Bulletin 2 - Collecting personal and health informationJump to Index
On this page
Please wait while the page index loads. If you continue to see this message, try refreshing your page.
What issues does this bulletin address?
Privacy Bulletin 1 explains the meaning of personal and health information and provides an overview of NSW privacy law and its application to the department. Privacy Bulletin 2 looks specifically at how the law applies to the collection of personal and health information.
The Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) regulate the way public sector agencies handle personal and health information through principles referred to as Information Protection Principles (IPPs) and Health Privacy Principles (HPPs). This bulletin looks at the four IPPs and HPPs that apply to the collection of personal and health information. The principles regulating personal information and health information are worded in similar terms.
When is information collected?
‘Collection’ is not defined by NSW privacy legislation. However, it is accepted that ‘collection’ typically involves a planned process of gathering information related to the official functions of the agency, where the agency has a system in place for receipt of the information.
Unsolicited information is not ‘collected’ information and is not subject to the collection principles. Unsolicited information is information that is provided voluntarily when an agency has not asked for it. If an agency retains unsolicited personal or health information in its records, the information will be subject to all other IPPs and HPPs.
Examples of collected information include personal information provided on enrolment forms and information about the performance of students in examinations. Collected information also includes teachers photographing students engaging in school events and information about students’ sporting achievements.
Examples of unsolicited information include information provided on a form which is in addition to that requested, or provided by a parent or guardian in the course of correspondence with the school.
The collection principles
The collection principles provide that public sector agencies collecting personal or health information must:
- collect the information for a lawful purpose that is directly related to the agency’s functions or activities;
- collect the information directly from the individual concerned, unless, in respect of personal information, the individual is under 16 or, in the case of health information, lacks the capacity to understand the nature and effect of the legislation, in which case information can be collected from the individual’s parent/guardian.
- make the individual providing the information aware of:
- the fact that the information is being collected,
- the purposes for its collection,
- the intended recipients,
- whether the supply of the information is required by law or voluntary, and any consequences for not supplying the information,
- the right to access and correct the information, and
- name and address of the agency holding the information.
- take reasonable steps to ensure that the information collected is relevant, not excessive, accurate, up to date and complete.
Exceptions to the collection principles
The legislation has a number of exceptions that apply to the application of collection principles (2) and (3). Those most relevant to department’s operation are:
- if non-compliance is authorised, contemplated or permitted under another law or Act.
- if the agency is investigating or handling a complaint or other matter that could be referred to or has been referred from an investigative agency such as the Ombudsman or police.
The Department’s Privacy Code of Practice relates only to personal information and not health information. It modifies the collection IPPs to allow the Department to:
- collect a student’s personal information from a student’s parent or carer/guardian,
- collect a student’s personal information from other students or staff where it is necessary to promote and maintain a safe and disciplined learning environment,
- not comply with IPPs (2) and (3) above if compliance would prevent the proper exercise of the department’s complaint handling or investigative functions,
- not comply if compliance would, in the circumstances, prejudice the interests of the individual to whom the information relates.
A sample privacy notice which can be placed on standard forms requesting personal or health information about an individual is attached at Annexure A. You will need to tailor the notice to make it appropriate for the information you are collecting.
Where practicable, the privacy notice should be provided to the individual (or the parent, guardian or caregiver of the student) before or at the time the personal information is collected. If you are collecting personal or health information by telephone, you should offer to read the privacy notice to the individual.
Below is some sample wording for a privacy notice. You will need to fill in the blanks, make reference to your school in place of ‘the department’ and make other necessary amendments to make the notice relevant in your particular situation. The privacy notice should appear on the bottom of forms used for collecting personal or health information. This notice also needs to be included on any electronic personal information data collection system.
The information requested on this form is being collected by the [Department of Education]. [The department] will use the information for the following purposes:
Provision of this information is [required by law] or [voluntary, however, if you do not provide all or any of the information requested it may ………………….].
The department might share the information with ………….[list persons, agencies or organisations] for the purpose of …………………………………
You have the right to access and correct the information you provide. If you wish to do so, please contact the [department/school] at …………….……………. .