Bulletin 4 - Use and disclosure of personal information

Legal Issues Bulletin 4 - Use and disclosure of personal information

This bulletin focuses on the “use” and “disclosure” of personal and health information held by the department.

Personal and health information is explained in Privacy Bulletin 1.

The Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) and Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) regulate the way public sector agencies handle personal and health information through principles referred to as Information Protection Principles (IPPs) and Health Privacy Principles (HPPs).

Use and disclosure of personal information

The department “holds” information when information is recorded in a material form, such as a file note, report, email or other forms of correspondence. In general, information is not “held” when it is in the mind of a person such as information exchanged in conversation, as long as the department does not have a material record of that information.

“Use” refers to the internal treatment and handling of information. Transferring personal or health information between Department staff for legitimate educational or management purposes is a “use” of the information.

In general, “disclosure” occurs when the department makes information available to individuals or organisations outside the department. Schools disclose the personal information of students when they publish student names, pictures, or other information from which a student can be identified, in the school newsletter or on the school’s Facebook or other social media sites. Disclosure may also occur when student information is provided to third-party online service providers.

The “use and disclosure” principles

The “use and disclosure” principles are at sections 16–19 of the PPIP Act and clauses 16–19 of Schedule 1 of the HRIP Act. They place limitations on the uses that can be made of personal and health information and the circumstances in which the information can be disclosed. In most circumstances, the information must not be used or disclosed for a purpose other than the one for which it was collected and of which the individual to whom the information relates (or, in the case of students, their parent/carer) was notified when the information was collected or as soon as possible after the collection. There are criminal sanctions for the unauthorised use and disclosure of personal or health information by public sector officials.

The “use” and “disclosure” principles require:

  • the Department take reasonable steps to ensure that, before using personal or health information for a particular purpose, the information is relevant, accurate, up to date, complete and not misleading,
  • information is used only for the purpose for which it was collected, unless:
    • the relevant individual has consented, or
    • the use is for a directly related purpose and the individual would reasonably expect the department to use the information for the related purpose, or
    • the use of the information is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or to another person,
  • information is disclosed only for the purpose for which the information was collected unless:
    • the relevant individual has consented, or
    • the disclosure is for a directly related purpose where there is no reason to believe that the person concerned would object to the disclosure, or
    • the person concerned is reasonably likely to be aware or has been made aware, that it is usual practice to disclose information of that kind to that other person or body, or
    • it is believed that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or to another person,
  • there must be no disclosure of personal or health information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, or sexual activities, unless:
    • the disclosure is with the express permission of the person concerned or in the case of students, their parent/caregiver, or
    • the disclosure is necessary to prevent a serious or imminent threat to the life or health of the individual concerned or to another person, and
  • there must be no disclosure of personal or health information to bodies outside NSW unless:
    • the disclosure is to a jurisdiction with recognised privacy law in place or the disclosure is otherwise authorised, or
    • the individual has consented, or
    • the Department has taken steps to ensure that the information will be held, used and disclosed in a manner consistent with the IPPs and HPPs.

Exceptions to the “use and disclosure” principles

The PPIP Act and HRIP Act contain a number of exceptions to the “use” and “disclosure” IPPs and HPPs, in addition to those listed above. The exceptions most relevant to the operation of the department allow for non-compliance where:

  • the department is lawfully authorised or required not to comply or non-compliance is otherwise permitted, implied or reasonably contemplated under any other law – for example, Chapter 16A of the Children and Young Persons (Care and Protection) Act 1998 (NSW) allows for the exchange of personal or health information about a child, young person or class of children or young people between prescribed bodies; OH&S legislation and the department’s duty of care to students and others may also require non-compliance in certain circumstances, or
  • the department is investigating or handling a complaint or other matter that could be referred to an investigative agency such as police or the Ombudsman.

The Department’s Privacy Code of Practice (the Code) allows non-compliance with some IPPs in certain circumstances. Non-compliance is permitted where:

  • compliance may detrimentally affect the department’s complaint handling or investigative functions, or
  • non-compliance is necessary to promote and maintain a safe and disciplined learning environment, or
  • information is used or disclosed for the purpose of obtaining legal advice or representation or for use in legal proceedings, or
  • it is necessary to maintain the confidentiality of counsellor records, or
  • it is necessary for child protection purposes, or
  • it is in the best interests of a student for the department to collect a student’s information from or disclose a student’s information to a parent/caregiver, or
  • it is in the best interests of a student for the department to obtain consent from a parent/caregiver for the use or disclosure of a student’s information.

The Code contains further information on the department’s philosophy in relation to the handling of student information in the context of the PPIP Act.

The Code ONLY relates to personal information.

Frequently asked questions

Should a counsellor provide information to parents?

In all cases of a self-referral to the school counsellor, information can only be disclosed to a parent or caregiver of a student attending a government school with the express permission of the child or young person, or where the counsellor believes it is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or to another person.

Where a parent or caregiver of a primary or pre-school aged student or a parent or caregiver of a student with a significant intellectual disability refers their child to the school counsellor, the school counsellor can provide relevant information to the parent, guardian or caregiver if it is in the child's best interests to provide the information.

Where a high school aged student is referred to the school counsellor by a parent or caregiver, information can only be disclosed to the parent or caregiver with the express permission of the child or young person, or where the counsellor believes it is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or to another person.

Should you provide names and addresses?

e.g. A former government school student is organising a reunion and would like the names and addresses of other ex-students, or, the President of the P&C wants the names and addresses of all families in the school so that invitations to the school centenary can be sent out, or, the local Member of Parliament would like to invite all members of local school communities to the promotion of Cancer Awareness Week.

No. Unless the people whose names and addresses are sought have given permission or were told at the time of collection of their personal information that it would be used for this purpose, neither the former student, nor the President of the P&C, nor the Member of Parliament has a legitimate right to have this information. You might suggest alternatives such as:

  • announcing the event on social media,
  • placing an advertisement in the local paper,
  • placing signs on community notice boards, or
  • asking those requesting the information to visit your school, college or workplace and make an announcement inviting people to contact them if they would like to be involved.

Does the Act prevent disclosing a student's exam marks to their parent or caregiver?

In general, no. The Department's Privacy Code of Practice contains a specific exemption to ensure that parents or caregivers can be informed of personal information about school students where it is in the best interests of the student. In the vast majority of situations, it will be in the best interests of school students for parents or caregivers to be aware of the students' examination marks.

Do school students have a right of review if they disagree with a decision to disclose their personal information to a parent or caregiver?

Yes. Additional details regarding this can be found in section 3.2 of the Department Privacy Code of Practice on the Department's intranet site. The decision is to be reviewed by the principal, with a right of appeal to the Director. In these cases, the principal may need to establish procedures to manage the review process.

In what form should consent be recorded?

Limits on the use of personal information can be overridden by the consent of the individual. Where reasonably practicable, consent in writing should be obtained. This consent should be explicit and indicate clearly to what the individual has agreed. Since breaches of the IPPs and HPPs are subject to an internal review, evidence of consent may be required for a subsequent review.

Where it is not reasonably practicable to obtain consent in writing, you should make a file note of the conversation recording the particular matter to which the individual has consented.

Can staff report suspected misconduct within the Department or to the Independent Commission Against Corruption (ICAC)?

Yes. Since the Department is empowered and obliged, by law, to perform effectively and address misconduct, staff reporting problems such as this through proper departmental channels are not in breach of privacy requirements of the Act. Similarly, ICAC, by law, can receive such information and therefore staff are not in breach of the Act if they report personal information to ICAC when making a complaint of misconduct.

It is worth noting here that protected disclosures under the Protected Disclosures Act 1994 (NSW) are exempt from the definition of personal information under the Privacy and Personal Information Protection Act 1998. This means that privacy legislation does not apply in these situations.

Further information

Privacy guidance can be found here.
