose of carrying out its functions. For instance, DCITHS may handle personal and health information for the purpose of:
- managing correspondence on behalf of cluster Ministers’ offices, and also the Premier and Deputy Premier;
- human resources management;
- recruitment;
- complaints handling; and
- managing applications for Government information (meaning information contained in a record held by the agency) under the Government Information (Public Access) Act 2009 (GIPA Act).
DCITHS takes the privacy of its staff and the people of NSW seriously and we will protect privacy with the use of this Plan as a reference and guidance tool.
2. Personal and Health Information
2.1. Definitions
Collection is the method by which DCITHS acquires the information. This can be completed by any means including a written form; a verbal conversation; an online form; or taking a picture or video.
Disclosure is how DCITHS provides the personal or health information to an individual or body outside DCITHS. This includes the sharing of personal or health information with other public service agencies.
Personal information is information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion (section 4 of the PPIP Act).
Health information is any personal information that is information or an opinion about a person’s physical or mental health or disability or the provision of health services to them, including an individual’s express wishes about the future provision of health services to them. It also includes genetic information that is or could be predictive of the health of a person or their genetic relative, as well as any personal information that was collected to provide, or in providing, a health service, or in connection with the donation of body parts, organs or body substances (section 6 of the HRIP Act).
2.2. Exclusions from the definition
Both the Acts exclude from the definition of personal and health information, information which:
- relates to a person who has been dead for more than 30 years; or
- is contained in a publicly available publication; or
- refers to a person’s suitability for employment as a public sector official.
2.2.1. Information in a publicly available publication
The definitions exclude information about named or identifiable people which is published in newspapers, books or the internet, broadcast on radio or television, posted on social media (such as Facebook or Twitter) or made known at a public event. Because such information is publicly available, it cannot be protected from use or further disclosure.
2.2.2. Employment-related information
Information referring to suitability for employment as a DCITHS member of staff (such as selection reports and references for appointment or promotions, or disciplinary records) is excluded from the definitions and therefore from the provisions of the Acts.
Such information is still stored, secured, used and disclosed by DCITHS with the same care as if it were protected by the Acts.
Other employee-related personal information is protected by the Acts.
For example, records or information about work activities, such as video or photographs of staff in their workplace, are protected and may only be used in compliance with the Acts’ provisions.
Other examples of work-related personal and health information are staff training records, leave applications and attendance records. All these are within the scope of the definitions and are protected by the Acts.
2.3. Types of personal and health information held by DCITHS
2.3.1. Employee records
Employee records for staff of DCITHS are held by the Department and GovConnect. This information includes, but is not limited to:
- records of dates of birth, addresses and contact details;
- payroll, attendance and leave records;
- performance management and evaluation records;
- training records;
- workers compensation records;
- work health and safety records; and
- records of gender, ethnicity, and disability of employees for equal employment opportunity recording purposes.
An employee of DCITHS may access their own file under the supervision of People & Culture (P&C) staff.
Apart from the employee the file relates to, the members of the P&C team at DCITHS are the only other members of the Department that have authorised access to personnel files.
Employee records are stored in soft copy in the SAP system and Objective files, maintained by GovConnect. These records include leave records, payroll processing information, leave accruals, medical certificates, and parental leave information.
People and Culture (P&C) also maintains separate personnel files in the Objective document management system for all current employees. These files include contracts, remuneration details, and any ongoing case being managed by P&C (such as conduct investigations and Work Cover claims). Access to these personnel files is controlled and limited only to authorised P&C employees.
DCITHS has an agreement with GovConnect, managed through the Department of Customer Service (DCS), that affects how GovConnect handles employee records in the SAP and Objective systems.
GovConnect is formed by two outsourced vendors managed by the Service Management Office, a division of DCS. Corporate services functions are managed by Infosys (Human Resources and Finance) and Unisys (Information Technology) on behalf of DCITHS. Therefore, GovConnect holds and is responsible for more detailed personal and health information about DCITHS staff, such as recruitment, payroll and leave records.
The Service Partnership Agreement between DCITHS and GovConnect notes that GovConnect will have access to information from and about DCITHS in the course of business, and that GovConnect is bound to comply with the PPIP Act.
2.3.2. Information collected relating to conflict of interest
DCITHS staff are required to disclose any actual, potential, or perceived conflicts of interest as part of the onboarding process. This information is reviewed and updated regularly, and as any conflicts arise or change.
2.3.3. Digital images
DCITHS holds digital images of all staff members which are used for the production of staff identification cards and other internal uses including publication on DCITHS’s intranet.
2.3.4. Contact Details
DCITHS holds contact details of various third parties, including for:
- government agency CEOs, members of inter-departmental working groups and similar, members of government boards and advisory committees;
- stakeholders participating in stakeholder consultation forums;
- businesses and individuals involved in DCITHS’s programs and schemes;
- businesses and individuals attending DCITHS hosted events and some business familiarisation programs;
- businesses and individuals that have registered for DCITHS’s newsletter and collaboration/networking platforms;
- businesses and individuals that have registered on DCITHS hosted procurement systems;
- businesses and individuals that are suppliers on DCITHS managed contracts and schemes;
- businesses and individuals that have applied to DCITHS for funding, grants or other assistance and/or services;
- businesses and individuals that have responded to a call for submissions on a particular project;
- individuals participating in surveys and community engagement events;
- individuals who have made a complaint, enquiry, compliment or suggestion through DCITHS’s websites or other mechanisms; and
- individuals who have made formal access applications under the GIPA Act.
DCITHS uses the contact details for the purposes for which they were collected. DCITHS does not use this information to contact people for secondary purposes, such as for unrelated marketing purposes. For example, where contact details have been provided as part of an enquiry made to DCITHS, those contact details will only be used in managing and responding to that enquiry and will not be used for any other purpose unless the individual concerned has expressly consented to that secondary use.
2.3.5. Identification documents
In some circumstances, DCITHS may hold identification documents for certain individuals. These documents are usually collected where individuals are required to prove their identity to access certain services or programs of DCITHS and are attached to the application or form. Proof of identity documents may also be required when making applications for information under the GIPA Act or PPIP Act.
2.3.6. Correspondence records
DCITHS holds the following correspondence records:
- contact details of people who have written to or emailed DCITHS or its responsible Ministers;
- details of the nature of their correspondence, which can include sensitive personal information about matters such as ethnicity, religion, health conditions, sexuality;
- copies of replies to correspondence; and
- records of to whom, if anyone, their correspondence was referred.
This information is only used for the purpose of communicating a reply to the correspondent either from DCITHS or the relevant Minister’s Office. Once a matter has been progressed and processed, it is closed and filed accordingly on relevant files stored and secured by GovConnect, as the Agency’s primary provider of records management services.
3. The Privacy Principles
3.1. Applying the privacy principles in NSW
DCITHS is guided by the principles in sections 8 to 19 of the PPIP Act and Schedule 1 of the HRIP Act.
Sections 8 to 19 of the PPIP Act provide set privacy standards that public sector agencies are expected to follow when dealing with personal information. They are the information protection principles (IPPs), and they govern the collection, retention, accuracy, use and disclosure of personal information, including rights of access and correction.
3.2. Liability and offences
It is important that all DCITHS staff understand the Information Protection Principles and the Health Privacy Principles set out below. Part 8 of the PPIP Act and the HRIP Act contain criminal offences applicable to DCITHS’s staff who use or disclose personal or health information without authority. For example, there are criminal offences relating to:
- the corrupt disclosure and use of personal and health information by public sector officials; and
- offering to supply personal or health information that has been disclosed unlawfully.
DCITHS has policies and privacy controls to minimise the risk of staff committing an offence. For example:
- DCITHS’s Code of Conduct has specific provisions on privacy obligations, including in relation to the authorised access, disclosure and storage of personal information. The Code also has provisions on the handling of information, including in relation to the confidentiality, misuse and security of information, and on records management; and
- DCITHS’s Information Management Security Policy has provisions on information access and security, including that access to information and records held by ‘sensitive areas’ should be limited, and that staff must use information on a ‘need to see basis’.
DCITHS also provides compulsory privacy training to staff to ensure they are aware of their responsibilities in handling personal information appropriately.
Below is an overview of the IPPs:
12 Information Protection Principles

| Stage | Principle |
|---|---|
| Collection | 1. Lawful – We only collect personal information for a lawful purpose that is directly related to our functions and activities |
| Collection | 2. Direct – We collect personal information from the person concerned |
| Collection | 3. Open – When collecting personal information, we inform people why their personal information is being collected, what it will be used for, to whom it will be disclosed, how they can access and amend it and any possible consequences if they decide not to give it to us |
| Collection | 4. Relevant – When collecting personal information, we ensure it is relevant, accurate, not excessive, and does not unreasonably intrude into people’s personal affairs |
| Storage | 5. Secure – We store personal information securely, keep it no longer than necessary, destroy it appropriately, and protect it from unauthorised access, use or disclosure |
| Access | 6. Transparent – We are transparent about personal information that is stored, what it is used for and people’s right to access and amend it |
| Access | 7. Accessible – We allow people to access their own personal information without unreasonable delay or expense |
| Access | 8. Correct – We allow people to update, correct or amend their personal information where necessary |
| Use | 9. Accurate – We make sure that personal information is relevant and accurate before using it |
| Use | 10. Limited – We only use personal information for the purpose it was collected for unless the person consents to the information being used for an unrelated purpose |
| Disclosure | 11. Restricted – We will only disclose personal information with people’s consent unless they were already informed of the disclosure when the personal information was collected |
| Disclosure | 12. Sensitive – We do not disclose sensitive personal information (such as ethnicity or racial origin, political opinion, religious or philosophical beliefs, health or sexual activities, or trade union membership) without consent |
Schedule 1 of the HRIP Act provides a similar set of privacy standards for health information. They are the health privacy principles (HPPs), and they are largely the same as the IPPs, but without an equivalent to IPP 12 (Sensitive) and with other additional obligations and standards instead.
Below is an overview of the HPPs:
15 Health Privacy Principles

| Stage | Principle |
|---|---|
| Collection | 1. Lawful – We only collect health information for a lawful purpose that is directly related to our functions and activities |
| Collection | 2. Direct – We collect health information from the person concerned unless it is unreasonable or impractical to do so |
| Collection | 3. Open – When collecting health information, we inform people why their health information is being collected, what it will be used for, to whom it will be disclosed, how they can access and amend it and any possible consequences if they decide not to give it to us |
| Collection | 4. Relevant – When collecting health information, we ensure it is relevant, accurate, not excessive, and does not unreasonably intrude into people’s personal affairs |
| Storage | 5. Secure – We store health information securely, keep it no longer than necessary, destroy it appropriately, and protect it from unauthorised access, use or disclosure |
| Access | 6. Transparent – We are transparent about health information that is stored, what it is used for and people’s right to access and amend it |
| Access | 7. Accessible – We allow people to access their own health information without unreasonable delay or expense |
| Access | 8. Correct – We allow people to update, correct or amend their health information where necessary |
| Use | 9. Accurate – We make sure that health information is relevant and accurate before using it |
| Use | 10. Limited – We only use health information for the purpose it was collected for unless: (a) the person has consented to its use for another purpose; (b) it is being used for a purpose directly related to the purpose it was collected for; (c) we believe that there is a serious threat to health or welfare; (d) it is for the management of health services, training, research or to find a missing person; or (e) it is for law enforcement or investigative purposes |
| Disclosure | 11. Restricted – We will only disclose health information for the purpose it was collected for unless: (a) the person has consented to its disclosure for another purpose; (b) it is being used for a purpose directly related to the purpose it was collected for; (c) we believe that there is a serious threat to health or welfare; (d) it is for the management of health services, training, research, compassionate reasons or to find a missing person; or (e) it is for law enforcement or investigative purposes |
| Other | 12. Identifiers – We do not use unique identifiers for health information, as they are not needed to carry out DCITHS’s functions |
| Other | 13. Anonymity – We allow people to stay anonymous if it is lawful and practical for them to do so |
| Other | 14. Transborder – We do not usually transfer health information outside of New South Wales |
| Other | 15. Linkage – We do not currently use a health records linkage system and do not anticipate using one in the future. If we were to use one in the future, we would not do so without people’s consent |
3.2.1. Collecting personal or health information (IPPs 1-4 and HPPs 1-4)
DCITHS will only collect personal or health information if it is:
- for a lawful purpose that is directly related to one of our functions; and
- reasonably necessary for DCITHS to have the information.
DCITHS will ensure that when personal and health information is collected from an individual, either verbally or in written forms, the individual will be advised accordingly. This will be in the form of a collection notice that will include the purpose of the collection; any intended recipients of the information (where applicable); their right to access and correct the information; and the details of any agency that is collecting or holding the information on DCITHS’s behalf (if applicable).
DCITHS also advises individuals if the collection is voluntary or if it is lawfully required and informs individuals of any penalties or other possible consequences for not complying with DCITHS’s request.
When collecting personal or health information from an individual, DCITHS endeavours to ensure that the information is relevant, accurate, up to date and complete for the purposes for which it is being collected. DCITHS will also endeavour to ensure that the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual, having regard to the purposes for which it is being collected.
Collection tips:
- When designing a form, ask yourself: “do we really need each bit of this information?”
- By limiting the collection of personal and health information to only what you need, it is much easier to comply with the principles.
- If collecting personal or health information about someone, collect it from that person directly to ensure accuracy and to obtain any permission for disclosure of the information.
- Do not ask for information that is not relevant.
- Be mindful of whether you are asking for information that is sensitive, such as about a person’s ethnicity or race, political opinions, religious or philosophical beliefs, trade union membership or sexual activities. Treat this information with extra care and seek advice before disclosing it.
- Individuals providing their personal or health information to DCITHS have a right to know the full extent of how the information they provide will be used and disclosed, and to choose whether or not they wish to go ahead with providing information on that basis.
- Think about whether you are collecting personal or health information from people living in the European Union (EU) with an intention of providing goods and services to them. If so, you might be subject to the EU’s General Data Protection Regulation (GDPR), in which case you should make sure your collection meets the requirements of Articles 13-14 of the GDPR. This includes where you are collecting information about, and tracking, web-based behaviour that originates from the EU.
3.2.2. Storing personal and health information (IPP 5 and HPP 5)
DCITHS takes reasonable security safeguards against the loss, unauthorised access, use, modification and disclosure of personal information.
DCITHS has in place information security policies which provide guidance to staff around the handling and storage of personal information. This includes the use of unique user accounts and passwords to access our computer systems. In accordance with DCITHS’s Information Management Security Policy, our staff do not give out passwords to anyone or let anyone else use their computer login.
DCITHS’s security measures further include the use of restricted drives and authorised access. For example, correspondence containing personal information is stored in DCITHS’s record management system with restricted access and editing privileges.
Personal information is kept for no longer than is necessary and is disposed of in a secure manner once no longer required, in accordance with government requirements.
Storage and security tips:
- Check that document privileges are kept only to staff who require access to action or approve a task; and
- Take reasonable steps to prevent any unauthorised use or disclosure of the personal information by a contractor or service provider. This should be done with appropriate privacy clauses in the relevant contract. Those clauses should bind our contractors to the same privacy obligations DCITHS has under the PPIP Act.
3.2.3. Accessing personal or health information (IPPs 6-8 and HPPs 6-8)
DCITHS aims to make it as easy as possible for individuals to access their own personal information. Generally, requests by an individual to access their personal or health information can be made on an informal basis.
DCITHS will endeavour to ensure that all personal and health information is accurate, complete and current. Further, should an individual become aware of, or detect an error in DCITHS’s records about their personal affairs, DCITHS will make the necessary changes.
If DCITHS disagrees with the person about whether the information needs changing, we must instead allow the person to add a statement to our records.
Access tips:
- People should be able to easily see or find out what information we hold about them.
- We should let complainants, clients and staff see their own personal and health information at no cost and through an informal request process.
- We cannot charge people to lodge requests for access or amendment of their own personal or health information. We can charge reasonable fees for copying or inspection, if we tell people what the fees are up-front.
3.2.4. Using personal and health information (IPPs 9-10 and HPPs 9-10)
DCITHS will only use personal or health information for the purposes for which it was collected or for other directly related purposes. At the time DCITHS collects personal or health information from an individual, they will notify the individual of the primary purpose for which the information is collected. DCITHS will also take reasonable steps to check the accuracy and relevance of personal or health information before using it.
For example:
- If the primary purpose of collecting a complainant’s information was to investigate their workplace grievance, directly related secondary purposes within the reasonable expectations of the person for which their personal information could be used by DCITHS would include independent auditing of workplace grievance files.
Use tips:
- Passing personal or health information from one officer within DCITHS to another may amount to using that information. Think about the reason you are passing the personal information on, and whether it is for the same (or a directly related) reason that the information was collected for.
- When collecting personal or health information, think about how the information might be used down the line. Are all the uses directly related to the purpose of collection? Make sure the use of the information is clear in any privacy notice accompanying the collection.
- When using personal or health information, think about the purpose for which it was collected. The primary purpose for which DCITHS has collected the information should have been set out in a privacy notice. If you want to use the information for any purpose other than that primary purpose, check with the DCITHS Legal team.
- Before using personal or health information, think about how long ago the information was given. Could it now be outdated or misleading? When was the last time the information was used? Are there any processes in place to allow individuals to amend outdated information? Are there regular check-ins with the individuals to update their information if circumstances have changed?
- Only provide personal information to a contractor or service provider if they really need it to do their job and remember to bind them to the same privacy obligations DCITHS has. This will help us prevent any unauthorised use of the personal information by that contractor or service provider.
- If the information you collected and intend to use is subject to the EU’s GDPR (see Collection Tips above for more information), make sure that consent for that use (if required) is specific, informed, and freely given. There is a difference between positive opt-in and compulsory acceptance of standard terms and conditions.
3.2.5. Disclosing personal or health information (IPPs 11-12 and HPP 11)
DCITHS will only disclose personal or health information if:
- at the time DCITHS collected their information, the person was given a privacy notice to inform them their information would or might be disclosed to the proposed recipient, and that disclosure is directly related to the purpose for which the information was collected,
- the person concerned has consented to the proposed disclosure, or
- an exemption applies (see section 3.2.6 for more information).
In addition to the above, DCITHS can also disclose personal information (but not health information) if the person was notified of the disclosure at the time of collection – even if the purpose of that disclosure is not directly related to the purpose of collection. Notification of the disclosure is not enough in the case of health information unless the purpose of that disclosure is also directly related to the purpose of collection.
If an individual’s personal or health information is disclosed to other NSW public sector agencies, those agencies can only use information for the purpose for which it was disclosed to them. The information continues to be covered by the Acts.
Disclosure tips:
- You can usually disclose information if the person was notified about that disclosure at the time their personal information was collected. When disclosing personal information, try to track down the point that it was collected and see if the disclosure you are intending to make was referred to in an accompanying privacy notice.
- However, if DCITHS did not tell the person about the proposed disclosure in a privacy notice, or if it is health information being used for an unrelated secondary purpose or DCITHS wants to send health information outside of New South Wales, you will usually need to seek the individual’s consent.
- When collecting personal or health information, think about how the information might be disclosed – to whom and for what purpose – and make sure to include this in the privacy notice.
- Only provide personal information to a contractor or service provider if they really need it to do their job and remember to bind them to the same privacy obligations DCITHS has. This will help us prevent unauthorised disclosure of the personal information by the contractor or service provider.
- If the information you collected and intend to disclose is subject to the EU’s GDPR (see Collection Tips above for more information), make sure that consent for that disclosure (if required) is specific, informed, and freely given. There is a difference between positive opt-in and compulsory acceptance of standard terms and conditions.
3.2.6. Exemptions
There are a number of exemptions to the IPPs that limit their coverage in a number of ways including:
- exchanges of information which are reasonably necessary for the purpose of referring inquiries between agencies (section 27A(b)(ii) of the PPIP Act);
- disclosure relating to law enforcement and related matters (section 23 of the PPIP Act);
- disclosure that would detrimentally affect complaint-handling or investigative functions (section 24 of the PPIP Act); and
- where non-compliance is lawfully authorised or required or otherwise lawfully permitted (section 25 of the PPIP Act).
Some additional exceptions apply to the collection, use and disclosure of health information, including for compassionate reasons, research, training and the management of health services. Information about which exceptions apply to each HPP can be found in Schedule 1 of the HRIP Act.
4. Code of Practice and PPIP section 41 Directions
Under the PPIP Act, Privacy Codes of Practice can be developed by agencies that provide for the modification of the application of one or more IPPs to particular activities or categories of information.
This is undertaken to take account of particular circumstances relating to legitimate use of personal information by agencies that might otherwise be in contradiction to the IPPs under the PPIP Act.
The Information and Privacy Commission can also prepare Codes of Practice common to a number of agencies. All Codes are approved by the NSW Attorney-General.
In addition, under section 41 of the PPIP Act the Privacy Commissioner may make a direction to waive or modify the requirement for an agency to comply with an IPP.
4.1. Privacy Code of Practice for the Public Service Commission
The NSW Public Service Commission has developed a Privacy Code of Practice for the Public Service Commission to allow analysis and reporting about employment characteristics.
DCITHS provides personal information to the NSW Public Service Commission for this purpose. Confidentiality and privacy arrangements underpin the workforce profile.
5. Public Registers
Under section 3(1) of the PPIP Act, a Public Register is defined as ‘a register of personal information that is required by law to be, or is made, publicly available or open to public inspection (whether or not on payment of a fee).’
The PPIP Act requires that a public sector agency responsible for keeping a Public Register must not disclose any personal information contained in it unless the agency is satisfied that it is to be used for a purpose relating to the purpose of the register.
When collating personal information required for any Public Registers, DCITHS will only disclose this personal information where it is satisfied that the disclosure is for a purpose which relates to the register.
6. How to Access and Amend Personal Information
People have the right to access, amend and update personal information that DCITHS holds about them.
Under sections 13 and 14 of the PPIP Act, DCITHS must assist a person to find out what personal and health information it holds about them, and then provide access to this information without excessive delay. DCITHS does not charge any fees to access or amend personal or health information.
DCITHS encourages staff wanting to access or amend their own personal or health information to contact the Department’s P&C Branch.
For members of the public, a request for access to any personal information held by DCITHS should be made in writing to the DCITHS legal team (see below - Further Information and Contacts).
Any person can make a formal application to the DCITHS and this application should:
- include the person’s name and contact details (postal address, telephone number and email address if applicable);
- explain what the person is seeking, such as whether the person is enquiring about the personal information held about them, or whether the person is wishing to access and amend that information; and
- if the person is seeking to access or amend their information:
  - explain what personal or health information the person wants to access or amend; and
  - explain how the person wants to access or amend it.
DCITHS aims to respond in writing to formal applications within 20 business days and will advise the applicant how long the request is likely to take, particularly if it may take longer than expected.
7. Internal Review
Where DCITHS engages in certain conduct that adversely and unduly impacts an individual, that individual is entitled to seek internal review of the conduct. Conduct involving or claimed to involve any of the following is reviewable:
- the contravention by DCITHS of an IPP or HPP that applies to DCITHS;
- the contravention by DCITHS of a privacy code of practice or health privacy code of practice that applies to DCITHS; and
- the disclosure by DCITHS of personal information kept on a Public Register.
DCITHS encourages individuals to try to resolve privacy issues informally before going through the review process, or to at least contact the DCITHS General Counsel to discuss the issue before lodging an internal review.
An individual should remember that they have six months from when they become aware of the conduct to seek an internal review. The six month timeframe continues to apply even if attempts are being made to resolve privacy concerns informally. An individual may wish to consider this timeframe in deciding whether to make a formal request for internal review or continue with informal resolution.
7.1. Request for Internal Review
An individual who considers they have been unduly impacted by DCITHS’s conduct can contact DCITHS to try and resolve the issue informally. Alternatively, or if no informal resolution can be reached, individuals can also make a complaint to DCITHS under section 53 of the PPIP Act and request a formal internal review of DCITHS’s conduct in relation to the privacy matter (Internal Review).
Applications for Internal Review must:
- be in writing addressed to DCITHS;
- include a return address in Australia; and
- be lodged with DCITHS within six months of the time the applicant first became aware of the conduct which is the subject of the application.
The form for applying for a review of conduct under section 53 of the PPIP Act is at Appendix B.
Requests for review must specify the alleged conduct by DCITHS which has resulted in a breach of the IPPs/HPPs or Code of practice applicable to DCITHS or disclosure of personal information from Public Registers held by DCITHS.
Applicants who are not satisfied with the findings of the review or the action taken by DCITHS in relation to the Internal Review have the right to apply for review by the NSW Civil and Administrative Tribunal (NCAT) under section 55 of the PPIP Act.
7.2. Internal Review Process
The Privacy Coordinator is responsible for receiving, allocating and overseeing Internal Reviews in relation to privacy matters. The Privacy Coordinator provides a single point for individuals seeking further information on how DCITHS complies with the Acts. The Privacy Coordinator will receive all correspondence and enquiries regarding the Acts, including any Internal Review requests.
The Privacy Coordinator’s role also includes monitoring, recording and reporting on the progress of all Internal Review applications received.
Within DCITHS, the responsibilities of the Privacy Coordinator are currently held by the DCITHS General Counsel.
Internal Reviews will generally be conducted by a delegated officer with no involvement in the matter giving rise to the complaint of breach of privacy (the Reviewing Officer). The delegated officer may seek legal or other assistance in conducting the review, including from the Privacy Coordinator.
Under section 54(1) of the PPIP Act, DCITHS is required to notify the NSW Privacy Commissioner of the receipt of an Internal Review application and keep the NSW Privacy Commissioner informed of the progress of the Internal Review. In addition, the NSW Privacy Commissioner is entitled to make submissions to DCITHS in relation to the application for Internal Review (section 54(2) of the PPIP Act).
Under section 53(6) of the PPIP Act, an Internal Review must be completed within 60 days of the receipt of the application.
Under section 53(8) of the PPIP Act, as soon as practicable, or in any event within 14 days, after the completion of the Internal Review, DCITHS must inform the applicant of the:
- findings of the review (and the reasons for those findings); and
- action proposed to be taken by DCITHS (and the reasons for taking that action); and
- right of the person to have those findings, and DCITHS’s proposed action, administratively reviewed by NCAT.
When DCITHS receives an Internal Review application, the Privacy Coordinator will send:
- an acknowledgment letter to the applicant, advising that if the Internal Review is not completed within 60 days, they have a right to seek a review of the conduct by NCAT; and
- a letter to the NSW Privacy Commissioner notifying them of the Internal Review application, with a copy of the application.
There is an example of a letter of notification to the Privacy Commissioner of receipt of an application for an Internal Review.
The Reviewing Officer responsible for completing the final determination must consider any relevant material submitted by the applicant or the NSW Privacy Commissioner. Before completing the Internal Review, the Reviewing Officer should send a draft copy of the preliminary determination to the NSW Privacy Commissioner to invite any submissions.
DCITHS follows the model of the Internal Review process provided by the NSW Information and Privacy Commission (Appendix C).
In finalising the determination, the Reviewing Officer will prepare a report containing their findings and recommended actions.
DCITHS may:
- take no further action on the matter;
- make a formal apology to the applicant;
- take appropriate remedial action, which may include the payment of monetary compensation to the applicant;
- undertake that the conduct will not occur again; and/or
- implement administrative measures to ensure that the conduct will not occur again.
The Reviewing Officer will notify the applicant in writing of:
- the findings of the review;
- the reasons for the finding, described in terms of the IPPs and/or the HPPs;
- any action DCITHS proposes to take;
- the reasons for the proposed action (or no action); and
- their entitlement to have the findings and the reasons for the findings reviewed by NCAT.
7.3. Retention of Internal Reviews
DCITHS retains all applications for Internal Review in a secure Objective file and workflow. The workflow tracks the progress of the Internal Review process and the determination of the completed review.
The details retained in this system will provide the statistical information on Internal Review applications to be included in DCITHS’s Annual Report.
7.4. Extensions of time for lodgement
While the PPIP Act allows six months to apply for an internal review from the time the applicant first becomes aware of the conduct, DCITHS may accept late applications.
Possible acceptable reasons for delay may be:
- the applicant’s ill-health or other reasons relating to capacity, or
- the applicant only recently becoming aware of his or her right to seek an internal review, or the applicant reasonably believing that he or she would suffer ill-effects as a result of making an application at an earlier time.
However, late applications that cannot be investigated in a meaningful way because of their delay will be declined. In these cases, witnesses may no longer be available, documents may have been destroyed, and memories may have faded.
Final decisions on the acceptance of late applications will only be made by DCITHS’s General Counsel, or under his or her delegation. Where the decision is made not to accept an application because of delay, the reason will be explained in a letter to the applicant.
8. External Review
External review processes are also available through the Privacy Commissioner and NCAT.
8.1. Complaints to the Privacy Commissioner
Any individual who considers his or her privacy has been breached can make a complaint to the Privacy Commissioner under section 45 of the PPIP Act and this complaint can be made without going through the Internal Review process of DCITHS. The complaint must be made within 6 months (or such later time as the Privacy Commissioner may allow) from the time the individual first became aware of the conduct or matter the subject of the complaint.
However, the Privacy Commissioner can decide not to deal with the complaint if it would be more appropriately dealt with as an Internal Review by DCITHS (section 46(3)(e) of the PPIP Act).
8.2. Administrative Review by NCAT
If the applicant is not satisfied with the outcome of DCITHS’s Internal Review, they may apply to NCAT to review the decision. If DCITHS has not completed the Internal Review within 60 days, the applicant can also take the matter to NCAT.
A person must seek an Internal Review before they have the right to seek an external review with NCAT (section 55(1) of the PPIP Act).
To seek review by NCAT, the individual must apply within 28 days from the date of the Internal Review decision or within 28 days of the Internal Review not being completed within 60 days.
NCAT has the power to make binding decisions on an external review (section 55(2) of the PPIP Act). For more information including current forms and fees, please contact NCAT:
Website: https://www.ncat.nsw.gov.au/
Phone: 1300 006 228
Post: PO Box K1026, Haymarket NSW 1240
Visit: NSW Civil and Administrative Tribunal
Administrative and Equal Opportunity Division
Level 10 John Maddison Tower
86-90 Goulburn Street
Sydney NSW 2000
NCAT cannot give legal advice; however, the NCAT website has general information about the process it follows and legal representation.
9. Data breaches
Data breaches may cause significant disruption and damage to individuals whose personal information has been affected, and compromise DCITHS’s ability to serve the public and its stakeholders. Good data breach management will assist in minimising all of these harms and reduce the likelihood and severity of future data breaches.
The DCITHS Data Breach Policy (Policy) outlines the procedures and practices DCITHS must follow in relation to detecting, assessing, managing and responding to data breaches and, if relevant, notifying and reporting ‘eligible data breaches’ in accordance with the Mandatory Notification of Data Breach Scheme (the MNDB Scheme) under Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).
The MNDB Scheme requires DCITHS to notify the Privacy Commissioner and affected individuals of certain data breaches, being those likely to result in ‘serious harm’.
What is a data breach?
A data breach is an incident in which there has been unauthorised access to, unauthorised disclosure of, or loss of, personal information held by (or on behalf of) DCITHS or any accidental or unlawful destruction or alteration of personal information held by (or on behalf of) DCITHS.
Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of potential and actual harms (including serious harm) to individuals and agencies.
What is an eligible data breach?
If there are reasonable grounds to believe that the data breach has resulted in, or is likely to result in, serious harm to one or more of the individuals to whom the information relates, the data breach is an ‘eligible data breach’.
‘Serious harm’ occurs where the harm arising from the eligible data breach has, or may, result in a real and substantial detrimental effect to the individual. The effect on the individual must be more than mere irritation, annoyance or inconvenience. Harm to an individual includes serious physical, psychological, emotional, financial or reputational harm. Examples of harms include identity theft, financial loss or blackmail, threats to personal safety, loss of business or employment opportunities, humiliation, stigma, embarrassment, damage to reputation or relationships, discrimination, bullying, marginalisation, or other forms of disadvantage or exclusion.
Assessment of the likelihood of serious harm from a data breach is an objective test: ‘likely to result’ means that serious harm to an individual is more probable than not. The question is whether an individual would be likely to suffer serious harm as a result of their personal information being lost, or subject to unauthorised access or unauthorised disclosure.
If a data breach is assessed as an eligible data breach, then, in accordance with procedures and the MNDB Scheme, DCITHS will notify the Privacy Commissioner and affected individuals where required.
Data breach response and reporting
DCITHS will consider a number of factors in assessing a data breach including the NSW Privacy Commissioner’s statutory guidelines. In summary, DCITHS will engage the following steps in response to all data breaches:
Step 1: Contain the data breach and conduct a preliminary assessment
Step 2: Evaluate and mitigate the risks associated with the data breach
Step 3: Notify and communicate
Step 4: Prevent future data breaches
Step 5: Record keeping requirements
DCITHS will maintain an internal register of all eligible data breaches impacting DCITHS and maintain a public notification register on the DCITHS website.
The Policy provides detailed guidance on these steps and on the approach and procedures DCITHS applies in responding to data breaches. The Policy is published separately as the DCITHS Data Breach Policy.
10. Promoting the Plan
10.1. Executive and Governance
DCITHS’s executive leadership team is committed to transparency in relation to compliance with the Acts. The leadership team reinforces transparency and compliance with the Acts by:
- endorsing this Plan and making it publicly available;
- reviewing and updating the Plan every three years; and
- reporting on privacy issues in the DCITHS’s Annual Report in line with the Annual Reports (Departments) Act 1985 (NSW).
10.2. Staff Awareness
To ensure that DCITHS staff are aware of their rights and obligations under the Acts, DCITHS will:
- publish this Plan and additional material in a prominent place on the DCITHS intranet and website. Publication of this Plan on the website also educates members of the public about their privacy rights in relation to personal and health information held by DCITHS;
- introduce this Plan as part of our staff induction with training provided as required to raise awareness and appreciation of the privacy requirements;
- provide refresher, and on-the-job training;
- highlight and promote the Privacy Management Plan;
- provide privacy briefing sessions at appropriate management forums; and
- notify staff of the privacy offence provisions.
11. Further information and contacts
For further information about this Plan, the personal and health information DCITHS holds, or if you have any concerns, please contact the Privacy Coordinator of DCITHS:
General Counsel
DCITHS
Level 9, 52 Martin Place
Sydney NSW 2001
Email: information@enterprise.nsw.gov.au
For more information on privacy rights and obligations in New South Wales, please contact the NSW Privacy Commissioner at:
NSW Information and Privacy Commission
Level 17, 201 Elizabeth Street
Sydney NSW 2000
Phone: 1800 472 679
Web: www.ipc.nsw.gov.au
Email: ipcinfo@ipc.nsw.gov.au
Variation
Last review date: December 2023
Next revision: December 2024