Privacy and Personal Information Protection Act 1998 (NSW)
An Act to provide for the protection of personal information, and for the protection of the privacy of individuals generally; to provide for the appointment of a Privacy Commissioner; to repeal the Privacy Committee Act 1975; and for other purposes.
Privacy and Personal Information Protection Act 1998 No 133
Part 1 Preliminary
1 Name of Act
This Act is the Privacy and Personal Information Protection Act 1998.
2 Commencement
This Act commences on a day or days to be appointed by proclamation.
3 Definitions
(1) In this Act—
affected individual, for Part 6A—see section 59D(2).
approved form, for Part 6A—see section 59A.
assessment, for Part 6A—see section 59E(2)(b).
assessor, for Part 6A—see section 59G(1).
Commonwealth agency means an entity referred to in paragraph (a)–(h) of the definition of agency in the Privacy Act 1988 of the Commonwealth.
convicted inmate has the same meaning as it has in the Crimes (Administration of Sentences) Act 1999.
eligible data breach, for Part 6A—see section 59D(1).
exercise a function includes perform a duty.
function includes a power, authority or duty.
head, for Part 6A—see section 59A.
health privacy code of practice, for Part 6A—see section 59A.
Health Privacy Principle, for Part 6A—see section 59A.
held, in relation to personal information—
(a) for Part 6A—see section 59C, or
(b) otherwise—see section 4(4).
Information Commissioner means the Information Commissioner under the Government Information (Information Commissioner) Act 2009.
information protection principle or principle means a provision set out in Division 1 of Part 2.
investigative agency means—
(a) any of the following—
(i) the Ombudsman's Office,
(ii) the Independent Commission Against Corruption,
(iii) the Inspector of the Independent Commission Against Corruption,
(iv) the Law Enforcement Conduct Commission,
(v) the Inspector of the Law Enforcement Conduct Commission and any staff of the Inspector,
(vi) the Health Care Complaints Commission,
(vii) the Office of the Legal Services Commissioner,
(viia) the Ageing and Disability Commissioner,
(viib) the Children's Guardian,
(viii) a person or body prescribed by the regulations for the purposes of this definition, or
(b) any other public sector agency with investigative functions if—
(i) those functions are exercisable under the authority of an Act or statutory rule (or where that authority is necessarily implied or reasonably contemplated under an Act or statutory rule), and
(ii) the exercise of those functions may result in the agency taking or instituting disciplinary, criminal or other formal action or proceedings against a person or body under investigation, or
(c) a public sector agency conducting an investigation for or on behalf of an agency referred to in paragraph (a) or (b).
law enforcement agency means any of the following—
(a) the NSW Police Force, or the police force of another State or a Territory,
(b) the New South Wales Crime Commission,
(c) the Australian Federal Police,
(d) the Australian Crime Commission,
(e) the Director of Public Prosecutions of New South Wales, of another State or a Territory, or of the Commonwealth,
(f) the Department of Justice,
(f1) the Independent Gaming and Liquor Authority under the Gaming and Liquor Administration Act 2007,
(g) the NSW Independent Casino Commission under the Casino Control Act 1992,
(g1) the Office of the Sheriff of New South Wales,
(h) a person or body prescribed by the regulations for the purposes of this definition.
local government authority means a council, a county council or a joint organisation, within the meaning of the Local Government Act 1993.
mandatory notification of data breach scheme means the scheme under Part 6A for assessing and notifying data breaches.
personal information is defined in section 4.
privacy code of practice or code means a privacy code of practice made under Part 3.
Privacy Commissioner means the Privacy Commissioner appointed under this Act.
public register means a register of personal information that is required by law to be, or is made, publicly available or open to public inspection (whether or not on payment of a fee).
public sector agency means any of the following—
(a) a Public Service agency or the Teaching Service,
(a1) the office of a political office holder within the meaning of the Members of Parliament Staff Act 2013, being the office comprising the persons employed by the political office holder under Part 2 of that Act,
(b) a statutory body representing the Crown,
(c) (Repealed)
(d) an auditable entity within the meaning of the Government Sector Audit Act 1983 or any other entity within the meaning of that Act (or entity of a kind) prescribed by the regulations, but excluding an entity (or entity of a kind) prescribed by the regulations,
(e) the NSW Police Force,
(e1) (Repealed)
(f) a local government authority,
(f1) a State owned corporation that is not subject to the Privacy Act 1988 of the Commonwealth,
(g) a person or body that—
(i) provides data services (being services relating to the collection, processing, disclosure or use of personal information or that provide for access to such information) for or on behalf of a body referred to in paragraph (a)–(f1) of this definition, or that receives funding from any such body in connection with providing data services, and
(ii) is prescribed by the regulations for the purposes of this definition.
Note—
Section 4B enables the regulations to declare that a public sector agency is to be regarded as being part of another public sector agency for the purposes of this Act. It also enables the regulations to declare that a part of a public sector agency is to be regarded as being a separate public sector agency from the public sector agency of which it forms part for the purposes of this Act.
public sector official means any of the following—
(a) a person appointed by the Governor, or a Minister, to a statutory office,
(b) a judicial officer within the meaning of the Judicial Officers Act 1986,
(c) a person employed in the Public Service, the Transport Service of New South Wales, the Teaching Service, the NSW Health Service or the NSW Police Force,
(c1) a person employed by a political office holder under Part 2 of the Members of Parliament Staff Act 2013,
(c2) a person employed by a member of Parliament under Part 3 of the Members of Parliament Staff Act 2013,
(d) a local government councillor or a person employed by a local government authority,
(e) a person who is an officer of the Legislative Council or Legislative Assembly or who is employed by (or who is under the control of) the President of the Legislative Council or the Speaker of the Legislative Assembly, or both,
(f) a person who is employed or engaged by—
(i) a public sector agency, or
(ii) a person referred to in paragraph (a)–(e),
(g) a person who acts for or on behalf of, or in the place of, or as deputy or delegate of, a public sector agency or person referred to in paragraph (a)–(e).
publicly available publication does not include any publication or document declared by the regulations not to be a publicly available document for the purposes of this Act.
staff of the Inspector of the Independent Commission Against Corruption means—
(a) any staff employed under section 57E (1) or (2) of the Independent Commission Against Corruption Act 1988, and
(b) any consultants engaged under section 57E (3) of that Act.
staff of the Inspector of the Law Enforcement Conduct Commission means—
(a) any staff employed under section 128 (1) of the Law Enforcement Conduct Commission Act 2016, and
(b) any consultants engaged under section 128 (4) (c) of that Act.
State record has the same meaning as in the State Records Act 1998.
Tribunal means the Civil and Administrative Tribunal.
Note—
The Interpretation Act 1987 contains definitions and other provisions that affect the interpretation and application of this Act.
(2) Notes included in this Act are explanatory notes and do not form part of this Act.
4 Definition of "personal information"
(1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
(2) Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics.
(3) Personal information does not include any of the following—
(a) information about an individual who has been dead for more than 30 years,
(b) information about an individual that is contained in a publicly available publication,
(c) information about a witness who is included in a witness protection program under the Witness Protection Act 1995 or who is subject to other witness protection arrangements made under an Act,
(d) information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 of the Commonwealth,
(e) information about an individual that is contained in a public interest disclosure within the meaning of the Public Interest Disclosures Act 2022, or that has been collected while dealing with a voluntary public interest disclosure in accordance with that Act, Part 5, Division 2,
(f) information about an individual arising out of, or in connection with, an authorised operation within the meaning of the Law Enforcement (Controlled Operations) Act 1997,
(g) information about an individual arising out of a Royal Commission or Special Commission of Inquiry,
(h) information about an individual arising out of a complaint made under Part 8A of the Police Act 1990,
(i) information about an individual that is contained in Cabinet information or Executive Council information under the Government Information (Public Access) Act 2009,
(j) information or an opinion about an individual's suitability for appointment or employment as a public sector official,
(ja) information about an individual that is obtained about an individual under Chapter 8 (Adoption information) of the Adoption Act 2000,
(k) information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection.
(4) Personal information is held by a public sector agency if—
(a) the agency is in possession or control of the information, or
(b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or
(c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998.
(5) For the purposes of this Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited.
4A Exclusion of health information from definition of "personal information"
Except as provided by this Act or the Health Records and Information Privacy Act 2002, the definition of personal information in section 4 does not include health information within the meaning of the Health Records and Information Privacy Act 2002.
4B Regulations may declare whether agency is part of or separate from a public sector agency
(1) The regulations may declare that—
(a) a specified public sector agency is not to be regarded as a separate public sector agency and instead is to be regarded for the purposes of this Act as part of and included in another specified public sector agency in respect of specified functions, or
(b) a specified office, branch or other part of a public sector agency is for the purposes of this Act to be regarded as being a separate public sector agency to the public sector agency of which it forms part in respect of specified functions that it exercises.
(2) The regulations may make provision for or with respect to the application of this Act (with such modifications, if any, as may be prescribed) for the purposes of a declaration under this section.
(3) The Minister must, before recommending the making of a regulation under this section, consider whether the making of a declaration under this section will permit the sharing of personal information between public sector agencies and, if so, whether the sharing of that information would be appropriate in the circumstances.
5 Government Information (Public Access) Act 2009 not affected
(1) Nothing in this Act affects the operation of the Government Information (Public Access) Act 2009.
(2) In particular, this Act does not operate to lessen any obligations under the Government Information (Public Access) Act 2009 in respect of a public sector agency.
6 Courts, tribunals and Royal Commissions not affected
(1) Nothing in this Act affects the manner in which a court or tribunal, or the manner in which the holder of an office relating to a court or tribunal, exercises the court's, or the tribunal's, judicial functions.
(2) Nothing in this Act affects the manner in which a Royal Commission, or any Special Commission of Inquiry, exercises the Commission's functions.
(3) In this section, judicial functions of a court or tribunal means such of the functions of the court or tribunal as relate to the hearing or determination of proceedings before it, and includes—
(a) in relation to a Magistrate—such of the functions of the Magistrate as relate to the conduct of committal proceedings, and
(b) in relation to a coroner—such of the functions of the coroner as relate to the conduct of inquests and inquiries under the Coroners Act 2009.
7 Crown bound by Act
This Act binds the Crown in right of New South Wales and also, in so far as the legislative power of Parliament permits, the Crown in all its other capacities.
Part 2 Information protection principles
Division 1 Principles
8 Collection of personal information for lawful purposes
(1) A public sector agency must not collect personal information unless—
(a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and
(b) the collection of the information is reasonably necessary for that purpose.
(2) A public sector agency must not collect personal information by any unlawful means.
9 Collection of personal information directly from individual
A public sector agency must, in collecting personal information, collect the information directly from the individual to whom the information relates unless—
(a) the individual has authorised collection of the information from someone else, or
(b) in the case of information relating to a person who is under the age of 16 years—the information has been provided by a parent or guardian of the person.
10 Requirements when collecting personal information
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following—
(a) the fact that the information is being collected,
(b) the purposes for which the information is being collected,
(c) the intended recipients of the information,
(d) whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided,
(e) the existence of any right of access to, and correction of, the information,
(f) the name and address of the agency that is collecting the information and the agency that is to hold the information.
11 Other requirements relating to collection of personal information
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that—
(a) the information collected is relevant to that purpose, is not excessive, and is accurate, up to date and complete, and
(b) the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.
12 Retention and security of personal information
A public sector agency that holds personal information must ensure—
(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.
13 Information about personal information held by agencies
A public sector agency that holds personal information must take such steps as are, in the circumstances, reasonable to enable any person to ascertain—
(a) whether the agency holds personal information, and
(b) whether the agency holds personal information relating to that person, and
(c) if the agency holds personal information relating to that person—
(i) the nature of that information, and
(ii) the main purposes for which the information is used, and
(iii) that person's entitlement to gain access to the information.
14 Access to personal information held by agencies
A public sector agency that holds personal information must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information.
15 Alteration of personal information
(1) A public sector agency that holds personal information must, at the request of the individual to whom the information relates, make appropriate amendments (whether by way of corrections, deletions or additions) to ensure that the personal information—
(a) is accurate, and
(b) having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading.
(2) If a public sector agency is not prepared to amend personal information in accordance with a request by the individual to whom the information relates, the agency must, if so requested by the individual concerned, take such steps as are reasonable to attach to the information, in such a manner as is capable of being read with the information, any statement provided by that individual of the amendment sought.
(3) If personal information is amended in accordance with this section, the individual to whom the information relates is entitled, if it is reasonably practicable, to have recipients of that information notified of the amendments made by the public sector agency.
(4) This section, and any provision of a privacy code of practice that relates to the requirements set out in this section, apply to public sector agencies despite section 25 of this Act and section 21 of the State Records Act 1998.
(5) The Privacy Commissioner's guidelines under section 36 may make provision for or with respect to requests under this section, including the way in which such a request should be made and the time within which such a request should be dealt with.
(6) In this section (and in any other provision of this Act in connection with the operation of this section), public sector agency includes a Minister and a Minister's personal staff.
16 Agency must check accuracy of personal information before use
A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
17 Limits on use of personal information
A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless—
(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.
18 Limits on disclosure of personal information
(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless—
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
19 Special restrictions on disclosure of personal information
(1) A public sector agency must not disclose personal information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities unless the disclosure is necessary to prevent a serious and imminent threat to the life or health of the individual concerned or another person.
(2) A public sector agency that holds personal information about an individual must not disclose the information to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless—
(a) the public sector agency reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the information protection principles, or
(b) the individual expressly consents to the disclosure, or
(c) the disclosure is necessary for the performance of a contract between the individual and the public sector agency, or for the implementation of pre-contractual measures taken in response to the individual's request, or
(d) the disclosure is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the public sector agency and a third party, or
(e) all of the following apply—
(i) the disclosure is for the benefit of the individual,
(ii) it is impracticable to obtain the consent of the individual to that disclosure,
(iii) if it were practicable to obtain such consent, the individual would be likely to give it, or
(f) the disclosure is reasonably believed by the public sector agency to be necessary to lessen or prevent a serious and imminent threat to the life, health or safety of the individual or another person, or
(g) the public sector agency has taken reasonable steps to ensure that the information that it has disclosed will not be held, used or disclosed by the recipient of the information inconsistently with the information protection principles, or
(h) the disclosure is permitted or required by an Act (including an Act of the Commonwealth) or any other law.
(3)–(5) (Repealed)
Division 2 General provisions relating to principles
20 General application of information protection principles to public sector agencies
(1) The information protection principles apply to public sector agencies.
(2) The application of the principles to public sector agencies—
(a) may be modified by privacy codes of practice, and
(b) is otherwise subject to this Act.
(3) Sections 8–11 do not apply in respect of personal information collected by a public sector agency before the commencement of this Part.
(4) (Repealed)
(5) Without limiting the generality of section 5, the provisions of the Government Information (Public Access) Act 2009 that impose conditions or limitations (however expressed) with respect to any matter referred to in section 13, 14 or 15 are not affected by this Act, and those provisions continue to apply in relation to any such matter as if those provisions were part of this Act.
21 Agencies to comply with principles
(1) A public sector agency must not do any thing, or engage in any practice, that contravenes an information protection principle applying to the agency.
(2) The contravention by a public sector agency of an information protection principle that applies to the agency is conduct to which Part 5 applies.
Division 3 Specific exemptions from principles
22 Operation of Division
Nothing in this Division authorises a public sector agency to do any thing that it is otherwise prohibited from doing.
23 Exemptions relating to law enforcement and related matters
(1) A law enforcement agency is not required to comply with section 9 if compliance by the agency would prejudice the agency's law enforcement functions.
(2) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 9 if the information concerned is collected in connection with proceedings (whether or not actually commenced) before any court or tribunal.
(3) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 10 if the information concerned is collected for law enforcement purposes. However, this subsection does not remove any protection provided by any other law in relation to the rights of accused persons or persons suspected of having committed an offence.
(4) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 17 if the use of the information concerned for a purpose other than the purpose for which it was collected is reasonably necessary for law enforcement purposes or for the protection of the public revenue.
(5) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 18 if the disclosure of the information concerned—
(a) is made in connection with proceedings for an offence or for law enforcement purposes (including the exercising of functions under or in connection with the Confiscation of Proceeds of Crime Act 1989 or the Criminal Assets Recovery Act 1990), or
(b) is to a law enforcement agency (or such other person or organisation as may be prescribed by the regulations) for the purposes of ascertaining the whereabouts of an individual who has been reported to a police officer as a missing person, or
(c) is authorised or required by subpoena or by search warrant or other statutory instrument, or
(d) is reasonably necessary—
(i) for the protection of the public revenue, or
(ii) in order to investigate an offence where there are reasonable grounds to believe that an offence may have been committed.
(6) Nothing in subsection (5) requires a public sector agency to disclose personal information to another person or body if the agency is entitled to refuse to disclose the information in the absence of a subpoena, warrant or other lawful requirement.
(6A) A public sector agency is not required to comply with the information protection principles with respect to the collection, use or disclosure of personal information if—
(a) the agency is providing the information to another public sector agency or the agency is being provided with the information by another public sector agency, and
(b) the collection, use or disclosure of the information is reasonably necessary for law enforcement purposes.
(7) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 19 if the disclosure of the information concerned is reasonably necessary for the purposes of law enforcement in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed.
(8) In this section—
(a) a reference to law enforcement purposes includes a reference to law enforcement purposes of another State or a Territory or the Commonwealth, and
(b) a reference to an offence includes a reference to an offence against a law of another State or a Territory or the Commonwealth, and
(c) a reference to the protection of the public revenue includes a reference to the protection of the public revenue of another State or a Territory or the Commonwealth.
23A Exemptions relating to ASIO
(1) A public sector agency is not required to comply with section 13 or 14 if compliance would reveal to the public that ASIO had requested, or been provided with, information about a person.
(2) A public sector agency is not required to comply with section 18 if—
(a) the disclosure of the information concerned has been requested by the Director-General of ASIO for a purpose connected with the exercise of ASIO's functions under the Australian Security Intelligence Organisation Act 1979 of the Commonwealth, and
(b) the information is disclosed to an officer or employee of ASIO who is authorised in writing by the Director-General to receive the information, and
(c) the authorised officer or employee certifies in writing that the information sought is reasonably necessary for ASIO to exercise its functions under the Australian Security Intelligence Organisation Act 1979 of the Commonwealth.
(3) To avoid doubt, this section permits (but does not require) a public sector agency to disclose any information requested by the D
