New South Wales: Privacy and Personal Information Protection Act 1998 (NSW)

An Act to provide for the protection of personal information, and for the protection of the privacy of individuals generally; to provide for the appointment of a Privacy Commissioner; to repeal the Privacy Committee Act 1975; and for other purposes.

Privacy and Personal Information Protection Act 1998 No 133

Part 1 Preliminary

1 Name of Act
This Act is the Privacy and Personal Information Protection Act 1998.

2 Commencement
This Act commences on a day or days to be appointed by proclamation.

3 Definitions
(1) In this Act—
affected individual, for Part 6A—see section 59D(2).
approved form, for Part 6A—see section 59A.
assessment, for Part 6A—see section 59E(2)(b).
assessor, for Part 6A—see section 59G(1).
Commonwealth agency means an entity referred to in paragraph (a)–(h) of the definition of agency in the Privacy Act 1988 of the Commonwealth.
convicted inmate has the same meaning as it has in the Crimes (Administration of Sentences) Act 1999.
eligible data breach, for Part 6A—see section 59D(1).
exercise a function includes perform a duty.
function includes a power, authority or duty.
head, for Part 6A—see section 59A.
health privacy code of practice, for Part 6A—see section 59A.
Health Privacy Principle, for Part 6A—see section 59A.
held, in relation to personal information—
  (a) for Part 6A—see section 59C, or
  (b) otherwise—see section 4(4).
Information Commissioner means the Information Commissioner under the Government Information (Information Commissioner) Act 2009.
information protection principle or principle means a provision set out in Division 1 of Part 2.
investigative agency means—
  (a) any of the following—
    (i) the Ombudsman's Office,
    (ii) the Independent Commission Against Corruption,
    (iii) the Inspector of the Independent Commission Against Corruption,
    (iv) the Law Enforcement Conduct Commission,
    (v) the Inspector of the Law Enforcement Conduct Commission and any staff of the Inspector,
    (vi) the Health Care Complaints Commission,
    (vii) the Office of the Legal Services Commissioner,
    (viia) the Ageing and Disability Commissioner,
    (viib) the Children's Guardian,
    (viii) a person or body prescribed by the regulations for the purposes of this definition, or
  (b) any other public sector agency with investigative functions if—
    (i) those functions are exercisable under the authority of an Act or statutory rule (or where that authority is necessarily implied or reasonably contemplated under an Act or statutory rule), and
    (ii) the exercise of those functions may result in the agency taking or instituting disciplinary, criminal or other formal action or proceedings against a person or body under investigation, or
  (c) a public sector agency conducting an investigation for or on behalf of an agency referred to in paragraph (a) or (b).
law enforcement agency means any of the following—
  (a) the NSW Police Force, or the police force of another State or a Territory,
  (b) the New South Wales Crime Commission,
  (c) the Australian Federal Police,
  (d) the Australian Crime Commission,
  (e) the Director of Public Prosecutions of New South Wales, of another State or a Territory, or of the Commonwealth,
  (f) the Department of Justice,
  (f1) the Independent Gaming and Liquor Authority under the Gaming and Liquor Administration Act 2007,
  (g) the NSW Independent Casino Commission under the Casino Control Act 1992,
  (g1) the Office of the Sheriff of New South Wales,
  (h) a person or body prescribed by the regulations for the purposes of this definition.
local government authority means a council, a county council or a joint organisation, within the meaning of the Local Government Act 1993.
mandatory notification of data breach scheme means the scheme under Part 6A for assessing and notifying data breaches.
personal information is defined in section 4.
privacy code of practice or code means a privacy code of practice made under Part 3.
Privacy Commissioner means the Privacy Commissioner appointed under this Act.
public register means a register of personal information that is required by law to be, or is made, publicly available or open to public inspection (whether or not on payment of a fee).
public sector agency means any of the following—
  (a) a Public Service agency or the Teaching Service,
  (a1) the office of a political office holder within the meaning of the Members of Parliament Staff Act 2013, being the office comprising the persons employed by the political office holder under Part 2 of that Act,
  (b) a statutory body representing the Crown,
  (c) (Repealed)
  (d) an auditable entity within the meaning of the Government Sector Audit Act 1983 or any other entity within the meaning of that Act (or entity of a kind) prescribed by the regulations, but excluding an entity (or entity of a kind) prescribed by the regulations,
  (e) the NSW Police Force,
  (e1) (Repealed)
  (f) a local government authority,
  (f1) a State owned corporation that is not subject to the Privacy Act 1988 of the Commonwealth,
  (g) a person or body that—
    (i) provides data services (being services relating to the collection, processing, disclosure or use of personal information or that provide for access to such information) for or on behalf of a body referred to in paragraph (a)–(f1) of this definition, or that receives funding from any such body in connection with providing data services, and
    (ii) is prescribed by the regulations for the purposes of this definition.
Note— Section 4B enables the regulations to declare that a public sector agency is to be regarded as being part of another public sector agency for the purposes of this Act. It also enables the regulations to declare that a part of a public sector agency is to be regarded as being a separate public sector agency from the public sector agency of which it forms part for the purposes of this Act.
public sector official means any of the following—
  (a) a person appointed by the Governor, or a Minister, to a statutory office,
  (b) a judicial officer within the meaning of the Judicial Officers Act 1986,
  (c) a person employed in the Public Service, the Transport Service of New South Wales, the Teaching Service, the NSW Health Service or the NSW Police Force,
  (c1) a person employed by a political office holder under Part 2 of the Members of Parliament Staff Act 2013,
  (c2) a person employed by a member of Parliament under Part 3 of the Members of Parliament Staff Act 2013,
  (d) a local government councillor or a person employed by a local government authority,
  (e) a person who is an officer of the Legislative Council or Legislative Assembly or who is employed by (or who is under the control of) the President of the Legislative Council or the Speaker of the Legislative Assembly, or both,
  (f) a person who is employed or engaged by—
    (i) a public sector agency, or
    (ii) a person referred to in paragraph (a)–(e),
  (g) a person who acts for or on behalf of, or in the place of, or as deputy or delegate of, a public sector agency or person referred to in paragraph (a)–(e).
publicly available publication does not include any publication or document declared by the regulations not to be a publicly available document for the purposes of this Act.
staff of the Inspector of the Independent Commission Against Corruption means—
  (a) any staff employed under section 57E (1) or (2) of the Independent Commission Against Corruption Act 1988, and
  (b) any consultants engaged under section 57E (3) of that Act.
staff of the Inspector of the Law Enforcement Conduct Commission means—
  (a) any staff employed under section 128 (1) of the Law Enforcement Conduct Commission Act 2016, and
  (b) any consultants engaged under section 128 (4) (c) of that Act.
State record has the same meaning as in the State Records Act 1998.
Tribunal means the Civil and Administrative Tribunal.
Note— The Interpretation Act 1987 contains definitions and other provisions that affect the interpretation and application of this Act.
(2) Notes included in this Act are explanatory notes and do not form part of this Act.

4 Definition of "personal information"
(1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
(2) Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics.
(3) Personal information does not include any of the following—
  (a) information about an individual who has been dead for more than 30 years,
  (b) information about an individual that is contained in a publicly available publication,
  (c) information about a witness who is included in a witness protection program under the Witness Protection Act 1995 or who is subject to other witness protection arrangements made under an Act,
  (d) information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 of the Commonwealth,
  (e) information about an individual that is contained in a public interest disclosure within the meaning of the Public Interest Disclosures Act 2022, or that has been collected while dealing with a voluntary public interest disclosure in accordance with that Act, Part 5, Division 2,
  (f) information about an individual arising out of, or in connection with, an authorised operation within the meaning of the Law Enforcement (Controlled Operations) Act 1997,
  (g) information about an individual arising out of a Royal Commission or Special Commission of Inquiry,
  (h) information about an individual arising out of a complaint made under Part 8A of the Police Act 1990,
  (i) information about an individual that is contained in Cabinet information or Executive Council information under the Government Information (Public Access) Act 2009,
  (j) information or an opinion about an individual's suitability for appointment or employment as a public sector official,
  (ja) information about an individual that is obtained about an individual under Chapter 8 (Adoption information) of the Adoption Act 2000,
  (k) information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection.
(4) Personal information is held by a public sector agency if—
  (a) the agency is in possession or control of the information, or
  (b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or
  (c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998.
(5) For the purposes of this Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited.

4A Exclusion of health information from definition of "personal information"
Except as provided by this Act or the Health Records and Information Privacy Act 2002, the definition of personal information in section 4 does not include health information within the meaning of the Health Records and Information Privacy Act 2002.

4B Regulations may declare whether agency is part of or separate from a public sector agency
(1) The regulations may declare that—
  (a) a specified public sector agency is not to be regarded as a separate public sector agency and instead is to be regarded for the purposes of this Act as part of and included in another specified public sector agency in respect of specified functions, or
  (b) a specified office, branch or other part of a public sector agency is for the purposes of this Act to be regarded as being a separate public sector agency to the public sector agency of which it forms part in respect of specified functions that it exercises.
(2) The regulations may make provision for or with respect to the application of this Act (with such modifications, if any, as may be prescribed) for the purposes of a declaration under this section.
(3) The Minister must, before recommending the making of a regulation under this section, consider whether the making of a declaration under this section will permit the sharing of personal information between public sector agencies and, if so, whether the sharing of that information would be appropriate in the circumstances.

5 Government Information (Public Access) Act 2009 not affected
(1) Nothing in this Act affects the operation of the Government Information (Public Access) Act 2009.
(2) In particular, this Act does not operate to lessen any obligations under the Government Information (Public Access) Act 2009 in respect of a public sector agency.

6 Courts, tribunals and Royal Commissions not affected
(1) Nothing in this Act affects the manner in which a court or tribunal, or the manner in which the holder of an office relating to a court or tribunal, exercises the court's, or the tribunal's, judicial functions.
(2) Nothing in this Act affects the manner in which a Royal Commission, or any Special Commission of Inquiry, exercises the Commission's functions.
(3) In this section, judicial functions of a court or tribunal means such of the functions of the court or tribunal as relate to the hearing or determination of proceedings before it, and includes—
  (a) in relation to a Magistrate—such of the functions of the Magistrate as relate to the conduct of committal proceedings, and
  (b) in relation to a coroner—such of the functions of the coroner as relate to the conduct of inquests and inquiries under the Coroners Act 2009.

7 Crown bound by Act
This Act binds the Crown in right of New South Wales and also, in so far as the legislative power of Parliament permits, the Crown in all its other capacities.
Part 2 Information protection principles

Division 1 Principles

8 Collection of personal information for lawful purposes
(1) A public sector agency must not collect personal information unless—
  (a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and
  (b) the collection of the information is reasonably necessary for that purpose.
(2) A public sector agency must not collect personal information by any unlawful means.

9 Collection of personal information directly from individual
A public sector agency must, in collecting personal information, collect the information directly from the individual to whom the information relates unless—
  (a) the individual has authorised collection of the information from someone else, or
  (b) in the case of information relating to a person who is under the age of 16 years—the information has been provided by a parent or guardian of the person.

10 Requirements when collecting personal information
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following—
  (a) the fact that the information is being collected,
  (b) the purposes for which the information is being collected,
  (c) the intended recipients of the information,
  (d) whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided,
  (e) the existence of any right of access to, and correction of, the information,
  (f) the name and address of the agency that is collecting the information and the agency that is to hold the information.

11 Other requirements relating to collection of personal information
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that—
  (a) the information collected is relevant to that purpose, is not excessive, and is accurate, up to date and complete, and
  (b) the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.

12 Retention and security of personal information
A public sector agency that holds personal information must ensure—
  (a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
  (b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
  (c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
  (d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.

13 Information about personal information held by agencies
A public sector agency that holds personal information must take such steps as are, in the circumstances, reasonable to enable any person to ascertain—
  (a) whether the agency holds personal information, and
  (b) whether the agency holds personal information relating to that person, and
  (c) if the agency holds personal information relating to that person—
    (i) the nature of that information, and
    (ii) the main purposes for which the information is used, and
    (iii) that person's entitlement to gain access to the information.

14 Access to personal information held by agencies
A public sector agency that holds personal information must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information.

15 Alteration of personal information
(1) A public sector agency that holds personal information must, at the request of the individual to whom the information relates, make appropriate amendments (whether by way of corrections, deletions or additions) to ensure that the personal information—
  (a) is accurate, and
  (b) having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading.
(2) If a public sector agency is not prepared to amend personal information in accordance with a request by the individual to whom the information relates, the agency must, if so requested by the individual concerned, take such steps as are reasonable to attach to the information, in such a manner as is capable of being read with the information, any statement provided by that individual of the amendment sought.
(3) If personal information is amended in accordance with this section, the individual to whom the information relates is entitled, if it is reasonably practicable, to have recipients of that information notified of the amendments made by the public sector agency.
(4) This section, and any provision of a privacy code of practice that relates to the requirements set out in this section, apply to public sector agencies despite section 25 of this Act and section 21 of the State Records Act 1998.
(5) The Privacy Commissioner's guidelines under section 36 may make provision for or with respect to requests under this section, including the way in which such a request should be made and the time within which such a request should be dealt with.
(6) In this section (and in any other provision of this Act in connection with the operation of this section), public sector agency includes a Minister and a Minister's personal staff.

16 Agency must check accuracy of personal information before use
A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.

17 Limits on use of personal information
A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless—
  (a) the individual to whom the information relates has consented to the use of the information for that other purpose, or
  (b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
  (c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.

18 Limits on disclosure of personal information
(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless—
  (a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
  (b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
  (c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.

19 Special restrictions on disclosure of personal information
(1) A public sector agency must not disclose personal information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities unless the disclosure is necessary to prevent a serious and imminent threat to the life or health of the individual concerned or another person.
(2) A public sector agency that holds personal information about an individual must not disclose the information to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless—
  (a) the public sector agency reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the information protection principles, or
  (b) the individual expressly consents to the disclosure, or
  (c) the disclosure is necessary for the performance of a contract between the individual and the public sector agency, or for the implementation of pre-contractual measures taken in response to the individual's request, or
  (d) the disclosure is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the public sector agency and a third party, or
  (e) all of the following apply—
    (i) the disclosure is for the benefit of the individual,
    (ii) it is impracticable to obtain the consent of the individual to that disclosure,
    (iii) if it were practicable to obtain such consent, the individual would be likely to give it, or
  (f) the disclosure is reasonably believed by the public sector agency to be necessary to lessen or prevent a serious and imminent threat to the life, health or safety of the individual or another person, or
  (g) the public sector agency has taken reasonable steps to ensure that the information that it has disclosed will not be held, used or disclosed by the recipient of the information inconsistently with the information protection principles, or
  (h) the disclosure is permitted or required by an Act (including an Act of the Commonwealth) or any other law.
(3)–(5) (Repealed) Division 2 General provisions relating to principles 20 General application of information protection principles to public sector agencies (1) The information protection principles apply to public sector agencies. (2) The application of the principles to public sector agencies— (a) may be modified by privacy codes of practice, and (b) is otherwise subject to this Act. (3) Sections 8–11 do not apply in respect of personal information collected by a public sector agency before the commencement of this Part. (4) (Repealed) (5) Without limiting the generality of section 5, the provisions of the Government Information (Public Access) Act 2009 that impose conditions or limitations (however expressed) with respect to any matter referred to in section 13, 14 or 15 are not affected by this Act, and those provisions continue to apply in relation to any such matter as if those provisions were part of this Act. 21 Agencies to comply with principles (1) A public sector agency must not do any thing, or engage in any practice, that contravenes an information protection principle applying to the agency. (2) The contravention by a public sector agency of an information protection principle that applies to the agency is conduct to which Part 5 applies. Division 3 Specific exemptions from principles 22 Operation of Division Nothing in this Division authorises a public sector agency to do any thing that it is otherwise prohibited from doing. 23 Exemptions relating to law enforcement and related matters (1) A law enforcement agency is not required to comply with section 9 if compliance by the agency would prejudice the agency's law enforcement functions. (2) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 9 if the information concerned is collected in connection with proceedings (whether or not actually commenced) before any court or tribunal. 
(3) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 10 if the information concerned is collected for law enforcement purposes. However, this subsection does not remove any protection provided by any other law in relation to the rights of accused persons or persons suspected of having committed an offence. (4) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 17 if the use of the information concerned for a purpose other than the purpose for which it was collected is reasonably necessary for law enforcement purposes or for the protection of the public revenue. (5) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 18 if the disclosure of the information concerned— (a) is made in connection with proceedings for an offence or for law enforcement purposes (including the exercising of functions under or in connection with the Confiscation of Proceeds of Crime Act 1989 or the Criminal Assets Recovery Act 1990), or (b) is to a law enforcement agency (or such other person or organisation as may be prescribed by the regulations) for the purposes of ascertaining the whereabouts of an individual who has been reported to a police officer as a missing person, or (c) is authorised or required by subpoena or by search warrant or other statutory instrument, or (d) is reasonably necessary— (i) for the protection of the public revenue, or (ii) in order to investigate an offence where there are reasonable grounds to believe that an offence may have been committed. (6) Nothing in subsection (5) requires a public sector agency to disclose personal information to another person or body if the agency is entitled to refuse to disclose the information in the absence of a subpoena, warrant or other lawful requirement. 
(6A) A public sector agency is not required to comply with the information protection principles with respect to the collection, use or disclosure of personal information if— (a) the agency is providing the information to another public sector agency or the agency is being provided with the information by another public sector agency, and (b) the collection, use or disclosure of the information is reasonably necessary for law enforcement purposes. (7) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 19 if the disclosure of the information concerned is reasonably necessary for the purposes of law enforcement in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed. (8) In this section— (a) a reference to law enforcement purposes includes a reference to law enforcement purposes of another State or a Territory or the Commonwealth, and (b) a reference to an offence includes a reference to an offence against a law of another State or a Territory or the Commonwealth, and (c) a reference to the protection of the public revenue includes a reference to the protection of the public revenue of another State or a Territory or the Commonwealth. 23A Exemptions relating to ASIO (1) A public sector agency is not required to comply with section 13 or 14 if compliance would reveal to the public that ASIO had requested, or been provided with, information about a person. 
(2) A public sector agency is not required to comply with section 18 if— (a) the disclosure of the information concerned has been requested by the Director-General of ASIO for a purpose connected with the exercise of ASIO's functions under the Australian Security Intelligence Organisation Act 1979 of the Commonwealth, and (b) the information is disclosed to an officer or employee of ASIO who is authorised in writing by the Director-General to receive the information, and (c) the authorised officer or employee certifies in writing that the information sought is reasonably necessary for ASIO to exercise its functions under the Australian Security Intelligence Organisation Act 1979 of the Commonwealth. (3) To avoid doubt, this section permits (but does not require) a public sector agency to disclose any information requested by the Director-General of ASIO. (4) The Minister may enter into arrangements with the Director-General of ASIO concerning the provision of reports by the Director-General to the Minister concerning requests for information from public sector agencies made by the Director-General. (5) The regulations may make provision for or with respect to the tabling of such reports (or parts of such reports) in Parliament, including authorising the Minister to omit information in the reports that is confidential. (6) In this section— ASIO means the Australian Security Intelligence Organisation continued in existence by the Australian Security Intelligence Organisation Act 1979 of the Commonwealth. 24 Exemptions relating to investigative agencies (1) An investigative agency is not required to comply with section 9, 10, 13, 14, 15, 18 or 19 (1) if compliance with those sections might detrimentally affect (or prevent the proper exercise of) the agency's complaint handling functions or any of its investigative functions. 
(2) An investigative agency is not required to comply with section 17 if the use of the information concerned for a purpose other than the purpose for which it was collected is reasonably necessary in order to enable the agency to exercise its complaint handling functions or any of its investigative functions. (3) An investigative agency is not required to comply with section 18 or 19 (1) if the information concerned is disclosed to another investigative agency. (4) A public sector agency (whether or not an investigative agency) is not required to comply with section 18 or 19 (1) if non-compliance is reasonably necessary to assist another public sector agency that is an investigative agency in exercising its investigative functions. (5) An investigative agency is not required to comply with section 18 if— (a) the information concerned is disclosed to a complainant, and (b) the disclosure is reasonably necessary for the purpose of— (i) reporting the progress of an investigation into the complaint made by the complainant, or (ii) providing the complainant with advice as to the outcome of the complaint or any action taken as a result of the complaint. (6) The exemptions provided by subsections (1)–(5) extend to— (a) any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency, and (b) the Office of Local Government, or any person employed in that Office, who is investigating or otherwise handling (formally or informally) a complaint or other matter even though it is or may be the subject of a right of appeal conferred by or under an Act. (7) The Ombudsman's Office is not required to comply with section 9 or 10. (8) An investigative agency is not required to comply with section 12 (a). 
25 Exemptions where non-compliance is lawfully authorised or required
A public sector agency is not required to comply with section 9, 10, 13, 14, 15, 17, 18 or 19 if—
  (a) the agency is lawfully authorised or required not to comply with the principle concerned, or
  (b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).

26 Other exemptions where non-compliance would benefit the individual concerned
(1) A public sector agency is not required to comply with section 9 or 10 if compliance by the agency would, in the circumstances, prejudice the interests of the individual to whom the information relates.
(2) A public sector agency is not required to comply with section 10, 18 or 19 if the individual to whom the information relates has expressly consented to the agency not complying with the principle concerned.

27 Specific exemptions for certain law enforcement agencies
(1) Despite any other provision of this Act, the following are not required to comply with the information privacy principles—
  (a) the Independent Commission Against Corruption,
  (b) the Inspector of the Independent Commission Against Corruption and the staff of the Inspector,
  (c) the Independent Gaming and Liquor Authority under the Gaming and Liquor Administration Act 2007,
  (d) the Law Enforcement Conduct Commission,
  (e) the Inspector of the Law Enforcement Conduct Commission and the staff of the Inspector,
  (f) the New South Wales Crime Commission,
  (g) the NSW Independent Casino Commission,
  (h) the NSW Police Force.
(2) However, the information protection principles do apply to a public sector agency mentioned in subsection (1) in connection with the exercise of the agency's administrative and educative functions.
27A Exemptions relating to information exchanges between public sector agencies
A public sector agency is not required to comply with the information protection principles with respect to the collection, use or disclosure of personal information if—
  (a) the agency is providing the information to another public sector agency or the agency is being provided with the information by another public sector agency, and
  (b) the collection, use or disclosure of the information is reasonably necessary—
    (i) to allow any of the agencies concerned to deal with, or respond to, correspondence from a Minister or member of Parliament, or
    (ii) to enable inquiries to be referred between the agencies concerned, or
    (iii) to enable the auditing of the accounts or performance of a public sector agency or group of public sector agencies (or a program administered by an agency or group of agencies).

27B Exemptions relating to research
A public sector agency is not required to comply with the information protection principles with respect to the collection, use or disclosure of personal information if—
  (a) the collection, use or disclosure of the information is reasonably necessary for the purpose of research, or the compilation or analysis of statistics, in the public interest, and
  (b) in the case where the agency would otherwise contravene section 9 in respect of the collection of the information—it is unreasonable or impracticable for the information to be collected directly from the individual to whom the information relates, and
  (c) in the case of the use or disclosure of the information—either—
    (i) the purpose referred to in paragraph (a) cannot be served by the use or disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the agency to seek the consent of the individual for the use or disclosure, or
    (ii) reasonable steps are taken to de-identify the information, and
  (d) in the case where the use or disclosure of the information could reasonably be expected to identify individuals—the information is not published in a publicly available publication, and
  (e) the collection, use or disclosure of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph.

27C Exemptions relating to credit information
(1) A courts agency is not required to comply with section 17 or 18 if—
  (a) compliance would prevent the courts agency from disclosing to a credit reporting body that an individual is a default judgment debtor and the amount of the debt, and
  (b) the courts agency is satisfied that the credit reporting body has given an enforceable undertaking not to retain the information disclosed to it after the expiry of the applicable retention period.
(2) The applicable retention period for the purposes of subsection (1) (b) is—
  (a) if the debt of the default judgment debtor is satisfied—the period of 2 years commencing on the date that the debt was satisfied, or
  (b) if the debt of the default judgment debtor remains unsatisfied—the period of 5 years commencing on the date the judgment was given,
whichever is the earlier.
(3) In this section—
courts agency means—
  (a) the Department of Justice (including any Public Service executive agency that is related to the Department for the purposes of the Government Sector Employment Act 2013), and
  (b) any court or tribunal referred to in Schedule 1 to the Civil Procedure Act 2005.
credit reporting body has the same meaning as in the Privacy Act 1988 of the Commonwealth.
default judgment debtor means an individual against whom a default judgment has been given by a court or tribunal under the uniform rules within the meaning of the Civil Procedure Act 2005.
27D Exemptions relating to emergency situations
(1) A public sector agency is not required to comply with the information protection principles in relation to the collection, use or disclosure of personal information if—
  (a) the collection, use or disclosure of the information is reasonably necessary to assist in a stage of an emergency, and
  (b) the collection, use or disclosure is only for the purpose of assisting in the stage of the emergency, and
  (c) it is impracticable or unreasonable to seek the consent of the individual to whom the information relates to the collection, use or disclosure for the purpose of assisting in the stage of the emergency.
(2) In this section—
emergency has the same meaning as in the State Emergency and Rescue Management Act 1989.
stage, of an emergency, means a stage in relation to an emergency mentioned in the State Emergency and Rescue Management Act 1989, section 5.
(3) If personal information is collected, used or disclosed under this section—
  (a) the public sector agency must not hold the information for longer than 18 months, unless extenuating circumstances apply or consent has been obtained, and
  (b) if the public sector agency is a law enforcement agency—the agency must not use the information for the purpose of prosecuting an offence.

28 Other exemptions
(1) The Ombudsman's Office, Children's Guardian, Health Care Complaints Commission, Anti-Discrimination Board, Ageing and Disability Commissioner and Guardianship Board are not required to comply with section 19.
(2) The information protection principles do not apply in respect of personal information collected or held by Multicultural NSW if—
  (a) the information is collected or held by Multicultural NSW for the purpose only of translating the information, and
  (b) all documents held by Multicultural NSW in which the information is contained are destroyed or returned to the person who submitted the information for translation when Multicultural NSW is satisfied that the documents are no longer required for the provision of the translation service, and
  (c) in a case where it is necessary for the information to be given to another person in connection with the provision of the translation service, everything reasonably within the power of Multicultural NSW is done to prevent unauthorised disclosure of the information by that other person.
(3) Nothing in section 17, 18 or 19 prevents or restricts the disclosure of information—
  (a) by a public sector agency to another public sector agency under the administration of the same Minister if the disclosure is for the purposes of informing that Minister about any matter within that administration, or
  (b) by a public sector agency to any public sector agency under the administration of the Premier if the disclosure is for the purposes of informing the Premier about any matter.

Part 3 Privacy codes of practice and management plans

Division 1 Privacy codes of practice

29 Operation of privacy codes of practice
(1) Privacy codes of practice may be made for the purpose of protecting the privacy of individuals.
(2) A privacy code of practice may regulate the collection, use and disclosure of, and the procedures for dealing with, personal information held by public sector agencies.
(3) In particular, a privacy code of practice may provide for the protection of personal information contained in a record that is more than 30 years old, and any such provision has effect despite the provisions of any other Act that deals with the disclosure of, or access to, personal information of that kind. Any such code must, to the extent that it relates to personal information contained in a State record that is more than 30 years old, be consistent with any relevant guidelines issued under section 52 of the State Records Act 1998.
(4) A privacy code of practice may also provide for the disclosure of personal information to persons or bodies outside New South Wales.
(5) A privacy code of practice can apply to any one or more of the following—
  (a) any specified class of personal information,
  (b) any specified public sector agency or class of public sector agency,
  (c) any specified activity or specified class of activity.
(6) Except in the case of a privacy code of practice that is referred to in subsection (3), a code cannot affect the operation of any exemption provided under Division 3 of Part 2.
(7) A code—
  (a) must provide standards of privacy protection that operate to protect public sector agencies from any restrictions in relation to the importation of personal information into New South Wales, and
  (b) must not impose on any public sector agency any requirements that are more stringent (or of a higher standard) than the information protection principles.

30 Modification of information protection principles
(1) A privacy code of practice may modify the application to any public sector agency of any one or more of the information protection principles or the application to any public sector agency of the provisions of Part 6.
(2) A code may—
  (a) specify requirements that are different from the requirements set out in the principles, or exempt any activity or conduct of or by the public sector agency from compliance with any such principle, and
  (b) specify the manner in which any one or more of the information protection principles are to be applied to, or are to be followed by, the public sector agency, and
  (c) exempt a public sector agency, or class of public sector agency, from the requirement to comply with any information protection principle.

31 Preparation and making of privacy codes of practice
(1) The Privacy Commissioner, or any public sector agency, may—
  (a) initiate the preparation of a draft privacy code of practice, and
  (b) develop the draft code in consultation with such other persons or bodies as the Commissioner, or agency, thinks appropriate, and
  (c) submit the draft code to the Minister.
(2) If a draft code is initiated and prepared by a public sector agency, the agency must consult with the Privacy Commissioner on the draft code before it is submitted to the Minister.
(3) The Privacy Commissioner may make such submissions to the Minister in respect of a draft code as the Privacy Commissioner thinks appropriate.
(4) Once a draft code is submitted to the Minister, the Minister may, after taking into consideration any submissions by the Privacy Commissioner, decide to make the code.
(5) A code of practice is made by an order of the Minister published in the Gazette.
(6) A code takes effect when the order making the code is published (or on such later date as may be specified in the order).
(7) The procedures specified in this section extend to any amendment of a privacy code of practice.
Editorial note— For the Privacy Code of Practice (General) 2003 and amendments to that Code, see www.legislation.nsw.gov.au.
For other codes of practice published under this section see Gazettes No 84 of 23.7.1999, p 5152; No 81 of 30.6.2000, pp 5981, 5993, 6004, 6007, 6020, 6024; No 83 of 30.6.2000, p 6035; No 143 of 3.11.2000, p 11568; No 170 of 29.12.2000, p 14069; No 46 of 2.3.2001, p 1133; No 93 of 1.6.2001, p 3395; No 199 of 28.12.2001, p 10853; No 104 of 25.6.2004, p 4812; No 85 of 24.8.2012, p 3781; No 17 of 5.3.2015, p 632; No 34 of 6.5.2016, p 1009; No 57 of 2.6.2017, p 1826; No 36 of 29.3.2018, p 1862; No 76 of 3.8.2018, p 5127; No 82 of 24.8.2018, p 5574 and No 179 of 20.12.2019, n2019-4051. From April 2021, PCO is no longer updating notes in provisions of in force titles about related gazette notices. To search for related gazette notices, please use the Gazette Search functionality.

32 Agencies to comply with privacy codes of practice
(1) A public sector agency must comply with any privacy code of practice applying to the agency.
(2) The contravention by a public sector agency of a privacy code of practice applying to the agency is conduct to which Part 5 applies.

Division 2 Privacy management plans

33 Preparation and implementation of privacy management plans
(1) Each public sector agency must have and implement a privacy management plan.
(2) The privacy management plan of a public sector agency must include provisions relating to the following—
  (a) the devising of policies and practices to ensure compliance by the agency with the requirements of this Act or the Health Records and Information Privacy Act 2002, if applicable,
  (b) the dissemination of those policies and practices to persons within the agency,
  (c) the procedures that the agency proposes to provide in relation to internal review under Part 5,
  (c1) the procedures and practices used by the agency to ensure compliance with the obligations and responsibilities set out in Part 6A for the mandatory notification of data breach scheme,
  (d) such other matters as are considered relevant by the agency in relation to privacy and the protection of personal information held by the agency.
(3) (Repealed)
(4) An agency may amend its privacy management plan from time to time.
(5) An agency must provide a copy of its privacy management plan to the Privacy Commissioner as soon as practicable after it is prepared and whenever the plan is amended.
(6) The regulations may make provision for or with respect to privacy management plans, including exempting certain public sector agencies (or classes of agencies) from the requirements of this section.

Part 4 Privacy Commissioner

Division 1 Appointment of Privacy Commissioner

34 Appointment of Privacy Commissioner
(1) The Governor may appoint a Privacy Commissioner.
(2) The Privacy Commissioner holds office for such term not exceeding 5 years as may be specified in the instrument of appointment, but is eligible (if otherwise qualified) for re-appointment.
(3) A person is not eligible to be appointed for more than 2 terms of office as Privacy Commissioner (whether or not consecutive terms).
(4) A person is not eligible to be appointed as Privacy Commissioner or to act in that office if the person is the Information Commissioner.
(5) A person is not eligible to be appointed as Privacy Commissioner or to act in that office if the person is a member of the Legislative Council or of the Legislative Assembly or is a member of a House of Parliament or legislature of another State or Territory or of the Commonwealth.
(6) The Privacy Commissioner may be appointed on a full-time or part-time basis. If the Privacy Commissioner is appointed to office on a full-time basis, the Privacy Commissioner is required to hold the office on that basis except to the extent permitted by the Governor.

35 Veto of proposed appointment of Privacy Commissioner
(1) A person is not to be appointed as Privacy Commissioner until—
  (a) a proposal that the person be so appointed has been referred to the Joint Committee under section 31BA of the Ombudsman Act 1974, and
  (b) the period that the Committee has under that section to veto the proposed appointment has ended without the Committee having vetoed the proposed appointment or the Committee notifies the Minister that it has decided not to veto the proposed appointment.
(2) A person may be proposed for appointment on more than one occasion.
(3) In this section, appointment includes re-appointment.

35A Remuneration
(1) The Privacy Commissioner is entitled to be paid—
  (a) remuneration in accordance with the Statutory and Other Offices Remuneration Act 1975, and
  (b) such travelling and subsistence allowances as the Minister may from time to time determine.
(2) The Privacy Commissioner is not, if a Judge of a New South Wales Court and while receiving remuneration as such a Judge, entitled to remuneration under this Act.
35B Vacancy in office
The office of Privacy Commissioner becomes vacant if the holder—
  (a) dies, or
  (b) completes a term of office and is not re-appointed, or
  (c) resigns the office by instrument in writing addressed to the Governor, or
  (d) is nominated for election as a member of the Legislative Council or of the Legislative Assembly or as a member of a House of Parliament or a legislature of another State or Territory or of the Commonwealth, or
  (e) becomes bankrupt, applies to take the benefit of any law for the relief of bankrupt or insolvent debtors, compounds with his or her creditors or makes an assignment of his or her remuneration for their benefit, or
  (f) becomes a mentally incapacitated person, or
  (g) is convicted in New South Wales of an offence that is punishable by imprisonment for 12 months or more or is convicted elsewhere than in New South Wales of an offence that, if committed in New South Wales, would be an offence so punishable, or
  (h) is removed from office under section 35C.

35C Removal from office
(1) The Governor may remove the Privacy Commissioner from office on the address of both Houses of Parliament.
(2) The Governor may suspend the Privacy Commissioner from office—
  (a) for misbehaviour, or
  (b) for incapacity, or
  (c) if the Privacy Commissioner is absent from duty for a period in excess of his or her leave entitlement as approved by the Governor unless the absence is caused by illness or other unavoidable cause.
(3) The Minister is to lay or cause to be laid before each House of Parliament, within 7 sitting days of that House after the Privacy Commissioner has been suspended from office, a full statement of the grounds for the suspension.
(4) The suspension is to be lifted unless each House of Parliament, within 21 sitting days from the time when the statement was laid before it, declares by resolution that the Privacy Commissioner ought to be removed from office.
(5) If each House does so declare within that period, the Privacy Commissioner is to be removed from office by the Governor.
(6) For the purposes of this section, sitting days are to be counted whether or not they occur in the same session.

35D Filling of vacancy
If the office of Privacy Commissioner becomes vacant, a person is, subject to this Act, to be appointed to fill the vacancy.

35E Privacy Commissioner a statutory officer and not Public Service employee
The office of Privacy Commissioner is a statutory office and the provisions of the Government Sector Employment Act 2013 relating to the employment of Public Service employees do not apply to that office.

35F Appointment of acting Privacy Commissioner
(1) The Minister may, from time to time, appoint a person to act in the office of the Privacy Commissioner during the illness or absence of the Privacy Commissioner or during a vacancy in the office of the Privacy Commissioner. The person, while so acting, has all the functions of the Privacy Commissioner and is taken to be the Privacy Commissioner.
(2) The Minister may, at any time, remove a person from office as acting Privacy Commissioner.
(3) An acting Privacy Commissioner is entitled to be paid such remuneration (including travelling and subsistence allowances) as the Minister may from time to time determine.

35G Staff of Privacy Commissioner
Persons may be employed in the Public Service under the Government Sector Employment Act 2013 to enable the Privacy Commissioner to exercise his or her functions.
Note— Section 59 of the Government Sector Employment Act 2013 provides that the persons so employed (or whose services the Privacy Commissioner makes use of) may be referred to as officers or employees, or members of staff, of the Privacy Commissioner. Section 47A of the Constitution Act 1902 precludes the Privacy Commissioner from employing staff.
35H Delegation
The Privacy Commissioner may delegate the exercise of any function of the Privacy Commissioner (other than this power of delegation) to—
  (a) any member of staff of the Privacy Commissioner, or
  (b) any person, or any class of persons, authorised for the purposes of this section by the regulations.

Division 2 Functions of Privacy Commissioner

36 General functions
(1) The Privacy Commissioner has such functions as are conferred or imposed on the Commissioner by or under this or any other Act.
(2) In particular, the Privacy Commissioner has the following functions—
  (a) to promote the adoption of, and monitor compliance with, the information protection principles,
  (b) to prepare and publish guidelines relating to the protection of personal information and other privacy matters, and to promote the adoption of such guidelines,
  (c) to initiate and recommend the making of privacy codes of practice,
  (d) to provide assistance to public sector agencies in adopting and complying with the information protection principles, privacy codes of practice and the mandatory notification of data breach scheme,
  (e) to provide assistance to public sector agencies in preparing and implementing—
    (i) privacy management plans under section 33, and
    (ii) data breach policies under section 59ZD,
  (f) to conduct research, and collect and collate information, about any matter relating to the protection of personal information and the privacy of individuals,
  (g) to provide advice on matters relating to the protection of personal information and the privacy of individuals,
  (h) to make public statements about any matter relating to the privacy of individuals generally,
  (i) to conduct education programs, and to disseminate information, for the purpose of promoting the protection of the privacy of individuals,
  (j) to prepare and publish reports and recommendations about any matter (including developments in technology) that concerns the need for, or the desirability of, legislative, administrative or other action in the interest of the privacy of individuals,
  (k) to receive, investigate and conciliate complaints about privacy related matters (including conduct to which Part 5 applies),
  (l) to conduct such inquiries, and make such investigations, into privacy related matters as the Privacy Commissioner thinks appropriate,
  (m) to investigate, monitor, audit and report on a public sector agency's compliance with Part 6A, including the agency's data handling systems, policies and practices.
(3) The Privacy Commissioner must consult with the Information Commissioner before preparing any guidelines concerning the information protection principle set out in section 18 (Limits on disclosure of personal information).

37 Requirement to give information
(1) The Privacy Commissioner may, in connection with the exercise of the Privacy Commissioner's functions, require any person or public sector agency—
  (a) to give the Privacy Commissioner a statement of information, or
  (b) to produce to the Privacy Commissioner any document or other thing, or
  (c) to give the Privacy Commissioner a copy of any document.
(2) The Privacy Commissioner is not to make any such requirement if it appears to the Privacy Commissioner that—
  (a) the person or public sector agency concerned does not consent to compliance with the requirement, and
  (b) the person or public sector agency would not, in court proceedings, be required to comply with a similar requirement on the grounds of public interest, privilege against self-incrimination or legal professional privilege.
(3) A requirement under this section must be in writing, must specify or describe the information, document or thing required, and must specify the time and manner for complying with the requirement.
(4) This section does not confer any function on the Privacy Commissioner that may be exercised in relation to the Independent Commission Against Corruption.
38 Inquiries and investigations
(1) For the purposes of any inquiry or investigation conducted by the Privacy Commissioner under this Act (including in relation to a complaint made under Division 3 of this Part), the Privacy Commissioner has the powers, authorities, protections and immunities conferred on a commissioner by Division 1 of Part 2 of the Royal Commissions Act 1923, and that Act (section 13 and Division 2 of Part 2 excepted) applies (subject to this section) to any witness summoned by or appearing before the Privacy Commissioner in the same way as it applies to a witness summoned by or appearing before a commissioner.
(2) Subsection (1) does not confer any function on the Privacy Commissioner that may be exercised in relation to the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, Law Enforcement Conduct Commission, Inspector of the Law Enforcement Conduct Commission, staff of the Inspector of the Law Enforcement Conduct Commission or New South Wales Crime Commission.
(3) Any inquiry or investigation conducted by the Privacy Commissioner under this Act is to be conducted in the absence of the public, except as otherwise directed by the Privacy Commissioner.
(4) The Privacy Commissioner, in the course of conducting an inquiry or investigation under this Act, must set aside any requirement—
  (a) to give any statement of information, or
  (b) to produce any document or other thing, or
  (c) to give a copy of any document, or
  (d) to answer any question,
if it appears to the Privacy Commissioner that the person concerned does not consent to compliance with the requirement and the person would not, in court proceedings, be required to comply with a similar requirement on the grounds of public interest, privilege against self-incrimination or legal professional privilege. However, the person must comply with any such requirement despite any duty of secrecy or other restriction on disclosure.
(5) A person is not entitled to be represented by another person at an inquiry or investigation conducted by the Privacy Commissioner except with the leave of the Privacy Commissioner.
(6) The Privacy Commissioner may allow any person appearing before the Privacy Commissioner to