Bulletin 4 - Use and disclosure of personal information
Legal Issues Bulletin 4 - Use and disclosure of personal information
Legal Issues Bulletin 4 - Use and disclosure of personal information
Please wait while page index is generated
This bulletin focuses on the “use” and “disclosure” of personal and health information held by the department.
Personal and health information is explained in Privacy Bulletin 1.
The Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) and Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) regulate the way public sector agencies handle personal and health information through principles referred to as Information Protection Principles (IPPs) and Health Privacy Principles (HPPs).
The department “holds” information when information is recorded in a material form, such as a file note, report, email or other forms of correspondence. In general, information is not “held” when it is in the mind of a person such as information exchanged in conversation, as long as the department does not have a material record of that information.
“Use” refers to the internal treatment and handling of information. Transferring personal or health information between Department staff for legitimate educational or management purposes is a “use” of the information.
In general, “disclosure” occurs when the department makes information available to individuals or organisations outside the department. Schools disclose the personal information of students when they publish student names, pictures, or other information from which a student can be identified, in the school newsletter or on the school’s Facebook or other social media sites. Disclosure may also occur when student information is provided to the third party online service providers.
The "use and disclosure" principles are at sections 16 - 19 of the PPIP Act [insert URL] and Clauses 16 – 19 of Schedule 1 of the HRIP Act [insert URL] They place limitations on the uses that can be made of personal and health information and the circumstances in which the information can be disclosed. In most circumstances, the information must not be used or disclosed for a purpose other than the purpose for which it was collected, and the individual to whom the information relates (or, in the case of students, their parent/carer) was notified of that purpose when the information was collected or as soon as possible after the collection. There are criminal sanctions for the unauthorised use and disclosure of personal or health information by public sector officials.
The “use” and “disclosure” principles require:
The PPIP Act and HRIP Act contain a number of exceptions to the “use” and “disclosure” IPPs and HPPs, in addition to those listed above. The exceptions most relevant to the operation of the department allow for non-compliance where:
The Department’s Privacy Code of Practice (the Code) [insert URL] allows non-compliance with some IPPs in certain circumstances. Non-compliance is permitted where:
The Code contains further information on the department’s philosophy in relation to the handling of student information in the context of the PPIP Act.
The Code ONLY relates to personal information.
In all cases of a self-referral to the school counsellor, information can only be disclosed to a parent or caregiver of a student attending a government school with the express permission of the child or young person, or where the counsellor believes it is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or to another person.
Where a parent or caregiver of a primary or pre-school aged student or a parent or caregiver of a student with a significant intellectual disability refers to their child to the school counsellor, the school counsellor can provide relevant information to the parent, guardian or caregiver if it is in the child's best interests to provide the information.
Where a high school aged student is referred to the school counsellor by a parent or caregiver, information can only be disclosed to the parent or caregiver with the express permission of the child or young person, or where the counsellor believes it is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or to another person.
e.g. A former government school student is organising a reunion and would like the names and addresses of other ex-students, or, the President of the P&C wants the names and addresses of all families in the school so that invitations to the school centenary can be sent out, or, the local Member of Parliament would like to invite all members of local school communities to the promotion of Cancer Awareness Week.
No. Unless the people whose names and addresses are sought have given permission or were told at the time of collection of their personal information that it would be used for this purpose, neither the former student, nor the President of the P&C, nor the Member of Parliament has a legitimate right to have this information. You might suggest alternatives such as:
In general, no. The Department's Privacy Code of Practice contains a specific exemption to ensure that parents or caregivers can be informed of personal information about school students where it is in the best interests of the student. In the vast majority of situations, it will be in the best interests of school students for parents or caregivers to be aware of the students' examination marks.
Yes. Additional details regarding this can be found in section 3.2 of the Department Privacy Code of Practice on the Department's intranet site. The decision is to be reviewed by the principal, with a right of appeal to the Director. In these cases, the principal may need to establish procedures to manage the review process.
Limits on the use of personal information can be overridden by the consent of the individual. Where reasonably practicable, consent in writing should be obtained. This consent should be explicit and indicate clearly to what the individual has agreed. Since breaches of the IPPs and HPPs are subject to an internal review, evidence of consent may be required for a subsequent review.
Where it is not reasonably practicable to obtain consent in writing, you should make a file note of the conversation recording the particular matter to which the individual has consented.
Yes. Since the Department is empowered and obliged, by law, to perform effectively and address misconduct, staff reporting problems such as this through proper departmental channels are not in breach of privacy requirements of the Act. Similarly, ICAC, by law, can receive such information and therefore staff are not in breach of the Act if they report personal information to ICAC when making a complaint of misconduct.
It is worth noting here that protected disclosures under the Protected Disclosures Act 1994 (NSW) are exempt from the definition of personal information under the Privacy and Personal Information Protection Act 1998. This means that privacy legislation does not apply in these situations.
Privacy guidance can be found at here.