Fact Sheet - IPC Privacy Statement of Jurisdiction

This fact sheet appears below or can be viewed and downloaded here: Fact Sheet - IPC Privacy Statement of Jurisdiction, May 2019.

This fact sheet has been developed to help citizens understand the Information and Privacy Commission’s (IPC) privacy jurisdiction in NSW, how their privacy is protected, and what to do if they think their privacy has been breached.

What is the NSW Privacy Commissioner’s jurisdiction?

The NSW Privacy Commissioner oversees two main privacy laws. They are:

  • The Privacy and Personal Information Protection Act 1998 (PPIP Act), and
  • The Health Records Information Privacy Act 2002 (HRIP Act)

The PPIP Act protects your personal information, whereas the HRIP Act protects your health information.

Both Acts aim to protect your privacy by setting out obligations for dealing with your information properly, and allowing you to complain if you think your privacy has been breached.

Other federal and NSW laws may also be relevant to privacy issues, including, but not limited to:

However, the NSW Privacy Commissioner does not have jurisdiction in relation to these laws and can only deal with privacy issues that arise under the PPIP and HRIP Acts.

What is the difference between my personal information and my health information?

Personal information is any information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. Personal information includes:

  • information or an opinion which is part of a database,
  • information or an opinion which may not be recorded in a material form,
  • a written record which may include your name, address and other personal details about you,
  • photographs, images, video or audio footage of individuals, and
  • a person’s fingerprints, blood or DNA samples.

Health information is a type of ‘personal information’ that is information or an opinion about:

  • an individual’s physical or mental health or disability,
  • an individual’s express wishes about the future provision of health services, or
  • a health service provided or to be provided to a person.

Health information also means other personal information:

  • collected to provide or in providing a health service,
  • collected in connection with the donation, or intended donation, of body parts, organs or body substances,
  • that is genetic information about an individual arising from a health service provided in a form that is or could be predictive of the health of the individual or of a genetic relative of the individual, or
  • healthcare identifiers (i.e. usually a number assigned to individuals and healthcare providers).

Who is bound by the NSW PPIP and HRIP Acts?

NSW public sector agencies are bound by both the PPIP Act and HRIP Act. This includes:

  • state government agencies,
  • local councils,
  • universities, and
  • Ministers and Minister’s offices,

but does not include state owned corporations, unless they elect to follow the PPIP Act.

Private sector persons (individuals, corporations, partnerships and trusts) are not bound by the PPIP Act, however they will be bound by the HRIP Act if they provide a health service or hold, collect or use health information, and:

  • have an annual turnover of more than $3 million, or
  • provide a health service and hold health information (except in an employee record), or
  • disclose personal information to anyone else for a benefit, service or advantage, or
  • collect personal information from anyone else by providing a benefit, service or advantage, or
  • are a contracted service provider for the federal government, or
  • are a credit reporting body.

Are there limits to the Privacy Commissioner’s Jurisdiction?

The Privacy Commissioner does not have privacy jurisdiction over the conduct of private sector persons (individuals, corporations, partnerships and trusts) except where they are bound by the HRIP Act.

How does this work in conjunction with federal legislation?

Organisations not covered by the PPIP and/or HRIP Acts (e.g. state owned corporations, federal government departments, and some private sector organisations) may be covered by the federal Privacy Act 1998 (Privacy Act) which is dealt with by the Office of the Australian Information Commissioner (OAIC).

The Privacy Act also applies to all health service providers in the private sector throughout Australia. That is, a person or entity providing a health service and holding health or personal information. It does not apply to public sector health service providers such as public hospitals which are instead covered by HRIP.

The OAIC is also the independent privacy regulator for the My Health Record system and Healthcare Identifier service and has functions and responsibilities under both the My Health Records Act 2012 and the Healthcare Identifiers Act 2010. More information regarding this is available through the OAIC here.

How is my privacy protected in NSW?

The PPIP Act and HRIP Act provide for the proper collection, holding, security, access to, amendment, disposal, use and disclosure of your personal and health information. 

The PPIP Act provides this through 12 Information Protection Principles (IPPs) for NSW public sector agencies to abide by. These IPPs are legal obligations that agencies must meet when dealing with your personal information.

You can find more information about the IPPs and their exceptions and exemptions here.

The HRIP Act similarly provides 15 Health Privacy Principles (HPPs) for NSW public sector agencies and private sector persons to abide by. These HPPs are legal obligations that agencies and private sector persons must meet when dealing with your health information.

In addition to the HPPs, private sector persons have additional provisions about retention, access and amendment of health information that apply. These can be found at Part 4 of the HRIP Act.

You can find more information about the HPPs and their exceptions and exemptions here. 

The Privacy Commissioner has a role in ensuring that those bound by the legislation meet the IPPs and HPPs when dealing with your personal and health information.

What if I think my privacy has been breached?

If you have concerns that your privacy has been breached by a state government agency, local council, university or ministerial office that is governed by the PPIP and/or HRIP Acts, the following options may be available to you:

  • ask the agency to conduct an internal review of the conduct that is alleged to have breached your privacy. This is a fact finding investigation undertaken by the agency into your privacy complaint, or
  • make a complaint to the NSW Privacy Commissioner about the agency’s conduct.

If you think that your privacy has been breached by a federal government department or private sector organisation that is governed by the Privacy Act, further information is available through the OAIC here.

You have 6 months from when you first become aware of the conduct to ask for an internal review or make a complaint to the NSW Privacy Commissioner.

If you are seeking an internal review by the agency, you must be aggrieved by the conduct or complaining on behalf of someone else who is aggrieved.

If you are a member of a class of people whose privacy may have been breached, you can only make a complaint about the conduct in so far as you are personally aggrieved. Other members of that class are also able to make complaints about the conduct as it relates to them.

If you make a complaint to the NSW Privacy Commissioner that could also be dealt with as an internal review by the agency, the Privacy Commissioner may decide not to deal with your complaint because it would be more appropriate to make an application for internal review. Internal review provides you with rights of review which can then be exercised in the NSW Civil and Administrative Tribunal (NCAT).

The NSW Privacy Commissioner has an oversight role in the internal review process, and can make submissions to the agency about its draft findings. Therefore when you choose to have your concerns dealt with as an internal review by the agency, the NSW Privacy Commissioner still has a role in that process.

If you request an internal review by an agency, then at the completion of that review you will be informed of:

  • the findings of the review,
  • the action (if any) proposed by the agency in response to your complaint, and
  • your further review rights.

You can find more information about the internal review process here.

Under the legislation, the Privacy Commissioner is independent, and does not represent applicants or agencies in privacy internal reviews or NCAT administrative reviews.

You can also find more information about NCAT’s review process here.

Complaints about a private sector person under the NSW HRIP Act

If you are concerned that a private sector person has not met their privacy obligations under the HRIP Act, your first action should always be to contact the person or organisation directly and communicate your concerns.

If you are not able to resolve your complaint directly with the private sector person, you can also make a complaint to the NSW Privacy Commissioner.

A complaint must be made within 6 months (or such later time as the Privacy Commissioner may allow) from the time you first became aware of the conduct or matter the subject of the complaint.

If there is overlapping jurisdiction, you should carefully consider whether you wish to have your complaint dealt with under the HRIP Act or the federal Privacy Act. Both Acts provide different complaint processes, outcomes, and rights of review and once you have your complaint dealt with under one Act, you may not be able to later choose to have it dealt with under the other. Information about your rights under the Privacy Act is available from the OAIC’s website.

If you choose to make your complaint to the NSW Privacy Commissioner, you can do so by writing to the IPC about the conduct you believe has breached your privacy and how. You should also provide a copy of all your correspondence with the private sector person.

The NSW Privacy Commissioner will then:

  • assess your complaint,
  • determine whether the private sector person appears to have breached a HPP, provision of Part 4 of the HRIP Act, or a health privacy code of practice, and
  • decide how to deal with your complaint.

In most cases, the NSW Privacy Commissioner will deal with your complaint by resolving the issues through conciliation processes.

If, however, the NSW Privacy Commissioner is not able to resolve the complaint, then we can investigate and provide a report. This report will allow you to apply to NCAT for a review of the conduct within 28 calendar days, unless otherwise stated.

If the NSW Privacy Commissioner deals with your complaint in any other way (including by determining that the matter has been resolved) and you do not receive a report from the NSW Privacy Commissioner in response to your complaint, NCAT will have no power to consider your matter.

What can the Privacy Commissioner do?

The functions of the Privacy Commissioner are set out in both the HRIP and PPIP Acts.

In an internal review conducted by an agency, the Privacy Commissioner exercises an oversight role. This means that the Privacy Commissioner is notified of applications for internal reviews made to agencies, kept informed of the progress of those reviews and informed of their findings and any action proposed to be taken by the agency in relation to the matter.

The Privacy Commissioner can also make submissions about the subject matter of any internal review, including, but not limited to whether:

  • the agency’s conduct did or did not constitute a breach of the IPPs/HPPs,
  • an apology should be made to the applicant,
  • changes should be considered to the agency’s practices or procedures, or
  • further or refresher training about the agency’s privacy obligations should be given to its staff. 

Any submissions made by the Privacy Commissioner are required to be considered by agencies when conducting the internal review.

In a complaint, the Privacy Commissioner can endeavour to resolve the complaint (including by conciliation), determine the complaint has been resolved, or investigate the complaint, make recommendations and provide a report.

However, the Privacy Commissioner does not have jurisdiction to direct or award compensation to be paid in an internal review or a complaint.

What other privacy legislation can apply?

If you are concerned about the conduct of a private sector person breaching your privacy, it is likely that your concerns also allege a possible breach of one or more of the Australian Privacy Principles (APPs) under the federal Privacy Act.

The underlying principles and privacy protections of the HRIP Act and federal Privacy Act are similar.

You may therefore be able to have your complaint dealt with by the OAIC instead if the private sector person is covered by the Privacy Act. For more information, contact the OAIC on 1300 363 992 or via its website – www.oaic.gov.au

If you are complaining about a business that offers goods or services to European Union citizens, then they may also be subject to the General Data Protection Regulation (GDPR). This is a European privacy law.

You can find more information about the effect of the GDPR on Australian businesses on the OAIC website.

For more information

Contact the Information and Privacy Commission NSW (IPC):

Freecall: 1800 472 679

Email: ipcinfo@ipc.nsw.gov.au

Website: www.ipc.nsw.gov.au