Privacy standards
Directions and guidance on how individuals can access and request amendments to their personal information. Outlines obligations regarding managing personal and health information in accordance with the Privacy and Personal Information Protection Act 1998 (PPIPA) and the Health Records and Information Privacy Act 2002 (HRIPA).
Audience
All staff, contractors, visitors to the department’s schools and workplaces, students, their parents and people applying for employment.
Version | Date | Description of changes | Approved by |
---|---|---|---|
V01.0.0 | 05/09/2024 | Under the 2023 Policy and procedure review program, new policy document consolidating existing instructions and improving clarity and readability. | Chief People Officer |
Ongoing union consultation is occurring and amendments may be made from time to time. |
About the policy
These procedures relate to the Our culture policy.
The department is committed to creating open, supportive and inclusive workplaces where everyone feels represented, supported, included, valued, safe and inspired to bring their whole selves to work by protecting student, employee and stakeholder data and ensuring that everyone is aware of:
- what personal information the department collects
- how it is used and disclosed
- how it is securely stored and/or disposed of in accordance with all relevant privacy legislation and obligations.
Term | Definition |
---|---|
Conduct | An action, decision, or inaction by an employee in relation to the collection, storage, access, use or disclosure of personal or health information. |
Data breach | In the context of the Privacy and Personal Information Protection Act 1998 (PPIPA) and the Health Records and Information Privacy Act 2002 (HRIPA), it is either unauthorised access to, or unauthorised disclosure of, personal information; or the loss of personal information in circumstances where unauthorised access to, or disclosure of, the personal information is likely to occur. |
Genetic information | Information about a person’s gender, race, height, weight and other features that are related, in whole or in part, to that person’s genetic inheritance. |
Health information | Personal information about the physical or mental health or disability of an individual or the provision of health services to an individual. |
Healthcare identifier | A number assigned to identify: |
Informal request | A request for: Additionally, any other reasonable requests that do not involve public interest disclosures. |
Information protection principles (IPPs) and health privacy principles (HPPs) | Public sector agencies must comply with these principles when handling personal and health information. They are intended to minimise the risk of misuse of personal and health information and to support the privacy of individuals. In addition, HPPs cover identifiers, anonymity and linkage of health records. |
Personal information | Information or an opinion about an individual whose identity is apparent or can reasonably be ascertained. |
Privacy legislation | A law that imposes an obligation on the department and its employees when handling personal and health information. |
Record | Any document or other source of information compiled, recorded, or stored in written form, by an electronic process, or by any other manner or means. |
Employees:
- have a reasonable understanding of how the privacy legislation protects their personal and health information, and how the department meets its obligations
- act with integrity when collecting, using and disclosing information
- use information obtained in the course of their employment for business related purposes only, in ways that benefit students, the department and the wider community
- comply with the Information Protection Principles (IPPs) (refer to Information protection principles for the public) and Health Privacy Principles (HPPs) (refer to Health Privacy Principles (HPPs) explained for members of the public) when responsible for the collection, storage, access, alteration, use or disclosure of personal and health information
- comply with the department’s Privacy Code of Practice (PDF 361 KB), which changes how IPPs are applied in some circumstances (for example, for the purposes of child protection or the provision of safe learning environments)
- adhere to NSW Government Information Classification, Labelling and Handling Guidelines (PDF 2 MB)
- maintain confidentiality and report concerns about privacy breaches or unacceptable and improper conduct.
The department:
- lawfully collects personal and health information solely for purposes that are directly relevant to its functions and activities
- takes reasonable steps to ensure that the information collected is relevant, not excessive, accurate, up to date and complete
- complies with the Workplace Surveillance Act 2005, the Surveillance Devices Act 2007, the Crimes Act 1900 (NSW) and the Criminal Code Act 1995 (Cth), in addition to relevant privacy legislation
- takes reasonable steps to notify individuals of certain matters when their information is collected
- takes reasonable steps to protect information from loss, unauthorised access, modification, use and disclosure
- does not retain information for longer than necessary and securely disposes of the information in accordance with the State Records Act 1998
- takes reasonable steps to allow an individual to ascertain whether the department holds their personal or health information, including what information it holds and the purpose for which it is used, and provides access to that information
- amends personal or health information it holds about an individual at the individual’s request, and notifies them when the requested amendments are complete
- does not disclose personal or health information about an individual to a third party without that individual’s consent
- implements and monitors processes to address concerns about the collection, storage, access, use or disclosure of personal or health information
- manages complaints in accordance with the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002.
Department business units:
- handle requests for amending personal or health information they hold and control
- take reasonable steps to address concerns about the collection, storage, access, use or disclosure of personal or health information
- address concerns regarding privacy breaches or unacceptable and improper conduct informally and locally where possible.
Shared services HR:
- handles requests for amending personal or health information held in an employee’s personnel file.
Health and safety team:
- handles requests relating to information that is the subject of a workers’ compensation claim.
Professional and ethical standards:
- receive and respond to reports of serious wrongdoing by an employee that relates to breaches of the Information Protection Principles or Health Privacy Principles. They can also conduct an investigation, when appropriate.
Legal services:
- provide advice to employees on complying with relevant legislation when handling privacy matters
- coordinate the department’s response to requests for legal advice on privacy matters
- coordinate and oversee privacy information published on the department’s public website and intranet sites
- liaise with the Information and Privacy Commission NSW and the Office of the Australian Information Commissioner about privacy matters
- liaise with external agencies that manage health records
- conduct investigations and address privacy complaints as part of privacy internal reviews
- represent and/or coordinate the department’s response to privacy internal review appeals
- decide what information can be made publicly available in accordance with the Guidelines for the ‘proactive release’ of information held by the NSW Department of Education (PDF 204 KB) and what information can be released where an application for access to personal information is made
- receive, assess and investigate reported data breaches in accordance with relevant privacy legislation.
Compliance and privacy team:
- keep statistical records about privacy complaints for publication in the department’s Annual Report and for provision, where required, to the Privacy Commissioner.
Standards
The department collects a significant volume of personal information, including health information, while administering and providing education, training and community services. It takes reasonable steps to maintain confidentiality and comply with privacy legislation.
When handling personal and health information, the department complies with information protection and health privacy principles to minimise the risk of misuse and support individual privacy.
Personal information is any information or opinion that can be used to identify a person. It could be a person’s name, address, family details, fingerprints or a mix of information that together could identify someone. This information can be recorded in paper files, electronic records, video recordings and photographs.
Health information is a type of personal information that relates to a person’s physical or mental health, or the healthcare they receive. It could be information about a person’s allergies or medication, or details relating to a person’s injury at work or school.
Health information includes:
- information or opinions about someone’s physical or mental health or disability at any time
- a person’s express request for future health services
- information about health services provided (or to be provided) to someone
- other personal information collected for the purpose of providing, or during the provision of, a health service
- personal information gathered in relation to the donation, or planned donation, of body parts, organs or body substances
- genetic information obtained from a health service, which could predict the health of an individual or their relatives
- healthcare identifiers.
Information Protection Principles (IPPs) and Health Privacy Principles (HPPs) support the privacy of individuals by minimising the risk of misuse of personal and health information.
There are 12 IPPs and 15 HPPs, which are similar in many respects and address the collection, storage, access, alteration, use and disclosure of personal and health information. In addition, HPPs cover identifiers, anonymity and linkage to health records.
Refer to the Information and Privacy Commission NSW IPPs and HPPs factsheets located on the following websites:
- Information Protection Principles for the public
- Health Privacy Principles (HPPs) explained for members of the public.
Exemptions
Privacy legislation provides for a number of exemptions to the IPPs and HPPs, for example, where the information is the subject of a subpoena or police warrant.
The department also recognises that in certain circumstances, requirements of the IPPs and HPPs do not apply. For example:
- when non-compliance is lawfully authorised, required, implied or reasonably contemplated under an Act or law
- when investigating or handling a complaint that could be, or has been, referred to or from an investigative agency, such as the Ombudsman’s Office
- when undertaking an investigation under legislation that may result in the agency taking disciplinary, criminal or formal action against a person.
The department’s Privacy Code of Practice (PDF 361 KB) provides further information on the modifications of the IPPs, and where exemptions apply.
The Privacy Commissioner has also published 7 statutory guidelines that provide guidance on applying for exemptions. Refer to Privacy Resources for Agencies.
1. Collect and store information
The department takes steps to ensure that the people whose information it collects understand:
- why the information is required
- who will see it
- how they can access and amend it.
The department usually does this by issuing a collection notice when it collects the information.
- Generally, physical information storage systems such as filing cabinets should be locked when unattended.
- Personal information stored on electronic files should be password protected and access limited to those staff whose duties require it.
- Back-ups of electronic files should be made and stored securely.
- Where practicable, personal information in an electronic form should be encrypted before it is stored or shared.
2. Respond to access requests
When responding to a request for access to personal information, it is important to identify the purpose of the access, with procedures established to authorise access according to the:
- nature of the information
- type of storage
- appropriate level of security.
Individuals may request access to their personal information by either:
- applying to the department’s Right to Access unit
- completing an Application for Access (PDF 105 KB) personal information form.
2.1 Informal release of information
The department encourages the informal release of information where it is appropriate and manageable and follows the Government Information (Public Access) Act 2009 (GIPA).
Department staff with the appropriate delegation can use the Informal release checklist for business units – GIPA Act (PDF 159 KB) to assess whether a request for release of government information is suitable.
The Informal release of government information under GIPA Act – Summary for business areas (PDF 281 KB) may also assist in dealing with a request for informal release.
For information on the various methods of information release under the GIPA, and how they impact schools and other corporate business areas, refer to the fact sheet, How does the GIPA Act affect the department’s business areas (PDF 143 KB).
3. Request an amendment
Individuals have the right to determine whether the department can hold, access and modify their personal information, except where the information is subject to workers compensation claims or injury management.
Individuals may request to amend their personal information held by the department.
If the department is not prepared to make an amendment, individuals may request that a statement reflecting their requested changes be attached to the information.
If an individual lacks the capacity to understand the nature and effect of the privacy legislation or is unable to communicate their intentions, a request may be made on the individual’s behalf by:
- an authorised representative
- a parent
- a carer
- a legal guardian or a person legally authorised to represent the best interests of the individual.
The Change of personal information procedures outline how employees can amend their personal and health information held by the department.
For information that is not accessible online, employees can make an informal request for amendments directly to the business unit responsible for holding the information.
If an informal request is denied, employees can make a formal request in writing by using the department’s Application for Amendment (PDF 107 KB) form or the Application for amendment form in Annexure 2 of the Privacy Management Plan for NSW Department of Education (PDF 643 KB).
Supporting information
Formal requests to make amendments to personal information held by the department should include:
- the name of the requestor and the name of the person whose information is the subject of the request
- proof of identity or authority where the requestor is not the person whose information is the subject of the request
- a statement that the request is made under the PPIPA and/or HRIPA
- a description of the information to be amended and the amendment sought
- reference to records containing the information to be amended, if necessary
- reason/s for the amendment
- evidence to support the amendment.
Individuals who have made a formal request for amendment should receive a written notification of the decision that includes:
- a record of the precise amendments made
- the identity of other recipients who have been notified of the amendments, or an explanation if it was not feasible for this to occur
- information on the availability of an internal review process should the individual be dissatisfied with the handling of their request.
4. Navigate privacy breaches
A data breach is a particular kind of privacy breach where:
- there is unauthorised access to, or unauthorised disclosure of, personal information
- personal information is lost in circumstances where unauthorised access to, or disclosure of, the personal information is likely to occur.
All staff must report all suspected data breaches (as mandated under privacy legislation).
Staff:
- can report using the Data Breach Incident Notification Form (PDF 243 KB)
- must follow the Data breach response plan (staff only) and take action to contain and mitigate harm from the breach as a priority.
Once reported, Legal Services will assess the breach and determine whether mandatory notification of impacted individuals and the NSW Privacy Commissioner is required.
People impacted by a data breach can make a privacy complaint or request a review through the privacy reviews and complaints processes.
Supporting information
- Data breach response plan (staff only)
- Reporting and managing data breaches (staff only)
- Data Breach Incident Notification Form (PDF 243 KB).
5. Privacy review and complaints processes
A person can raise an issue or concern about the department’s collection, storage, access, use or disclosure of their personal or health information or about a data breach that has impacted them by making:
- an application for an internal review regarding the handling of personal information (section 5.1 below)
- an application to the NSW Civil and Administrative Tribunal for an external review of a privacy internal review (section 5.2)
- a complaint to the Privacy Commissioner (section 5.3)
- a complaint to the department (section 5.4)
- allegations of misconduct to Professional and Ethical Standards (section 5.5).
5.1 Internal reviews of privacy breaches
A person can request an internal review of the department’s handling of personal or health information that is subject to:
- Information Protection Principles (IPPs)
- Health Privacy Principles (HPPs)
- Privacy Code of Practice (PDF 361 KB)
- any related privacy codes.
The department will undertake an internal review in accordance with Part 5 of the Privacy and Personal Information Protection Act 1998 (PPIPA).
Refer to Your review rights under the Government Information (Public Access) Act 2009 (PDF 297 KB) for more information.
A person may seek an internal review in relation to a breach of their own privacy or the privacy of a child within their care. Where a person lacks the capacity to understand the effect of the PPIPA or HRIPA, or is unable to clearly communicate their intention regarding the complaint, an authorised individual may act on their behalf.
1. Prepare an application
An application for internal review should identify the conduct of the department that the complainant believes amounts to a breach of:
- an Information Protection Principle (IPP)
- a Health Privacy Principle (HPP)
- the Privacy Code of Practice (PDF 361 KB)
- any related privacy codes.
The application must:
- be in writing (including by email)
- be addressed to the department
- specify a return address within Australia for correspondence related to the application
- be lodged with the department within 6 months of the applicant becoming aware of the breach, or not later than 12 months with the department’s agreement.
It is recommended that applications for internal review use the Privacy Internal Review Application Form (DOCX 36 KB). However, this is not mandatory.
2. Refer the application to Legal Services
When an application is received, the receiving officer must refer it to Legal Services, by email (legal.privacy@det.nsw.edu.au), or mail:
Legal Services
NSW Department of Education
Level 5, 105 Phillip Street
PARRAMATTA NSW 2150
Legal Services will allocate a legal officer, who will handle the application with reference to NSW’s guidance (refer to How to handle an Internal Review). The legal officer has 10 days to notify the Privacy Commissioner of the application, and inform the applicant in writing of:
- the department’s decision on whether to conduct the internal review
- the name, position and contact details of the officer/s undertaking the review
- the department’s understanding of whether the conduct breaches an IPP, HPP, the Privacy Code of Practice or any other applicable privacy code
- the applicant’s right to apply for external review by the NSW Civil and Administrative Tribunal
- the department’s commitment to keeping the Privacy Commissioner and applicant informed of the progress and findings of the review.
3. Assess the application
The legal officer will assess the application.
If the complaint does not meet the requirements outlined in Part 4 (sections 1.8 and 1.9) of the Privacy management plan (PDF 643 KB), the officer will inform the applicant in writing of the decision within 10 days of receipt of the application.
If an application meets the requirements identified above, the legal officer will undertake a review.
4. Review the complaint
The legal officer will:
- assist the complainant to clearly describe their issue and give the department any and all important documents and evidence about the alleged breach and any harm caused
- interview relevant staff, examine records and obtain any other pertinent information on the circumstances of the alleged breach
- prepare a report setting out the steps taken in the investigation, the conclusions reached and any recommendations for action to be taken to resolve the complaint (the fact-finding report)
- refer the fact-finding report to the Privacy Commissioner for consultation
- refer the fact-finding report to the determining officer for consideration when making the determination
- contact the applicant during the internal review for any further required information and provide an estimated timeframe for completion of the internal review.
5. After the review
Once the review has been completed, the legal officer will write to the applicant and Privacy Commissioner within 14 days of the completion of the review, informing them of:
- the completion of the review
- the findings of the review and reasons for the findings as well as an explanation of the law behind those findings
- the action proposed to be taken by the department and the reasons for that action
- the applicant’s right to have the subject of the complaint reviewed by the NSW Civil and Administrative Tribunal.
The determining officer will:
- consider the fact-finding report and any submissions from the Privacy Commissioner.
Following the completion of an internal review, the department may:
- take no further action on the matter
- inform the applicant of the corrective action plan in place to ensure the incident does not occur again
- make a formal apology to the applicant
- take such remedial action as it thinks appropriate (such as the payment of monetary compensation to the applicant)
- provide undertakings that the conduct will not occur again
- implement administrative measures to ensure that the conduct will not occur again (for example, staff training).
5.2 External reviews of a privacy internal review
If an internal review is not finalised within 60 days, or the applicant is unsatisfied with the review’s findings or the action taken to address the concerns, they have 28 days to seek an external review by applying directly to the NSW Civil and Administrative Tribunal (the tribunal).
On reviewing the conduct, the tribunal may decide not to take any action or to make orders requiring the department to:
- refrain from any conduct or action that breaches an IPP or HPP, the public register rules of the PPIPA, the department’s Code of Practice or any other relevant privacy code
- act in accordance with an IPP or HPP, the public register rules of the PPIPA, the department’s Code of Practice or any other relevant privacy code
- correct particular information disclosed by the department
- take specified steps to remedy loss or damage suffered by the applicant
- refrain from disclosing information in a public register
- in certain circumstances, pay compensation to the applicant of up to $40,000 where the applicant has suffered financial loss or psychological or physical harm because of the conduct.
The tribunal may make any other ancillary orders it deems necessary or appropriate.
5.3 External complaints to the Privacy Commissioner
A person may make a complaint to the Privacy Commissioner about the alleged violation of, or interference with, the privacy of an individual, including:
- the contravention of an IPP or Privacy Code of Practice by the department
- the disclosure of personal information kept in a public register.
The Privacy Commissioner will decide what action to take, including whether to refer the complaint to the department.
Refer to Information and Privacy Commission NSW.
5.4 Department complaints procedures
Concerns about the collection, storage, access, use or disclosure of personal or health information – other than those managed through the internal review, external review (sections 5.1, 5.2, 5.3) or misconduct investigation processes (section 5.5) – are managed through the department’s complaint handling procedures.
Refer to:
- Community complaint procedures for guidance on managing complaints by parents, carers, students and community members
- Staff complaint procedures (staff only) for guidance on managing complaints by employees.
5.5 Misconduct investigation
Breaches of privacy by an employee that are deliberate and more than trivial may amount to misconduct.
The department’s Code of Conduct requires employees to report allegations of misconduct to Professional and Ethical Standards (PES). It may be appropriate for business areas in the department to make a report on behalf of an individual, including following an application for internal review.
Individuals can also make a report directly to PES at pes@det.nsw.edu.au or on 7814 3722.
The Public Interest Disclosures Act 2022 (the PID Act) defines a more than trivial breach of the PPIPA or HRIPA as serious wrongdoing. Employees who make reports may be entitled to protections under the PID Act if their report meets certain requirements. The features of a public interest disclosure are detailed further in the department’s Public interest disclosures procedures.
Under the PID Act, all employees have a responsibility to assist an investigation into a privacy breach, if requested.
For additional information on conduct that may require a referral to PES, refer to:
Supporting tools, resources and related information
NSW Department of Education
- Privacy Management Plan for NSW Department of Education (PDF 643 KB)
- Informal release checklist for business units – GIPA Act (PDF 159 KB)
- Informal Release of Government information under GIPA Act Summary for business areas (PDF 281 KB)
- How does the GIPA Act affect the department’s business areas (PDF 143 KB)
- Your review rights under the Government Information (Public Access) Act 2009 (PDF 296 KB)
- Application for access (PDF 172 KB)
- Guidelines for the ‘proactive release’ of information held by the NSW Department of Education (PDF 204 KB)
- Collection notice – schools (PDF 142 KB)
- Privacy Internal Review Application Form (DOCX 36 KB)
- Community complaint procedures
- Staff complaint procedures (staff only)
- Code of conduct procedures
- Managing personal and health information
- Collecting personal and health information
- Storage of and access to personal information
- Use and disclosure of personal information
- Privacy Code of Practice (PDF 361 KB)
- Alteration of Personal and Health Information (PDF 238 KB)
Information and Privacy Commission
- Information Protection Principles for the public
- Health Privacy Principles (HPPs) explained for members of the public
- Privacy Code of Practice for the exchange of information by participating agencies in the Youth on Track scheme (PDF 238 KB)
- Checklist – Privacy internal review for agencies
- Privacy Complaint: Internal Review Application Form (PDF 172 KB)
- Form: Privacy Complaint (Health Information)
Policy contact
Sarah Hargans, General Counsel
Legal Services, People Group
sarah.hargans@det.nsw.edu.au
0438 364 791
The Privacy Officer
Legal Services – Privacy
02 7814 3896
A Senior Legal Officer, Legal Services, monitors the implementation of these standards, regularly reviews their contents to ensure relevance and accuracy, and updates them as needed.