Managing personal and health information
This bulletin explains how NSW privacy legislation affects the department’s management of personal and health information. PB01. This bulletin was last revised August 2018.
What issues does this bulletin address?
- NSW privacy legislation being the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) and the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) which govern the management of personal and health information held by NSW government agencies.
- The Information Protection Principles (IPPs) and Health Privacy Principles (HPPs).
- The application of privacy law to the DoE and its employees.
Application of privacy legislation
The PPIP Act applies to public sector agencies including the Teaching Service and to a person or body that provides data services involving handling personal information for a NSW government agency.
The HRIP Act applies to public sector agencies including the Teaching Service and private sector organisations that collect, hold or use health information.
What is personal information?
Personal information is any information about an individual who is identifiable. It could be a student’s name, address, class, school, family details, fingerprints or a combination of information from which a student or other individual can be identified. The information can be recorded in paper files, electronic records, video recordings and photographs.
Personal information is defined as:
- Information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
What is health information?
Health information is personal information that relates to aspects of an individual’s physical or mental health or to health care services provided to an individual. Personal information is defined in the same terms as in the PPIP Act. Health information is defined as:
- personal information that is information or an opinion about:
- the physical or mental health or disability (at any time) of an individual, or
- an individual’s express wishes about the future provision of health services to him or her, or
- a health service provided, or to be provided, to an individual, or
- other personal information collected to provide, or in providing, a health service, or
- other personal information about an individual collected in connection with the donation, or intended donation, of an individual's body parts, organs or body substances, or
- other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of a genetic relative of the individual, or
- healthcare identifiers
Health information is any health information about an individual who is identifiable. It could be information about a student’s allergy to peanuts, a student’s need for asthma medication, the need for a scribe due to a learning difficulty or disability, or injuries suffered during school sports events.
There are a number of exceptions to the definition of personal information. Those most relevant to the operation of DoE are:
- information in a publicly available publication, or
- information about an individual’s suitability for employment as a public sector official, or
- information about an individual who has been dead for over 30 years.
Publicly available publications include newspapers, magazines, books and online sources that are available to the public.
Information about an individual’s suitability for employment as a public sector official includes job references and comments and reports by members of selection committees and those who interview applicants for public sector roles.
What are IPPs and HPPs?
IPPs and HPPs are the principles with which public sector agencies must comply when dealing with personal and health information. They are intended to minimise the risk of misuse of personal and health information and to support the privacy of individuals.
There are 12 IPPs and 15 HPPs. They are similar in many respects, addressing collection, storage, access, alteration, use and disclosure of personal and health information. In addition, HPPs cover identifiers, anonymity and linkage of health records.
IPPs and HPPs are summarised in the fact sheets below, published on the website of the Information Privacy Commission.
Privacy legislation provides for a number of exemptions to the IPPs and HPPs, many of which are common to both personal and health information. Those most relevant to DoE’s operation allow non-compliance with IPPs and HPPs in the following situations:
- when non-compliance with an IPP or HPP is lawfully authorised, required, implied or reasonably contemplated under an Act or law.
- when investigating or handling a complaint that could be referred to or has been referred from an investigative agency. Investigative agencies include the Ombudsman’s Office.
- when exercising investigative functions under the authority of an Act or statutory rule where the investigation may result in the agency taking or instituting disciplinary, criminal or formal action or proceedings against a person.
Australian laws that may require or authorise information to be used or disclosed outside the ordinary scope of the IPPs or the HPPs include subpoenas requiring the production of documents and information to a court, police warrants requiring the provision of documents or information, and the ordinary process of discovery in the course of litigation.
Similarly, compliance with the IPPs or HPPs cannot be used as a barrier to prevent information being provided in the context of an official investigation by the Ombudsman.
The department’s Privacy Code of Practice
The Department of Education’s Privacy Code of Practice (PDF 147.28KB) (the Code) modifies some IPPs to allow the department’s non-compliance so it can perform functions such as complaint handling, providing a disciplined and safe learning environment and for child protection purposes. The Code does not apply to HPPs.
Examples of non-compliance permitted by the Code include allowing parents or caregivers of students attending government schools to have access or make amendments to students' personal information. Other exceptions allow the department to depart from the IPPs in order to preserve the confidentiality of counsellor records and the confidentiality of information provided by staff or students about another student.
Privacy legislation and department employees
Department employees have an obligation to comply with IPPs and HPPs when handling personal and health information to which they have access in the performance of their duties.
Privacy legislation is concerned with the conduct of public sector agencies, so in most instances an employee's actions will be taken to be the actions of the agency. However, the legislation imposes penalties where an employee intentionally discloses or uses an individual’s personal or health information, obtained in the exercise of the employee’s official functions, for purposes other than the lawful exercise of those functions. It is also an offence to attempt to bribe a public sector official to disclose an individual’s health or personal information to which the official has had access in the exercise of his/her official functions.
An example of misconduct in respect of personal information would include disclosing personal information about the child of a famous person to a journalist, regardless of whether payment or a bribe was offered.