These procedures relate to the Our culture policy.

The department is committed to creating open, supportive and inclusive workplaces where everyone feels represented, supported, included, valued, safe and inspired to bring their whole selves to work by protecting student, employee and stakeholder data and ensuring that everyone is aware of:

• what personal information the department collects
• how it is used and disclosed
• how it is securely stored and/or disposed of in accordance with all relevant privacy legislation and obligations.

Employees:

• have a reasonable understanding of how the privacy legislation protects their personal and health information, and how the department meets its obligations
• act with integrity when collecting, using and disclosing information
• use information obtained in the course of their employment for business related purposes only, in ways that benefit students, the department and the wider community
• comply with the Information Protection Principles (IPPs) (refer to Information protection principles for the public) and Health Protection Principles (HPPs) (refer to Health Privacy Principles (HPPs) explained for members of the public) when responsible for the collection, storage, access, alteration, use or disclosure of personal and health information
• comply with the department’s Privacy Code of Practice (PDF 361 KB), which changes how IPPs are applied in some circumstances (for example, for the purposes of child protection or the provision of safe learning environments)
• adhere to NSW Government Information Classification, Labelling and Handling Guidelines (PDF 2 MB)
• maintain confidentiality and report concerns about privacy breaches or unacceptable and improper conduct.

The department:

• lawfully collects personal and health information solely for purposes that are directly relevant to its functions and activities
• takes reasonable steps to ensure that the information collected is relevant, not excessive, accurate, up to date and complete
• complies with Workplace Surveillance Act 2005, Surveillance Devices Act 2007, Crimes Act 1900 (NSW) and Criminal Code Act 1995 (Cth) in addition to relevant privacy legislation
• takes reasonable steps to notify individuals of certain matters when their information is collected
• takes reasonable steps to protect information from loss, unauthorised access, modification, use and disclosure
• does not retain information for longer than necessary and securely disposes of the information in accordance with the State Records Act 1998
• takes reasonable steps to allow an individual to ascertain whether the department holds their personal or health information, including what information it holds and the purpose for which it is used, and provides access to that information
• amends personal or health information it holds about an individual at the individual’s request, and notifies them when the requested amendments is complete
• does not disclose personal or health information about an individual to a third party without that individual’s consent
• implements and monitors processes to address concerns about the collection, storage, access, use or disclosure of personal or health information
• manages complaints in accordance with the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002.

Department business units:

• handle requests for amending personal or health information they hold and control
• take reasonable steps to address concerns about the collection, storage, access, use or disclosure of personal or health information
• address concerns regarding privacy breaches or unacceptable and improper conduct informally and locally where possible.

Shared services HR:

• handles requests for amending personal or health information held in an employee’s personnel file.

Health and safety team:

• handles requests relating to information that is the subject of a workers’ compensation claim.

Professional and ethical standards:

• receive and respond to reports of serious wrongdoing by an employee that relates to breaches of the Information Protection Principles or Health Privacy Principles. They can also conduct an investigation, when appropriate.

Legal services:

• provide advice to employees on complying with relevant legislation when handling privacy matters
• coordinate the department’s response to requests for legal advice on privacy matters
• coordinate and oversee privacy information published on the department’s public website and intranet sites
• liaise with the Information and Privacy Commission NSW and the Office of the Australian Information Commissioner about privacy matters
• liaise with external agencies who manage health records
• conduct investigations and address privacy complaints as part of privacy internal reviews
• represent and/or coordinate the department’s response to privacy internal review appeals
• decide what information can be made publicly available in accordance with the Guidelines for the ‘proactive release’ of information held by the NSW Department of Education (PDF 204 KB) and what information can be released where an application for access to personal information is made
• receive, assess and investigate reported data breaches in accordance with relevant privacy legislation.

Compliance and privacy team:

• keep statistical records about privacy complaints for publication in the department’s Annual Report and for provision, where required, to the Privacy Commissioner.

Personal information is any information or opinion that can be used to identify a person. It could be a person’s name, address, family details, fingerprints or a mix of information that together could identify someone. This information can be recorded in paper files, electronic records, video recordings and photographs.

Health information is a type of personal information that relates to a person’s physical or mental health, or the healthcare they receive. It could be information about a person’s allergies or medication, or details relating to a person’s injury at work or school.

Health information includes:

• information or opinions about someone’s physical or mental health or disability at any time
• a person’s express request for future health services
• information about health services provided (or to be provided) to someone
• other personal information collected for the purpose of providing, or during the provision of, a health service
• personal information gathered in relation to the donation, or planned donation, of body parts, organs or body substances
• genetic information obtained from a health service, which could predict the health of an individual or their relatives
• healthcare identifiers.

Information Protection Principles (IPPs) and Health Privacy Principles (HPPs) support the privacy of individuals by minimising the risk of misuse of personal and health information.

There are 12 IPPs and 15 HPPs, which are similar in many respects and address the collection, storage, access, alteration, use and disclosure of personal and health information. In addition, HPPs cover identifiers, anonymity and linkage to health records.

Refer to the Information and Privacy Commission NSW IPPs and HPPs factsheets located on the following websites:

• Information Protection Principles for the public
• Health Privacy Principles (HPPs) explained for members of the public.

Exemptions

Privacy legislation provides for a number of exemptions to the IPPs and HPPs, for example, where the information is the subject of a subpoena or police warrant.

The department also recognises that in certain circumstances, requirements of the IPPs and HPPs do not apply. For example:

• when non-compliance is lawfully authorised, required, implied or reasonably contemplated under an Act or law
• when investigating or handling a complaint that could be, or has been, referred to or from an investigative agency, such as the Ombudsman’s Office
• when undertaking an investigation under legislation that may result in the agency taking disciplinary, criminal or formal action against a person.

The department’s Privacy Code of Practice (PDF 361 KB) provides further information on the modifications of the IPPs, and where exemptions apply.

The Privacy Commissioner has also published 7 statutory guidelines that provide guidance on applying for exemptions. Refer to Privacy Resources for Agencies.

• Generally, physical information storage systems such as filing cabinets should be locked when unattended.
• Personal information stored on electronic files should be password protected and access limited to those staff whose duties require it.
• Back-ups of electronic files should be made and stored securely.
• Where practicable, personal information in an electronic form should be encrypted before it is stored or shared.

Supporting information

• Managing personal and health information
• Collecting personal and health information
• Collection notice – schools (PDF 142 KB)

Formal requests to make amendments to personal information held by the department should include:

• the name of the requestor and the name of the person whose information is the subject of the request
• proof of identity or authority where the requestor is not the person whose information is the subject of the request
• a statement that the request is made under the PPIPA and/or HRIPA
• a description of the information to be amended and the amendment sought
• reference to records containing the information to be amended, if necessary
• reason/s for the amendment
• evidence to support the amendment.

Individuals who have made a formal request for amendment should receive a written notification of the decision that includes:

• a record of the precise amendments made
• the identity of other recipients who have been notified of the amendments, or an explanation if it was not feasible for this to occur
• information on the availability of an internal review process should the individual be dissatisfied with the handling of their request.

1. Prepare an application

An application for internal review should identify the conduct of the department that the complainant believes amounts to a breach of:

• an Information Protection Principle (IPP)
• a Health Privacy Principle (HPP)
• the Privacy Code of Practice (PDF 361 KB)
• any related privacy codes.

The application must:

• be in writing (including by email)
• be addressed to the department
• specify a return address within Australia for correspondence related to the application
• be lodged with the department within 6 months of the applicant becoming aware of the breach, or not later than 12 months with the department’s agreement.

It is recommended that applications for internal review use the Privacy Internal Review Application Form (DOCX 36 KB). However, this is not mandatory.

2. Refer the application to Legal Services

When an application is received, the receiving officer must refer it to Legal Services, by email (legal.privacy@det.nsw.edu.au), or mail:

Legal Services
NSW Department of Education
Level 5, 105 Phillip Street
PARRAMATTA NSW 2150

Legal Services will allocate a legal officer, who will handle the application with reference to NSW’s guidance (refer to How to handle an Internal Review). The legal officer has 10 days to notify the Privacy Commissioner of the application, and inform the applicant in writing of:

• the department’s decision on whether to conduct the internal review
• the name, position and contact details of the officer/s undertaking the review
• the department’s understanding of whether the conduct breaches an IPP, HPP, the Privacy Code of Practice or any other applicable privacy code
• the applicant’s right to apply for external review by the NSW Civil and Administrative Tribunal
• the department’s commitment to keeping the Privacy Commissioner and applicant informed of the progress and findings of the review.

3. Assess the application

The legal officer will assess the application.

If the complaint does not meet the requirements outlined in Part 4 (sections 1.8 and 1.9) of the Privacy management plan (PDF 643 KB), the officer will inform the applicant in writing of the decision within 10 days of receipt of the application.

If an application meets the requirements identified above, the legal officer will undertake a review.

4. Review the complaint

The legal officer will:

• assist the complainant to clearly describe their issue and give the department any and all important documents and evidence about the alleged breach and any harm caused
• interview relevant staff, examine records and obtain any other pertinent information on the circumstances of the alleged breach
• prepare a report setting out the steps taken in the investigation, the conclusions reached and any recommendations for action to be taken to resolve the complaint (the fact-finding report)
• refer the fact-finding report to the Privacy Commissioner for consultation
• refer the fact-finding report to the determining officer for consideration when making the determination
• contact the applicant during the internal review for any further required information and provide an estimated timeframe for completion of the internal review.

5. After the review

Once the review has been completed, the legal officer will write to the applicant and Privacy Commissioner within 14 days of the completion of the review, informing them:

• the review has been completed
• the findings of the review and reasons for the findings as well as an explanation of the law behind those findings
• the action proposed to be taken by the department and the reasons for that action
• the applicant’s right to have the subject of the complaint reviewed by the NSW Civil and Administrative Tribunal.

The determining officer will:

• consider the fact-finding report and any submissions from the Privacy Commissioner.

Following the completion of an internal review, the department may:

• take no further action on the matter
• inform the applicant of the corrective action plan in place to ensure the incident does not occur again
• make a formal apology to the applicant
• take such remedial action as it thinks appropriate (such as the payment of monetary compensation to the applicant)
• provide undertakings that the conduct will not occur again
• implement administrative measures to ensure that the conduct will not occur again (for example, staff training).

NSW Department of Education

• Privacy Management Plan for NSW Department of Education (PDF 643 KB)
• Informal release checklist for business units – GIPA Act (PDF 159 KB)
• Informal Release of Government information under GIPA Act Summary for business areas (PDF 281 KB)
• How does the GIPA Act affect the department’s business areas (PDF 143 KB)
• Your review rights under the Government Information (Public Access) Act 2009 (PDF 296 KB)
• Application for access (PDF 172 KB)
• Guidelines for the ‘proactive release’ of information held by the NSW Department of Education (PDF 204 KB)
• Collection notice – schools (PDF 142 KB)
• Privacy Internal Review Application Form (DOCX 36 KB)
• Community complaint procedures
• Staff complaint procedures (staff only)
• Code of conduct procedures
• Managing personal and health information
• Collecting personal and health information
• Storage of and access to personal information
• Use and disclosure of personal information
• Privacy Code of Practice (PDF 361 KB)
• Alteration of Personal and Health Information (PDF 238 KB)

Information and Privacy Commission

• Information Protection Principles for the public
• Health Privacy Principles (HPPs) explained for members of the public
• Privacy Code of Practice for the exchange of information by participating agencies in the Youth on Track scheme (PDF 238 KB)
• Checklist – Privacy internal review for agencies
• Privacy Complaint: Internal Review Application Form (PDF 172 KB)
• Form: Privacy Complaint (Health Information)

• Privacy and Personal Information Protection Act 1998
• Health Records and Information Privacy Act 2002
• Government Information (Public Access) Act 2009
• Crimes Act 1900
• Public Interest Disclosures Act 2022
• Privacy Code of Practice (General) 2003

Sarah Hargans, General Counsel
Legal Services, People Group
sarah.hargans@det.nsw.edu.au
0438 364 791

The Privacy Officer
Legal Services – Privacy
02 7814 3896