NSW Privacy Laws
The Information and Privacy Commission NSW (IPC) oversees two laws that promote the protection of personal and health information in New South Wales (NSW) that is collected, stored and used by public sector agencies to provide services to the public.
Other pieces of legislation have provisions affecting personal information and privacy – for example, the Road Transport Act 2013.
The following laws and regulations are overseen by the IPC:
- Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act)
- Health Records and Information Privacy Act 2002 (NSW) (HRIP Act)
- Privacy and Personal Information Protection Regulation 2019 (NSW) (PPIP Regulation)
- Privacy Codes of Practice made under the PPIP Act (exemptions)
- Privacy Code of Practice (General) 2003 (NSW)
- Public Interest Directions made under the PPIP Act (exemptions)
- Health Records and Information Privacy Regulation 2022 (NSW) (HRIP Regulation)
- Health Records and Information Privacy Code of Practice 2005 (NSW)
- Health Public Interest Directions made under the HRIP Act (exemptions)
Who do these laws apply to?
The PPIP Act
The PPIP Act applies to NSW public sector agencies including government agencies, local councils, and universities.
The HRIP Act
The HRIP Act applies to NSW public sector agencies including government agencies, local councils, universities and public sector health organisations, as well as private sector organisations, health service providers and businesses with a turnover of more than $3 million which hold health information.
Are there other laws that protect privacy?
There are other laws that may apply in certain situations. The following links will take you to either the Commonwealth legislation website (ComLaw) or the NSW Legislation website.
- Workplace Surveillance Act 2005 (NSW)
- Surveillance Devices Act 2007 (NSW)
- Adoption Act 2000 (NSW)
- Assisted Reproductive Technology Act 2007 (NSW)
- Crimes (Forensic Procedures) Act 2000 (NSW)
- Criminal Records Act 1991 (NSW)
- Privacy Act 1988 (Cth)
- Telecommunications (Interception and Access) Act 1979 (Cth)
What exemptions are there to the PPIP Act?
There are four major sources of exemptions to the PPIP Act:
- Exemptions in the Act itself
- Exemptions in a regulation made by the Attorney General
- Exemptions in a privacy code of practice, made by the Attorney General
- Exemptions in a Public Interest Direction, made by the Privacy Commissioner.
Exemptions allow public sector agencies to modify the application of the Information Protection Principles (IPPs) in the PPIP Act in certain circumstances. They may relate to:
- the definition of 'personal information'
- an agency's specific functions
- a particular agency
- one or more of the Information Protection Principles (IPPs)
- the public register provisions.
What exemptions are there to the HRIP Act?
There are four major sources of exemptions to the Health Records and Information Privacy Act 2002 (HRIP Act):
- Exemptions written in the Health Privacy Principles (HPPs) directly
- Exemptions written in a regulation made by the Minister for Health
- Exemptions written in a Health Privacy Code of Practice, made by the Minister for Health
- Exemptions written in a Health Public Interest Direction, made by the Privacy Commissioner.
Each exemption could affect one or more of:
- the definition of 'health information'
- whether the Act affects specific functions
- whether the HPPs apply to a particular agency or organisation
- one or more of the HPPs.