Bulletin 3 - Storage of and access to personal information

This bulletin explains how NSW privacy legislation impacts on the Department’s storage and the rights of individuals to access information about them.

Jump to Index

On this page

Please wait while the page index loads. If you continue to see this message, try refreshing your page.

What issues does this bulletin address?

This bulletin focuses on the "storage and access" principles. Separate bulletins focus on other principles such as the "collection" and "use and disclosure" principles.

The Privacy and Personal Information Protection Act 1998 (NSW) and Health Records and Information Privacy Act 2002 (NSW) regulate the way public sector agencies handle personal and health information through principles referred to as Information Protection Principles (IPPs) and Health Privacy Principles (HPPs). This bulletin looks at the four IPPs and HPPs that apply to the storage of, and access to, personal and health information. The principles regulating personal information and health information are worded in similar terms.

Storing, accessing and altering personal information

Personal information must be protected using reasonable security safeguards. In addition, individuals have the right to determine whether the Department holds personal information about them and the right to access and correct that information. The privacy and protection of personal information afforded by these procedures is the right of the individual and an obligation of Department of Education staff.

The storage, access and alteration principles

These principles require that:

  • personal information is retained for only as long as is necessary for the purpose for which it was collected,
  • personal information is disposed of securely and in accordance with requirements for the retention and disposal of personal information,
  • personal information is protected by taking reasonable precautions against unauthorised access, use, modification or disclosure and against all other misuse,
  • personal information transferred to an external person or organisation in connection with the provision of a service to the Department is protected through the use of security safeguards, to prevent the unauthorised use or disclosure of the information. These safeguards would typically include strict contractual provisions relating to the security and management of the information,
  • reasonable steps are taken to enable an individual to ascertain what personal information the Department holds, the nature of and purpose for holding that information, whether it actually holds personal information relating to that person and the person's right to gain access to that information,
  • individuals are able to access their own personal information held by the Department, and
  • upon request, individuals may amend their personal information held by the Department or, where appropriate and practicable, to have a statement attached to the information if the Department is not prepared to amend the information.

The purposes for which access to personal information may be granted to staff and others should be identified and appropriate procedures established for authorised access. The procedures may include different levels of access. The nature of the personal information and the medium in which it is stored will determine the appropriate level of security required.

Generally, information storage systems such as filing cabinets containing personal information should be locked when unattended. Personal information stored on electronic files should be password protected and access to the information should be limited to those staff whose duties require them to have access. Back-ups of electronic files should be made and stored securely. Where practicable, personal information in an electronic form should be stored and transmitted in an encrypted form.

Exceptions to the access and alteration principles

Exceptions within the IPPs that apply to acces and alteration principles. The most relevant of these allows non-compliance where it is required, authorised, necessarily implied or reasonably contemplated under another Act or law. For example, a parent cannot access their child's personal information held by a school if there are Orders made under the Family Law Act 1975, preventing the parent from accessing this information.

These principles, are also modified by the Department's Privacy Code of Practice. They allow the Department to depart from these IPPs in certain circumstances. including in situations where it is necessary to promote a safe and disciplined learning environment or where compliance would detrimentally affect or prevent the proper exercise of the department's complaint handling or investigative functions.

The department's Privacy Code of Practice applies only to personal information and not health information.

Frequently asked questions

Do the individuals concerned have access to information about themselves?

Generally. yes. Everyone is entitled to access to the great majority of the personal information that is held by the Department and may seek correction of inaccuracies. Certain types of personal information. such as that relating to disciplinary investigations. is not accessible in this way.

Does a repair to a database containing personal information require the use of an internal member of staff?

No. However the Act does require the Department to take steps to ensure that this information is not used or disclosed inappropriately. At a minimum. steps should be taken to ensure the contractor understands that the personal information stored on the database is confidential and agrees that they will not misuse the information to which they have access.

Can staff have access to records containing personal information of other staff, or students?

Only if and when this access is required for the legitimate performance of their duties.

Can deletion of personal information be performed if it contravenes the State Records Act?

Yes. but only in cases where the information is inaccurate or misleading. In general. public sector agencies cannot delete information contained within their records systems. except in accordance with approved disposal authorities. due to the operation of the State Records Act 1998 (NSW). However. s21 of the State Records Act and Schedule 1 of the related Regulations expressly state that provisions of the PPIP Act relating to the alteration of personal information take precedence over the State Records Act.

Where can you get some more information?

Privacy guidance can now be found on the Department Legal services Intranet webpage.

At this website you will have access to:

  • Privacy Bulletins
  • link to the Law Foundation site where you can find the text of the Act
  • link to the Privacy NSW site
  • contact details for the site.

You will be kept informed of privacy matters through further editions of this bulletin and the Department’s website.

Information is also available from the Legal Services Unit.

The Legal Services Unit may be contacted:

Return to top of page