IPC Privacy Proactive Regulatory Initiatives Program

Privacy Commissioner’s introduction

The Information and Privacy Commission (IPC) is one of a few independent statutory authorities in NSW. We administer legislation dealing with privacy and access to government held information in NSW.

While our core work is the provision of advice, undertaking reviews and dealing with complaints, the IPC must also identify and respond to risk to improve and promote compliance.

Like any agency, we have finite resources and must target our efforts to make the most of what we have at our disposal. From time to time, the Privacy Commissioner will look to undertake proactive regulatory initiatives to elevate and influence compliance by regulated entities. The outcomes of these completed initiatives will be published for the awareness and learnings of regulated entities.

Sonia Minutillo
A/NSW Privacy Commissioner

Our Role

The IPC reports to the NSW Parliament. The Privacy Commissioner:

  • reviews the performance and decisions of agencies and investigates and conciliates complaints relating to public sector agencies, health service providers (both public and private) and some large organisations that deal with health information.
  • has functions which include promoting privacy rights and the adoption of privacy best practice, preparing guidelines, and oversighting the NSW privacy legislation.
  • supports agencies and new service delivery models to achieve compliance with privacy rights through risk identification, agency self-audit tool, guidance and advice.

The IPC conducts proactive regulatory compliance initiatives under the Privacy and Personal Information Protection Act 1998 (PPIP Act) and Health Records and Information Privacy Act 2002 (HRIP Act), and can also undertake investigations or inquiries. These proactive regulatory initiatives are a mechanism which assists agencies to elevate their compliance and improve knowledge and understanding of their requirements and functions.

Through our proactive regulatory initiative function we also aim to:

  • promote privacy rights in NSW and provide information, advice, assistance and training for agencies and individuals on privacy and access matters
  • disseminate information for the purposes of promoting the protection of the privacy
  • provide assistance in preparing privacy management plans
  • provide guidance about the legislation and relevant developments in the law and technology as it relates to information access and privacy.

Regulatory Initiatives Calendar

Q4 2023/24

Desktop Review of existence of Data Breach Policies (DBP) and Privacy Management Plans (PMP)

The commencement of the Mandatory Notification of Data Breach Scheme (MNDB) on 28 November 2023 required agencies to have a Data Breach Policy (DBP). Additionally, the requirements for Privacy Management Plans (PMP) were amended to require that agencies' PMPs include the procedures and practices used by the agency to ensure compliance with the obligations and responsibilities set out in Part 6A for the mandatory notification of data breach scheme.

This initiative will commence in Q4 of 2023/24 and review the extent of compliance by agencies with the requirements to have a DBP in place and the extent to which PMPs have been updated as a result. The review will draw on the adaption of the IPC regulatory tool to assist the IPC with the measurement and assessment of compliance across government agencies, local councils, universities and state-owned corporations.

View the IPC's compliance audit calendar for information access here.