The Privacy and Personal Information Protection Act 1998 (PPIP Act) outlines how New South Wales (NSW) public sector agencies manage personal information and the functions of the NSW Privacy Commissioner.
The commentary on this page is not intended to provide legal advice or legal interpretation of the Privacy and Personal Information Protection Act 1998. For the full text of the Act click on this external link to the Legislation NSW website Privacy and Personal Information Protection Act 1998 NSW (PPIP Act)
What agencies are bound by the PPIP Act?
Agencies that are bound by the PPIP Act are NSW public sector agencies, statutory authorities, universities, NSW local councils, and other bodies whose accounts are subject to the Auditor General.
You can find a complete list of agencies on the NSW Government Directory* and a complete list of NSW councils on the Office of Local Government website.
*Please note that although state owned corporations are included in the directory, they are not bound by the PPIP Act as outlined in section 3.
Should you be unsure if NSW privacy laws apply, please feel free to contact the agency or the IPC.
Definition of personal information
The legal definition of personal information is provided by section 4 of the PPIP Act. Section 4 of the PPIP Act defines ‘personal information‘ as:
“Information or an opinion (including information or an opinion forming part of a database and whether or not in a recorded form) about an individual whose identity is apparent or can be reasonably be ascertained from the information or opinion”.
Personal information includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics (section 4(2)).
As an example personal information can be considered to be information that identifies you. Personal information could include :
- a record which may include your name, address and other details about you
- photographs, images, video or audio footage
- fingerprints, blood or DNA samples.
Exemptions from the definition
There are some exemptions from the definition of personal information provided for in section 4(3) of the PPIP Act, for example, the definition doesn’t include personal information about a person who has been dead for more than 30 years. To see all the exemptions you should read section 4(3).
Role of the NSW Privacy Commissioner
The PPIP Act gives a number of functions to the NSW Privacy Commissioner. These are:
- promote the adoption of, and monitor compliance with, the information protection principles;
- prepare and publish guidelines relating to the protection of personal information and other privacy matters, and to promote the adoption of such guidelines;
- initiate and recommend the making of Privacy Codes of Practice;
- provide assistance to public sector agencies in adopting and complying with the Information Protection Principles and Privacy Codes of Practice;
- provide assistance to public sector agencies in preparing and implementing Privacy Management Plans in accordance with section 33;
- conduct research, and collect and collate information, about any matter relating to the protection of personal information and the privacy of individuals;
- provide advice on matters relating to the protection of personal information and the privacy of individuals;
- make public statements about any matter relating to the privacy of individuals generally;
- conduct education programs, and to disseminate information, for the purpose of promoting the protection of the privacy of individuals;
- prepare and publish reports and recommendations about any matter (including developments in technology) that concerns the need for, or the desirability of, legislative, administrative or other action in the interest of the privacy of individuals.
- to receive, investigate and conciliate complaints about privacy related matters (including conduct to which Part 5 applies),
- to conduct such inquiries, and make such investigations, into privacy related matters as the Privacy Commissioner thinks appropriate.
Information Protection Principles
The 12 Information Protection Principles (IPPs) are the key to the PPIP Act. They are legal duties that describe what NSW public sector agencies (including councils) must do when they handle your personal information. The 12 IPPs detail how your personal information must be collected, stored, used and disclosed as well as your rights to access your personal information.
If you require more information on the 12 IPPs we encourage you to read our Fact sheet: Information Protection Principles (IPPs).
Exemptions from the privacy principles
The Act includes a number of specific exemptions from the principles, for example relating to:
- law enforcement
- where non compliance is authorised
- where non-compliance would benefit the individual concerned
- credit information
In addition to these specific exemptions, a Public Interest Direction or Code of Practice may modify the application of the principles. For more information see the Privacy Codes of Practice and the Public Interest Direction pages.
What exemptions are there to the PPIP Act?
There are four major sources of exemptions to the PPIP Act:
- Exemptions in the Act itself
- Exemptions in a regulation made by the Attorney General
- Exemptions in a privacy code of practice, made by the Attorney General
- Exemptions in a Public Interest Direction, made by the Privacy Commissioner.
Exemptions allow public sector agencies to modify the application of the Information Protection Principles (IPPs) in the PPIP Act in certain circumstances. They may relate to:
- the definition of 'personal information'
- an agency's specific functions
- a particular agency
- one or more of the Information Protection Principles (IPPs)
- the public register provisions.
You can find more detailed information about the PPIP Act and IPPs by reading the full text of the PPIP Act
Regulations made under the PPIP Act:
- Privacy and Personal Information Protection Regulation 2019 (PPIP Regulation)
- Privacy and Personal Information Protection Regulation 2014 - repealed on 15 August 2019
- Privacy and Personal Information Protection Regulation 2005 - repealed on 1 September 2014
- Privacy and Personal Information Protection (Transitional) Regulation 1999 - repealed on 1 July 2008
- Public registers
- Public Interest Directions
- Privacy reports and decisions
- How do I get my information?
- How do I make a complaint?
Last updated: September 2020