What is serious wrongdoing? Privacy Contravention

Fact Sheet - What is serious wrongdoing? Privacy Contravention, October 2023

Who is this information for?
This fact sheet is for public officials reporting serious wrongdoing.
Why is this information important to them?
To ensure that agencies identify when they have received a voluntary public interest disclosure (PID), it is important to understand serious wrongdoing.

A framework for public officials to report serious wrongdoing, and for those reports to be properly dealt with, is vital for maintaining the integrity of the public service.

A key feature of a voluntary PID is that the public official making the report must honestly believe on reasonable grounds that the information shows or tends to show serious wrongdoing.

Section 13 of the Public Interest Disclosures Act 2022 (PID Act) defines serious wrongdoing as meaning one or more of the following:

1. corrupt conduct

2. serious maladministration

3. a government information contravention

4. a privacy contravention

5. a serious and substantial waste of public money

6. a local government pecuniary interest contravention.

This guidance is concerned specifically with serious wrongdoing under the PID Act which relates to a privacy contravention.

There is no further assessment that needs to be made as to the seriousness of the reported wrongdoing. If it is serious wrongdoing, as defined under section 13 of the PID Act, it meets the test under the PID Act and is ‘serious’ enough to be a voluntary PID.

What is a privacy contravention?

A privacy contravention is a failure, other than a trivial failure, by an agency or public official to exercise functions in accordance with the Privacy and Personal Information Protection Act 1998 (PPIP Act) or the Health Records and Information Privacy Act 2002 (HRIP Act)[1]. For further information on what constitutes personal or health information under these Acts please see the following Fact Sheet - A guide to privacy laws in NSW.

In determining whether the failure is trivial or not, agencies should consider the nature of the failure and its likely consequences, including but not limited to the following:

  • the duration, frequency or history of the action or inaction.

  • the degree of intent or improper purpose involved.

  • whether the conduct was 'deliberate' (as opposed to accidental, negligent, or reckless).

  • whether the conduct is of sufficient gravity that it would warrant the person being dismissed, removed, disciplined, or punished.

  • the extent to which the action or inaction may undermine public confidence or trust in the relevant public authority or in public administration generally.

For further information on how to assess whether or not a failure to exercise functions in accordance with the PPIP Act or HRIP Act is a PID, please see the NSW Ombudsman’s website for PID resources and guidance.

Personal information and/or health information

Privacy contraventions may be of a personal or health nature or both. Examples of a privacy contravention may include:

  • a public official unlawfully accessing a person’s personal or health information, held on a database that is used by an agency to retain customer information, for their own personal use or for another non-work-related matter.
  • a public official unlawfully disclosing someone’s personal or health information from the agency database for their own purposes or a non-work-related purpose.
  • a public sector official unlawfully disclosing personal or health information from an agency’s systems in return for a bribe or similar corrupt conduct from a third party.
  • a public sector official offering to supply personal or health information that has been obtained unlawfully from an agency’s systems to a third party.
  • an agency having poor data management processes in place which leads to the disclosure of the personal or health information about a person, or group of persons, to another agency or entity or person without a lawful reason.
  • an agency’s poor email practices resulting in repeated failures by staff of the agency to ensure emails containing personal or health information go to the correct recipient.
  • corrupt disclosure or use of personal or health information.
  • supplying personal or health information unlawfully.
  • using intimidation or false representation to require someone to give consent under the PPIP Act or HRIP Act.
  • a public sector official threatening, intimidating, or using false information to prevent another person from requesting access to their personal or health information.

What is an offence under the PPIP Act and HRIP Act?

There are two offences under both the PPIP Act and HRIP Act relating to the corrupt disclosure and use of personal information by public sector officials:

  • The first offence is the disclosure or use of personal information about another person by a public sector official.[2] The disclosure or use must be intentional, and the public sector official must have or have had access to the personal information in the exercise of their official functions. However, disclosure or use in connection with the lawful exercise of the official functions of the official or in accordance with the PID Act is permitted.[3]
  • The second offence is inducing a public sector official to disclose personal information to which the official has access in the exercise of their official functions.[4] The inducement may be by way of a bribe or other similar corrupt conduct. The offence includes attempts to induce.

There are also offences about the behaviour or conduct of persons and public officials, either by way of deliberate conduct or taking action or alternatively, deliberately or knowingly not taking action.

Each offence under the PPIP Act and HRIP Act has penalties identified in the Act (100 penalty units – $11,000 or 2 years imprisonment or both).

For further information see the IPC fact sheet on offences under the PPIP Act, or:

For more information

Contact the Information and Privacy Commission NSW (IPC):

Freecall: 1800 472 679
Email: ipcinfo@ipc.nsw.gov.au
Website: www.ipc.nsw.gov.au

NOTE: The information in this factsheet is to be used as a guide only. Legal advice should be sought in relation to individual circumstances.

[1] PID Act 2022, Schedule 2

[2] PPIP Act section 62(1); HRIP Act section 68(1)

[3] PPIP Act section 62(3); HRIP Act section 68(3)

[4] PPIP Act section 62(2); HRIP Act section 68(2)