Privacy and Personal Information Protection Act 1998 No 133



An Act to provide for the protection of personal information, and for the protection of the privacy of individuals generally; to provide for the appointment of a Privacy Commissioner; to repeal the Privacy Committee Act 1975; and for other purposes.
Part 1 Preliminary
1   Name of Act
This Act is the Privacy and Personal Information Protection Act 1998.
2   Commencement
This Act commences on a day or days to be appointed by proclamation.
3   Definitions
(1)  In this Act:
Commonwealth agency means an entity referred to in paragraph (a)–(h) of the definition of agency in the Privacy Act 1988 of the Commonwealth.
convicted inmate has the same meaning as it has in the Crimes (Administration of Sentences) Act 1999.
exercise a function includes perform a duty.
function includes a power, authority or duty.
information protection principle or principle means a provision set out in Division 1 of Part 2.
investigative agency means any of the following:
(a)  the Ombudsman’s Office,
(b)  the Independent Commission Against Corruption,
(b1)  the Inspector of the Independent Commission Against Corruption,
(c)  the Police Integrity Commission,
(c1)  the Inspector of the Police Integrity Commission and any staff of the Inspector,
(d)    (Repealed)
(e)  the Health Care Complaints Commission,
(f)  the office of Legal Services Commissioner,
(g)  a person or body prescribed by the regulations for the purposes of this definition.
law enforcement agency means any of the following:
(a)  the NSW Police Force, or the police force of another State or a Territory,
(b)  the New South Wales Crime Commission,
(c)  the Australian Federal Police,
(d)  the Australian Crime Commission,
(e)  the Director of Public Prosecutions of New South Wales, of another State or a Territory, or of the Commonwealth,
(f)  the Department of Corrective Services,
(g)  the Department of Juvenile Justice,
(h)  a person or body prescribed by the regulations for the purposes of this definition.
local government authority means a council, or a county council, within the meaning of the Local Government Act 1993.
personal information is defined in section 4.
privacy code of practice or code means a privacy code of practice made under Part 3.
Privacy Commissioner means the Privacy Commissioner appointed under this Act.
public register means a register of personal information that is required by law to be, or is made, publicly available or open to public inspection (whether or not on payment of a fee).
public sector agency means any of the following:
(a)  a government department or the Teaching Service,
(b)  a statutory body representing the Crown,
(c)  a declared authority under the Public Sector Management Act 1988,
(d)  a person or body in relation to whom, or to whose functions, an account is kept of administration or working expenses, if the account:
(i)  is part of the accounts prepared under the Public Finance and Audit Act 1983, or
(ii)  is required by or under any Act to be audited by the Auditor-General, or
(iii)  is an account with respect to which the Auditor-General has powers under any law, or
(iv)  is an account with respect to which the Auditor-General may exercise powers under a law relating to the audit of accounts if requested to do so by a Minister of the Crown,
(e)  the NSW Police Force,
(f)  a local government authority,
(g)  a person or body that:
(i)  provides data services (being services relating to the collection, processing, disclosure or use of personal information or that provide for access to such information) for or on behalf of a body referred to in paragraph (a)–(f) of this definition, or that receives funding from any such body in connection with providing data services, and
(ii)  is prescribed by the regulations for the purposes of this definition,
but does not include a State owned corporation.
public sector official means any of the following:
(a)  a person appointed by the Governor, or a Minister, to a statutory office,
(b)  a judicial officer within the meaning of the Judicial Officers Act 1986,
(c)  a person employed in the Government Service, the Teaching Service, the NSW Health Service or the NSW Police Force,
(d)  a local government councillor or a person employed by a local government authority,
(e)  a person who is an officer of the Legislative Council or Legislative Assembly or who is employed by (or who is under the control of) the President of the Legislative Council or the Speaker of the Legislative Assembly, or both,
(f)  a person who is employed or engaged by:
(i)  a public sector agency, or
(ii)  a person referred to in paragraph (a)–(e),
(g)  a person who acts for or on behalf of, or in the place of, or as deputy or delegate of, a public sector agency or person referred to in paragraph (a)–(e).
publicly available publication does not include any publication or document declared by the regulations not to be a publicly available document for the purposes of this Act.
staff of the Inspector of the Independent Commission Against Corruption means:
(a)  any staff employed under section 57E (1) or (2) of the Independent Commission Against Corruption Act 1988, and
(b)  any consultants engaged under section 57E (3) of that Act.
staff of the Inspector of the Police Integrity Commission means:
(a)  any staff employed under section 92 (1) or (2) of the Police Integrity Commission Act 1996, and
(b)  any consultants engaged under section 92 (3) of that Act.
State record has the same meaning as in the State Records Act 1998.
Tribunal means the Administrative Decisions Tribunal established by the Administrative Decisions Tribunal Act 1997.
(2)  Notes included in this Act are explanatory notes and do not form part of this Act.
s 3: Am 2000 No 93, Sch 1.16 [1] [2]; 2002 No 42, Sch 4.7 [1]; 2002 No 71, Sch 3 [1] [2]; 2002 No 116, Sch 1 [1]; 2003 No 13, Sch 1.25; 2004 No 114, Sch 2.16; 2005 No 10, Sch 2.9 [1] [2]; 2005 No 64, Sch 2.46 [1]; 2006 No 2, Sch 5.10; 2006 No 94, Sch 3.28 [1]–[3].
4   Definition of “personal information”
(1)  In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
(2)  Personal information includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics.
(3)  Personal information does not include any of the following:
(a)  information about an individual who has been dead for more than 30 years,
(b)  information about an individual that is contained in a publicly available publication,
(c)  information about a witness who is included in a witness protection program under the Witness Protection Act 1995 or who is subject to other witness protection arrangements made under an Act,
(d)  information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 of the Commonwealth,
(e)  information about an individual that is contained in a protected disclosure within the meaning of the Protected Disclosures Act 1994, or that has been collected in the course of an investigation arising out of a protected disclosure,
(f)  information about an individual arising out of, or in connection with, an authorised operation within the meaning of the Law Enforcement (Controlled Operations) Act 1997,
(g)  information about an individual arising out of a Royal Commission or Special Commission of Inquiry,
(h)  information about an individual arising out of a complaint made under Part 8A of the Police Act 1990,
(i)  information about an individual that is contained in a document of a kind referred to in clause 1 or 2 of Schedule 1 (restricted documents) to the Freedom of Information Act 1989 (ie Cabinet documents or Executive Council documents),
(j)  information or an opinion about an individual’s suitability for appointment or employment as a public sector official,
(ja)  information about an individual that is obtained about an individual under Chapter 8 (Adoption information) of the Adoption Act 2000,
(k)  information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection.
(4)  For the purposes of this Act, personal information is held by a public sector agency if:
(a)  the agency is in possession or control of the information, or
(b)  the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or
(c)  the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998.
(5)  For the purposes of this Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited.
s 4: Am 2000 No 75, Sch 2.4; 2005 No 64, Sch 2.46 [2].
4A   Exclusion of health information from definition of “personal information”
Except as provided by this Act or the Health Records and Information Privacy Act 2002, the definition of personal information in section 4 does not include health information within the meaning of the Health Records and Information Privacy Act 2002.
s 4A: Ins 2002 No 71, Sch 3 [3].
(1)  Nothing in this Act affects the operation of the Freedom of Information Act 1989.
(2)  In particular, this Act does not operate:
(a)  to modify any exemption under the Freedom of Information Act 1989, or
(b)  to lessen any obligations under that Act in respect of a public sector agency.
6   Courts, tribunals and Royal Commissions not affected
(1)  Nothing in this Act affects the manner in which a court or tribunal, or the manner in which the holder of an office relating to a court or tribunal, exercises the court’s, or the tribunal’s, judicial functions.
(2)  Nothing in this Act affects the manner in which a Royal Commission, or any Special Commission of Inquiry, exercises the Commission’s functions.
(3)  In this section, judicial functions of a court or tribunal means such of the functions of the court or tribunal as relate to the hearing or determination of proceedings before it, and includes:
(a)  in relation to a Magistrate—such of the functions of the Magistrate as relate to the conduct of committal proceedings, and
(b)  in relation to a coroner—such of the functions of the coroner as relate to the conduct of inquests and inquiries under the Coroners Act 2009.
s 6: Am 2001 No 121, Sch 2.172 [1]; 2003 No 40, Sch 2.24 [1]; 2009 No 41, Sch 4.
7   Crown bound by Act
This Act binds the Crown in right of New South Wales and also, in so far as the legislative power of Parliament permits, the Crown in all its other capacities.
Part 2 Information protection principles
Division 1 Principles
8   Collection of personal information for lawful purposes
(1)  A public sector agency must not collect personal information unless:
(a)  the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and
(b)  the collection of the information is reasonably necessary for that purpose.
(2)  A public sector agency must not collect personal information by any unlawful means.
9   Collection of personal information directly from individual
A public sector agency must, in collecting personal information, collect the information directly from the individual to whom the information relates unless:
(a)  the individual has authorised collection of the information from someone else, or
(b)  in the case of information relating to a person who is under the age of 16 years—the information has been provided by a parent or guardian of the person.
10   Requirements when collecting personal information
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following:
(a)  the fact that the information is being collected,
(b)  the purposes for which the information is being collected,
(c)  the intended recipients of the information,
(d)  whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided,
(e)  the existence of any right of access to, and correction of, the information,
(f)  the name and address of the agency that is collecting the information and the agency that is to hold the information.
11   Other requirements relating to collection of personal information
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that:
(a)  the information collected is relevant to that purpose, is not excessive, and is accurate, up to date and complete, and
(b)  the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.
12   Retention and security of personal information
A public sector agency that holds personal information must ensure:
(a)  that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b)  that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
(c)  that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d)  that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.
13   Information about personal information held by agencies
A public sector agency that holds personal information must take such steps as are, in the circumstances, reasonable to enable any person to ascertain:
(a)  whether the agency holds personal information, and
(b)  whether the agency holds personal information relating to that person, and
(c)  if the agency holds personal information relating to that person:
(i)  the nature of that information, and
(ii)  the main purposes for which the information is used, and
(iii)  that person’s entitlement to gain access to the information.
14   Access to personal information held by agencies
A public sector agency that holds personal information must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information.
15   Alteration of personal information
(1)  A public sector agency that holds personal information must, at the request of the individual to whom the information relates, make appropriate amendments (whether by way of corrections, deletions or additions) to ensure that the personal information:
(a)  is accurate, and
(b)  having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading.
(2)  If a public sector agency is not prepared to amend personal information in accordance with a request by the individual to whom the information relates, the agency must, if so requested by the individual concerned, take such steps as are reasonable to attach to the information, in such a manner as is capable of being read with the information, any statement provided by that individual of the amendment sought.
(3)  If personal information is amended in accordance with this section, the individual to whom the information relates is entitled, if it is reasonably practicable, to have recipients of that information notified of the amendments made by the public sector agency.
(4)  This section, and any provision of a privacy code of practice that relates to the requirements set out in this section, apply to public sector agencies despite section 25 of this Act and section 21 of the State Records Act 1998.
s 15: Am 2002 No 71, Sch 3 [4].
16   Agency must check accuracy of personal information before use
A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
17   Limits on use of personal information
A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:
(a)  the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b)  the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c)  the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.
18   Limits on disclosure of personal information
(1)  A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:
(a)  the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b)  the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c)  the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
(2)  If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
19   Special restrictions on disclosure of personal information
(1)  A public sector agency must not disclose personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities unless the disclosure is necessary to prevent a serious and imminent threat to the life or health of the individual concerned or another person.
(2)  A public sector agency that holds personal information must not disclose the information to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless:
(a)  a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction or applies to that Commonwealth agency, or
(b)  the disclosure is permitted under a privacy code of practice.
(3)  For the purposes of subsection (2), a relevant privacy law means a law that is determined by the Privacy Commissioner, by notice published in the Gazette, to be a privacy law for the jurisdiction concerned.
(4)  The Privacy Commissioner is to prepare a code relating to the disclosure of personal information by public sector agencies to persons or bodies outside New South Wales and to Commonwealth agencies.
(5)  Subsection (2) does not apply:
(a)  until after the first anniversary of the commencement of this section, or
(b)  until a code referred to in subsection (4) is made,
whichever is the later.
s 19: Am 2002 No 71, Sch 3 [5]–[10].
Division 2 General provisions relating to principles
20   General application of information protection principles to public sector agencies
(1)  The information protection principles apply to public sector agencies.
(2)  The application of the principles to public sector agencies:
(a)  may be modified by privacy codes of practice, and
(b)  is otherwise subject to this Act.
(3)  Sections 8–11 do not apply in respect of personal information collected by a public sector agency before the commencement of this Part.
(4)    (Repealed)
(5)  Without limiting the generality of section 5, the provisions of the Freedom of Information Act 1989 that impose conditions or limitations (however expressed) with respect to any matter referred to in section 13, 14 or 15 are not affected by this Act, and those provisions continue to apply in relation to any such matter as if those provisions were part of this Act.
s 20: Am 2002 No 71, Sch 3 [11].
21   Agencies to comply with principles
(1)  A public sector agency must not do any thing, or engage in any practice, that contravenes an information protection principle applying to the agency.
(2)  The contravention by a public sector agency of an information protection principle that applies to the agency is conduct to which Part 5 applies.
Division 3 Specific exemptions from principles
22   Operation of Division
Nothing in this Division authorises a public sector agency to do any thing that it is otherwise prohibited from doing.
23   Exemptions relating to law enforcement and related matters
(1)  A law enforcement agency is not required to comply with section 9 if compliance by the agency would prejudice the agency’s law enforcement functions.
(2)  A public sector agency (whether or not a law enforcement agency) is not required to comply with section 9 if the information concerned is collected in connection with proceedings (whether or not actually commenced) before any court or tribunal.
(3)  A public sector agency (whether or not a law enforcement agency) is not required to comply with section 10 if the information concerned is collected for law enforcement purposes. However, this subsection does not remove any protection provided by any other law in relation to the rights of accused persons or persons suspected of having committed an offence.
(4)  A public sector agency (whether or not a law enforcement agency) is not required to comply with section 17 if the use of the information concerned for a purpose other than the purpose for which it was collected is reasonably necessary for law enforcement purposes or for the protection of the public revenue.
(5)  A public sector agency (whether or not a law enforcement agency) is not required to comply with section 18 if the disclosure of the information concerned:
(a)  is made in connection with proceedings for an offence or for law enforcement purposes (including the exercising of functions under or in connection with the Confiscation of Proceeds of Crime Act 1989 or the Criminal Assets Recovery Act 1990), or
(b)  is to a law enforcement agency (or such other person or organisation as may be prescribed by the regulations) for the purposes of ascertaining the whereabouts of an individual who has been reported to a police officer as a missing person, or
(c)  is authorised or required by subpoena or by search warrant or other statutory instrument, or
(d)  is reasonably necessary:
(i)  for the protection of the public revenue, or
(ii)  in order to investigate an offence where there are reasonable grounds to believe that an offence may have been committed.
(6)  Nothing in subsection (5) requires a public sector agency to disclose personal information to another person or body if the agency is entitled to refuse to disclose the information in the absence of a subpoena, warrant or other lawful requirement.
(7)  A public sector agency (whether or not a law enforcement agency) is not required to comply with section 19 if the disclosure of the information concerned is reasonably necessary for the purposes of law enforcement in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed.
24   Exemptions relating to investigative agencies
(1)  An investigative agency is not required to comply with section 9 or 10 if compliance with those sections might detrimentally affect (or prevent the proper exercise of) the agency’s complaint handling functions or any of its investigative functions.
(2)  An investigative agency is not required to comply with section 17 if the use of the information concerned for a purpose other than the purpose for which it was collected is reasonably necessary in order to enable the agency to exercise its complaint handling functions or any of its investigative functions.
(3)  An investigative agency is not required to comply with section 18 if the information concerned is disclosed to another investigative agency.
(4)  The exemptions provided by subsections (1)–(3) extend to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency.
(5)  The exemptions provided by subsections (1)–(3) extend to the Department of Local Government, or any officer of that Department, who is investigating or otherwise handling (formally or informally) a complaint or other matter even though it is or may be the subject of a right of appeal conferred by or under an Act.
(6)  The Ombudsman’s Office is not required to comply with section 9 or 10.
(7)  An investigative agency is not required to comply with section 12 (a).
25   Exemptions where non-compliance is lawfully authorised or required
A public sector agency is not required to comply with section 9, 10, 13, 14, 15, 17, 18 or 19 if:
(a)  the agency is lawfully authorised or required not to comply with the principle concerned, or
(b)  non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).
26   Other exemptions where non-compliance would benefit the individual concerned
(1)  A public sector agency is not required to comply with section 9 or 10 if compliance by the agency would, in the circumstances, prejudice the interests of the individual to whom the information relates.
(2)  A public sector agency is not required to comply with section 10, 18 or 19 if the individual to whom the information relates has expressly consented to the agency not complying with the principle concerned.
27   Specific exemptions (ICAC, ICAC Inspector and Inspector’s staff, NSW Police Force, PIC, Inspector of PIC and Inspector’s staff and NSW Crime Commission)
(1)  Despite any other provision of this Act, the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, the NSW Police Force, the Police Integrity Commission, the Inspector of the Police Integrity Commission, the staff of the Inspector of the Police Integrity Commission and the New South Wales Crime Commission are not required to comply with the information protection principles.
(2)  However, the information protection principles do apply to the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, the NSW Police Force, the Police Integrity Commission, the Inspector of the Police Integrity Commission, the staff of the Inspector of the Police Integrity Commission and the New South Wales Crime Commission in connection with the exercise of their administrative and educative functions.
s 27: Am 2000 No 93, Sch 1.16 [3]; 2005 No 10, Sch 2.9 [3]; 2005 No 64, Sch 2.46 [3]; 2006 No 94, Sch 3.28 [4].
28   Other exemptions
(1)  The Ombudsman’s Office, Health Care Complaints Commission, Anti-Discrimination Board and Guardianship Board are not required to comply with section 19.
(2)  The information protection principles do not apply in respect of personal information collected or held by the Community Relations Commission if:
(a)  the information is collected or held by the Commission for the purpose only of translating the information, and
(b)  all documents held by the Commission in which the information is contained are destroyed or returned to the person who submitted the information for translation when the Commission is satisfied that the documents are no longer required for the provision of the translation service, and
(c)  in a case where it is necessary for the information to be given to another person in connection with the provision of the translation service, everything reasonably within the power of the Commission is done to prevent unauthorised disclosure of the information by that other person.
(3)  Nothing in section 17, 18 or 19 prevents or restricts the disclosure of information:
(a)  by a public sector agency to another public sector agency under the administration of the same Minister if the disclosure is for the purposes of informing that Minister about any matter within that administration, or
(b)  by a public sector agency to any public sector agency under the administration of the Premier if the disclosure is for the purposes of informing the Premier about any matter.
s 28: Am 2002 No 42, Sch 4.7 [2]; 2002 No 71, Sch 3 [12]; 2010 No 62, Sch 2.3.
Part 3 Privacy codes of practice and management plans
Division 1 Privacy codes of practice
29   Operation of privacy codes of practice
(1)  Privacy codes of practice may be made for the purpose of protecting the privacy of individuals.
(2)  A privacy code of practice may regulate the collection, use and disclosure of, and the procedures for dealing with, personal information held by public sector agencies.
(3)  In particular, a privacy code of practice may provide for the protection of personal information contained in a record that is more than 30 years old, and any such provision has effect despite the provisions of any other Act that deals with the disclosure of, or access to, personal information of that kind. Any such code must, to the extent that it relates to personal information contained in a State record that is more than 30 years old, be consistent with any relevant guidelines issued under section 52 of the State Records Act 1998.
(4)  A privacy code of practice may also provide for the disclosure of personal information to persons or bodies outside New South Wales.
(5)  A privacy code of practice can apply to any one or more of the following:
(a)  any specified class of personal information,
(b)  any specified public sector agency or class of public sector agency,
(c)  any specified activity or specified class of activity.
(6)  Except in the case of a privacy code of practice that is referred to in subsection (3), a code cannot affect the operation of any exemption provided under Division 3 of Part 2.
(7)  A code:
(a)  must provide standards of privacy protection that operate to protect public sector agencies from any restrictions in relation to the importation of personal information into New South Wales, and
(b)  must not impose on any public sector agency any requirements that are more stringent (or of a higher standard) than the information protection principles.
30   Modification of information protection principles
(1)  A privacy code of practice may modify the application to any public sector agency of any one or more of the information protection principles or the application to any public sector agency of the provisions of Part 6.
(2)  A code may:
(a)  specify requirements that are different from the requirements set out in the principles, or exempt any activity or conduct of or by the public sector agency from compliance with any such principle, and
(b)  specify the manner in which any one or more of the information protection principles are to be applied to, or are to be followed by, the public sector agency, and
(c)  exempt a public sector agency, or class of public sector agency, from the requirement to comply with any information protection principle.
31   Preparation and making of privacy codes of practice
(1)  The Privacy Commissioner, or any public sector agency, may:
(a)  initiate the preparation of a draft privacy code of practice, and
(b)  develop the draft code in consultation with such other persons or bodies as the Commissioner, or agency, thinks appropriate, and
(c)  submit the draft code to the Minister.
(2)  If a draft code is initiated and prepared by a public sector agency, the agency must consult with the Privacy Commissioner on the draft code before it is submitted to the Minister.
(3)  The Privacy Commissioner may make such submissions to the Minister in respect of a draft code as the Privacy Commissioner thinks appropriate.
(4)  Once a draft code is submitted to the Minister, the Minister may, after taking into consideration any submissions by the Privacy Commissioner, decide to make the code.
(5)  A code of practice is made by an order of the Minister published in the Gazette.
(6)  A code takes effect when the order making the code is published (or on such later date as may be specified in the order).
(7)  The procedures specified in this section extend to any amendment of a privacy code of practice.
Editorial note—
For codes of practice published under this section see Gazettes No 84 of 23.7.1999, p 5152; No 81 of 30.6.2000, pp 5981, 5993, 6004, 6007, 6020, 6024; No 83 of 30.6.2000, p 6035; No 143 of 3.11.2000, p 11568; No 170 of 29.12.2000, p 14069; No 46 of 2.3.2001, p 1133; No 93 of 1.6.2001, p 3395; No 199 of 28.12.2001, p 10853; No 83 of 9.5.2003, p 4669 (see also Gazette No 63 of 26.3.2004, p 1527) and No 104 of 25.6.2004, p 4812.
32   Agencies to comply with privacy codes of practice
(1)  A public sector agency must comply with any privacy code of practice applying to the agency.
(2)  The contravention by a public sector agency of a privacy code of practice applying to the agency is conduct to which Part 5 applies.
Division 2 Privacy management plans
33   Preparation and implementation of privacy management plans
(1)  Each public sector agency must prepare and implement a privacy management plan within 12 months of the commencement of this section.
(2)  The privacy management plan of a public sector agency must include provisions relating to the following:
(a)  the devising of policies and practices to ensure compliance by the agency with the requirements of this Act or the Health Records and Information Privacy Act 2002, if applicable,
(b)  the dissemination of those policies and practices to persons within the agency,
(c)  the procedures that the agency proposes to provide in relation to internal review under Part 5,
(d)  such other matters as are considered relevant by the agency in relation to privacy and the protection of personal information held by the agency.
(3)    (Repealed)
(4)  An agency may amend its privacy management plan from time to time.
(5)  An agency must provide a copy of its privacy management plan to the Privacy Commissioner as soon as practicable after it is prepared and whenever the plan is amended.
(6)  The regulations may make provision for or with respect to privacy management plans, including exempting certain public sector agencies (or classes of agencies) from the requirements of this section.
s 33: Am 2002 No 71, Sch 3 [13]; 2009 No 56, Sch 1.31.
Part 4 Privacy Commissioner
Division 1 General
34   Appointment of Privacy Commissioner
(1)  The Governor may, on the recommendation of the Minister, appoint a Privacy Commissioner.
(2)  Schedule 1 has effect with respect to the Privacy Commissioner.
35   Staff of Privacy Commissioner
(1)  The staff of the Privacy Commissioner are (subject to this section) to be employed under Part 2 of the Public Sector Management Act 1988.
(2)  The Privacy Commissioner may employ other staff with the approval of the Minister. Part 2 of the Public Sector Management Act 1988 does not apply to the employment of any such staff.
(3)  The Privacy Commissioner may arrange for the use of the services of any staff (by secondment or otherwise) or facilities of a government department or any other public or local government authority. Any staff of whose services the Commissioner makes use are taken to be the staff of the Commissioner for the purposes of this Act.
(4)  The Privacy Commissioner may, with the approval of the Minister, engage consultants or other persons for the purpose of getting expert assistance.
Division 2 Functions of Privacy Commissioner
36   General functions
(1)  The Privacy Commissioner has such functions as are conferred or imposed on the Commissioner by or under this or any other Act.
(2)  In particular, the Privacy Commissioner has the following functions:
(a)  to promote the adoption of, and monitor compliance with, the information protection principles,
(b)  to prepare and publish guidelines relating to the protection of personal information and other privacy matters, and to promote the adoption of such guidelines,
(c)  to initiate and recommend the making of privacy codes of practice,
(d)  to provide assistance to public sector agencies in adopting and complying with the information protection principles and privacy codes of practice,
(e)  to provide assistance to public sector agencies in preparing and implementing privacy management plans in accordance with section 33,
(f)  to conduct research, and collect and collate information, about any matter relating to the protection of personal information and the privacy of individuals,
(g)  to provide advice on matters relating to the protection of personal information and the privacy of individuals,
(h)  to make public statements about any matter relating to the privacy of individuals generally,
(i)  to conduct education programs, and to disseminate information, for the purpose of promoting the protection of the privacy of individuals,
(j)  to prepare and publish reports and recommendations about any matter (including developments in technology) that concerns the need for, or the desirability of, legislative, administrative or other action in the interest of the privacy of individuals,
(k)  to receive, investigate and conciliate complaints about privacy related matters (including conduct to which Part 5 applies),
(l)  to conduct such inquiries, and make such investigations, into privacy related matters as the Privacy Commissioner thinks appropriate.
37   Requirement to give information
(1)  The Privacy Commissioner may, in connection with the exercise of the Privacy Commissioner’s functions, require any person or public sector agency:
(a)  to give the Privacy Commissioner a statement of information, or
(b)  to produce to the Privacy Commissioner any document or other thing, or
(c)  to give the Privacy Commissioner a copy of any document.
(2)  The Privacy Commissioner is not to make any such requirement if it appears to the Privacy Commissioner that:
(a)  the person or public sector agency concerned does not consent to compliance with the requirement, and
(b)  the person or public sector agency would not, in court proceedings, be required to comply with a similar requirement on the grounds of public interest, privilege against self-incrimination or legal professional privilege.
(3)  A requirement under this section must be in writing, must specify or describe the information, document or thing required, and must specify the time and manner for complying with the requirement.
(4)  This section does not confer any function on the Privacy Commissioner that may be exercised in relation to the Independent Commission Against Corruption.
38   Inquiries and investigations
(1)  For the purposes of any inquiry or investigation conducted by the Privacy Commissioner under this Act (including in relation to a complaint made under Division 3 of this Part), the Privacy Commissioner has the powers, authorities, protections and immunities conferred on a commissioner by Division 1 of Part 2 of the Royal Commissions Act 1923, and that Act (section 13 and Division 2 of Part 2 excepted) applies (subject to this section) to any witness summoned by or appearing before the Privacy Commissioner in the same way as it applies to a witness summoned by or appearing before a commissioner.
(2)  Subsection (1) does not confer any function on the Privacy Commissioner that may be exercised in relation to the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, Police Integrity Commission, Inspector of the Police Integrity Commission, staff of the Inspector of the Police Integrity Commission or New South Wales Crime Commission.
(3)  Any inquiry or investigation conducted by the Privacy Commissioner under this Act is to be conducted in the absence of the public, except as otherwise directed by the Privacy Commissioner.
(4)  The Privacy Commissioner, in the course of conducting an inquiry or investigation under this Act, must set aside any requirement:
(a)  to give any statement of information, or
(b)  to produce any document or other thing, or
(c)  to give a copy of any document, or
(d)  to answer any question,
if it appears to the Privacy Commissioner that the person concerned does not consent to compliance with the requirement and the person would not, in court proceedings, be required to comply with a similar requirement on the grounds of public interest, privilege against self-incrimination or legal professional privilege. However, the person must comply with any such requirement despite any duty of secrecy or other restriction on disclosure.
(5)  A person is not entitled to be represented by another person at an inquiry or investigation conducted by the Privacy Commissioner except with the leave of the Privacy Commissioner.
(6)  The Privacy Commissioner may allow any person appearing before the Privacy Commissioner to have the services of an interpreter.
s 38: Am 2000 No 93, Sch 1.16 [4]; 2005 No 10, Sch 2.9 [4].
39   General procedure for inquiries and investigations
The Privacy Commissioner:
(a)  may determine the procedures to be followed in exercising the Privacy Commissioner’s functions under this Act, including the procedures to be followed at an inquiry or investigation conducted by the Privacy Commissioner, and
(b)  is to act in an informal manner (including avoiding conducting formal hearings) as far as possible, and
(c)  is not bound by the rules of evidence and may inform himself or herself on any matter in any way that the Privacy Commissioner considers to be just, and
(d)  is to act according to the substantial merits of the case without undue regard to technicalities.
40   Personal information digest
(1)  The Privacy Commissioner may, from time to time, prepare and publish a personal information digest setting out the nature and source of personal information held by public sector agencies.
(2)  Any such personal information digest is to be made publicly available.
(3)  The Privacy Commissioner may, from time to time, require a public sector agency to provide the Privacy Commissioner with such details relating to the personal information held by the agency as the Commissioner may require. The public sector agency must comply with the requirement.
(4)  This section does not apply to personal information held by the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, the Police Integrity Commission, the Inspector of the Police Integrity Commission, the staff of the Inspector of the Police Integrity Commission or the New South Wales Crime Commission.
s 40: Am 2000 No 93, Sch 1.16 [5]; 2005 No 10, Sch 2.9 [5].
41   Exempting agencies from complying with principles and codes
(1)  The Privacy Commissioner, with the approval of the Minister, may make a written direction that:
(a)  a public sector agency is not required to comply with an information protection principle or a privacy code of practice, or
(b)  the application of a principle or a code to a public sector agency is to be modified as specified in the direction.
(2)  Any such direction has effect despite any other provision of this Act.
(3)  The Privacy Commissioner is not to make a direction under this section unless the Privacy Commissioner is satisfied that the public interest in requiring the public sector agency to comply with the principle or code is outweighed by the public interest in the Privacy Commissioner making the direction.
42   Information about compliance arrangements
(1)  The Privacy Commissioner may require a public sector agency to provide the Commissioner with information concerning the arrangements that have been made by the agency to enable the agency to comply with the information protection principles, and any privacy code of practice, applying to the agency.
(2)  Any such requirement must be in writing and specify a time for complying with the requirement.
(3)  This section does not confer any function on the Privacy Commissioner that may be exercised in relation to the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, Police Integrity Commission, Inspector of the Police Integrity Commission, staff of the Inspector of the Police Integrity Commission, New South Wales Crime Commission or Ombudsman’s Office.
s 42: Am 2000 No 93, Sch 1.16 [4]; 2005 No 10, Sch 2.9 [6].
43   Requirement to disclose exempt documents
(1)  Nothing in this Act or the Health Records and Information Privacy Act 2002 authorises the Privacy Commissioner to require any person or public sector agency to disclose an exempt document.
(2)  The Director-General of The Cabinet Office may certify that a document is an exempt document because it is a Cabinet document. Any such certificate:
(a)  is conclusive of that fact, and
(b)  authorises any person or agency who would otherwise be required under this Act or the Health Records and Information Privacy Act 2002 to disclose the document concerned to refuse to disclose it.
(3)  In this section:
disclose a document includes the following:
(a)  provide copies of the document,
(b)  give access to the document,
(c)  disclose the contents of the document.
document includes a part of a document.
exempt document means a document of a kind referred to in clause 1 or 2 of Schedule 1 to the Freedom of Information Act 1989 (ie Cabinet documents or Executive Council documents).
s 43: Am 2002 No 71, Sch 3 [14] [15].
44   Delegation of functions
(1)  The Privacy Commissioner may delegate to an authorised person any of the functions of the Privacy Commissioner under this or any other Act other than this power of delegation.
(2)  A delegate may sub-delegate to an authorised person any function delegated by the Privacy Commissioner if the delegate is authorised in writing to do so by the Commissioner.
(3)  In this section, authorised person means:
(a)  a member of the staff of the Privacy Commissioner, or
(b)  a person of a class prescribed by the regulations or approved by the Minister.
s 44: Am 2002 No 71, Sch 3 [16].
Division 3 Complaints relating to privacy
45   Making of privacy related complaints
(1)  A complaint may be made to (or by) the Privacy Commissioner about the alleged violation of, or interference with, the privacy of an individual.
(2)  The subject-matter of a complaint may relate to conduct to which Part 5 applies (unless it is conduct that is alleged to have occurred before the commencement of that Part).
Note—
Section 21 of the Health Records and Information Privacy Act 2002 provides that certain conduct under that Act by public sector agencies is conduct to which Part 5 of this Act applies.
(2A)  A complaint about a matter referred to in section 42 of the Health Records and Information Privacy Act 2002 is not to be dealt with under this Division but is to be dealt with by the Privacy Commissioner as a complaint under Part 6 of that Act.
Note—
Section 42 of that Health Records and Information Privacy Act 2002 provides that a complaint may be made to the Privacy Commissioner about the alleged contravention by a private sector person of a Health Privacy Principle, a provision of Part 4 (Provisions for private sector persons) of that Act or a health privacy code of practice.
(3)  A complaint may be in writing or verbal, but the Privacy Commissioner may require a verbal complaint to be put in writing.
(4)  The Privacy Commissioner may require information about a complaint to be provided by the complainant in a particular manner or form, and may require a complaint to be verified by statutory declaration.
(5)  A complaint must be made within 6 months (or such later time as the Privacy Commissioner may allow) from the time the complainant first became aware of the conduct or matter the subject of the complaint.
(6)  A complainant may amend or withdraw a complaint.
s 45: Am 2002 No 71, Sch 3 [18] (am 2002 No 112, Sch 2.8).
s 45, notes: Ins 2002 No 71, Sch 3 [17] [18] (am 2002 No 112, Sch 2.8).
46   Preliminary assessment of privacy related complaints
(1)  The Privacy Commissioner may conduct a preliminary assessment of a complaint made under this Division for the purpose of deciding whether to deal with the complaint.
(2)  If the subject-matter of the complaint relates to conduct to which Part 5 applies, the Privacy Commissioner must inform the complainant of the review process under that Part and the remedial action that may be available if the complainant decides to make an application under section 53 in respect of that conduct.
(3)  The Privacy Commissioner may decide not to deal with a complaint if the Privacy Commissioner is satisfied that:
(a)  the complaint is frivolous, vexatious or lacking in substance, or is not in good faith, or
(b)  the subject-matter of the complaint is trivial, or
(c)  the subject-matter of the complaint relates to a matter permitted or required by or under any law, or
(d)  there is available to the complainant an alternative, satisfactory and readily available means of redress, or
(e)  it would be more appropriate for the complainant to make an application under section 53.
47   Referring privacy related complaints to other authorities
(1)  The Privacy Commissioner may refer a complaint made under this Division for investigation or other action to any person or body (the relevant authority) considered by the Privacy Commissioner to be appropriate in the circumstances.
(2)  The Privacy Commissioner may communicate to the relevant authority any information that the Privacy Commissioner has obtained in relation to the complaint.
(3)  The Privacy Commissioner may only refer a complaint to a relevant authority after appropriate consultation with the complainant and the relevant authority, and after taking their views into consideration.
48   Dealing with privacy related complaints
(1)  If the Privacy Commissioner decides to deal with a complaint made under this Division, the Privacy Commissioner may:
(a)  deal with the complaint, and
(b)  make such inquiries and investigations in relation to the complaint as the Privacy Commissioner thinks appropriate.
(2)  If the Privacy Commissioner declines to deal with a complaint, the Privacy Commissioner must advise the complainant of the reasons for declining to deal with the complaint.
49   Resolution of privacy related complaints by conciliation
(1)  In dealing with a complaint made under this Division, the Privacy Commissioner must endeavour to resolve the complaint by conciliation.
(2)  The Privacy Commissioner may by written notice request the complainant, and the person or body against whom the complaint is made (the respondent), to appear before the Privacy Commissioner in conciliation proceedings.
(3)  If a respondent that is a public sector agency receives any such notice, the agency must comply with the terms of the notice.
Maximum penalty (subsection (3)): 50 penalty units.
(4)  The parties to any such conciliation proceedings before the Privacy Commissioner are not entitled to be represented by any other person except by leave of the Privacy Commissioner.
(5)  The procedures for conciliation are to be determined by the Privacy Commissioner.
50   Reports and recommendations of Privacy Commissioner
(1)  The Privacy Commissioner may make a written report as to any findings or recommendations by the Privacy Commissioner in relation to a complaint dealt with by the Commissioner under this Division.
(2)  The Privacy Commissioner may give a copy of any such report to the complainant, and to such other persons or bodies as appear to be materially involved in matters concerning the complaint.
51   Effect of dealing with privacy related complaints under this Division
Even though the Privacy Commissioner declines to deal with a complaint under this Division, or decides to refer the complaint to a relevant authority, the Privacy Commissioner may conduct an inquiry or investigation into any general issues or matters raised in connection with the complaint.
Part 5 Review of certain conduct
52   Application of Part
(1)  This Part applies to the following conduct:
(a)  the contravention by a public sector agency of an information protection principle that applies to the agency,
(b)  the contravention by a public sector agency of a privacy code of practice that applies to the agency,
(c)  the disclosure by a public sector agency of personal information kept in a public register.
(2)  A reference in this Part to conduct includes a reference to alleged conduct.
(3)  This Part does not apply to any conduct that occurred before the commencement of this Part.
(4)  Section 53 (Internal reviews) of the Administrative Decisions Tribunal Act 1997 does not apply to or in respect of conduct to which this Part applies.
53   Internal review by public sector agencies
(1)  A person (the applicant) who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct.
(2)  The review is to be undertaken by the public sector agency concerned.
(3)  An application for such a review must:
(a)  be in writing, and
(b)  be addressed to the public sector agency concerned, and
(c)  specify an address in Australia to which a notice under subsection (8) may be sent, and
(d)  be lodged at an office of the public sector agency within 6 months (or such later date as the agency may allow) from the time the applicant first became aware of the conduct the subject of the application, and
(e)  comply with such other requirements as may be prescribed by the regulations.
(4)  Except as provided by section 54 (3), the application must be dealt with by an individual within the public sector agency who is directed by the agency to deal with the application. That individual must be, as far as is practicable, a person:
(a)  who was not substantially involved in any matter relating to the conduct the subject of the application, and
(b)  who is an employee or officer of the agency, and
(c)  who is otherwise suitably qualified to deal with the matters raised by the application.
(5)  In reviewing the conduct the subject of the application, the individual dealing with the application must consider any relevant material submitted by:
(a)  the applicant, and
(b)  the Privacy Commissioner.
(6)  The review must be completed as soon as is reasonably practicable in the circumstances. However, if the review is not completed within 60 days from the day on which the application was received, the applicant is entitled to make an application under section 55 to the Tribunal for a review of the conduct concerned.
(7)  Following the completion of the review, the public sector agency whose conduct was the subject of the application may do any one or more of the following:
(a)  take no further action on the matter,
(b)  make a formal apology to the applicant,
(c)  take such remedial action as it thinks appropriate (eg the payment of monetary compensation to the applicant),
(d)  provide undertakings that the conduct will not occur again,
(e)  implement administrative measures to ensure that the conduct will not occur again.
(7A)  A public sector agency may not pay monetary compensation under subsection (7) if:
(a)  the applicant is a convicted inmate or former convicted inmate or a spouse, partner (whether of the same or the opposite sex), relative, friend or an associate of a convicted inmate or former convicted inmate, and
(b)  the application relates to conduct of a public sector agency in relation to the convicted inmate or former convicted inmate, and
(c)  the conduct occurred while the convicted inmate or former convicted inmate was a convicted inmate, or relates to any period during which the convicted inmate or former convicted inmate was a convicted inmate.
(8)  As soon as practicable (or in any event within 14 days) after the completion of the review, the public sector agency must notify the applicant in writing of:
(a)  the findings of the review (and the reasons for those findings), and
(b)  the action proposed to be taken by the agency (and the reasons for taking that action), and
(c)  the right of the person to have those findings, and the agency’s proposed action, reviewed by the Tribunal.
s 53: Am 1999 No 31, Sch 1.34 [1]; 2002 No 116, Sch 1 [2]; 2008 No 23, Sch 3.35.
54   Role of Privacy Commissioner in internal review process
(1)  A public sector agency that receives an application under section 53 must:
(a)  as soon as practicable after receiving the application notify the Privacy Commissioner of the application, and
(b)  keep the Privacy Commissioner informed of the progress of the internal review, and
(c)  inform the Privacy Commissioner of the findings of the review and of the action proposed to be taken by the agency in relation to the matter.
(2)  The Privacy Commissioner is entitled to make submissions to the agency in relation to the subject matter of the application.
(3)  The Privacy Commissioner may, at the request of the agency concerned:
(a)  undertake the internal review on behalf of the agency, and
(b)  make a report to the agency in relation to the application.
(4)  The Privacy Commissioner is entitled to charge an appropriate fee for that service.
(5)  Section 53 (7), (7A) and (8) apply in respect of an internal review that is undertaken by the Privacy Commissioner on behalf of an agency.
s 54: Am 2002 No 116, Sch 1 [3].
55   Review of conduct by Tribunal
(1)  If a person who has made an application for internal review under section 53 is not satisfied with:
(a)  the findings of the review, or
(b)  the action taken by the public sector agency in relation to the application,
the person may apply to the Tribunal for a review of the conduct that was the subject of the application under section 53.
(2)  On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:
(a)  subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,
(b)  an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,
(c)  an order requiring the performance of an information protection principle or a privacy code of practice,
(d)  an order requiring personal information that has been disclosed to be corrected by the public sector agency,
(e)  an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,
(f)  an order requiring the public sector agency not to disclose personal information contained in a public register,
(g)  such ancillary orders as the Tribunal thinks appropriate.
(3)  Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 5 of the Administrative Decisions Tribunal Act 1997.
(4)  The Tribunal may make an order under subsection (2) (a) only if:
(a)  the application relates to conduct that occurs after the end of the 12 month period following the date on which Division 1 of Part 2 commences, and
(b)  the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency.
(4A)  The Tribunal may not make an order under subsection (2) (a) if:
(a)  the applicant is a convicted inmate or former convicted inmate or a spouse, partner (whether of the same or the opposite sex), relative, friend or an associate of a convicted inmate or former convicted inmate, and
(b)  the application relates to conduct of a public sector agency in relation to the convicted inmate or former convicted inmate, and
(c)  the conduct occurred while the convicted inmate or former convicted inmate was a convicted inmate, or relates to any period during which the convicted inmate or former convicted inmate was a convicted inmate.
(5)  If, in the course of a review under this section, the Tribunal is of the opinion that the chief executive officer or an employee of the public sector agency concerned has failed to exercise in good faith a function conferred or imposed on the officer or employee by or under this Act (including by or under a privacy code of practice), the Tribunal may take such measures as it considers appropriate to bring the matter to the attention of the responsible Minister (if any) for the public sector agency.
(6)  The Privacy Commissioner is to be notified by the Tribunal of any application made to it under this section.
(7)  The Privacy Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to a review under this section.
s 55: Am 2002 No 116, Sch 1 [4] [5]; 2003 No 40, Sch 2.24 [2]; 2008 No 23, Sch 3.35.
56   Appeals to Appeal Panel against decisions and orders of Tribunal
An order or other decision made by the Tribunal under this Part may be appealed to an Appeal Panel of the Tribunal under Part 1 of Chapter 7 of the Administrative Decisions Tribunal Act 1997 by a party to the proceedings in which the order or decision is made.
Part 6 Public registers
56A   Personal information includes health information
In this Part:
personal information includes health information within the meaning of the Health Records and Information Privacy Act 2002.
s 56A: Ins 2002 No 71, Sch 3 [19].
57   Disclosure of personal information contained in public registers
(1)  The public sector agency responsible for keeping a public register must not disclose any personal information kept in the register unless the agency is satisfied that it is to be used for a purpose relating to the purpose of the register or the Act under which the register is kept.
(2)  In order to enable the responsible agency to comply with subsection (1), the agency may require any person who applies to inspect personal information contained in the public register to give particulars, in the form of a statutory declaration, as to the intended use of any information obtained from the inspection.
58   Suppression of personal information
(1)  A person about whom personal information is contained (or proposed to be contained) in a public register may request the public sector agency responsible for keeping the register to have the information:
(a)  removed from, or not placed on, the register as publicly available, and
(b)  not disclosed to the public.
(2)  If the public sector agency is satisfied that the safety or well-being of any person would be affected by not suppressing the personal information as requested, the agency must suppress the information in accordance with the request unless the agency is of the opinion that the public interest in maintaining public access to the information outweighs any individual interest in suppressing the information.
(3)  Any information that is removed from, or not placed on, a public register under this section may be kept on the register for other purposes.
59   Provisions of this Part prevail
The provisions of this Part prevail to the extent of any inconsistency with the requirements of the law under which the public register concerned is established.
Part 7 Privacy Advisory Committee
60   Privacy Advisory Committee
(1)  There is established by this Act a Privacy Advisory Committee.
(2)  The Committee is to consist of the Privacy Commissioner, and the following part-time members appointed by the Governor:
(a)  a member of the Legislative Assembly or the Legislative Council nominated by the Minister,
(b)  a member of the Legislative Assembly or the Legislative Council nominated by the Leader of the Opposition in the Legislative Assembly,
(c)  not more than 4 members nominated by the Minister having, in the opinion of the Minister, special knowledge of or interest in matters affecting the privacy of persons.
(3)  The Privacy Commissioner is to be the Chairperson of the Committee and is to preside at meetings of the Committee.
(4)  Schedule 2 has effect with respect to the members and procedure of the Committee.
61   Functions of Privacy Advisory Committee
The Privacy Advisory Committee has the following functions:
(a)  to advise on matters relevant to the Privacy Commissioner’s functions,
(b)  to recommend material to the Privacy Commissioner for inclusion in guidelines to be issued by the Privacy Commissioner in exercising the Commissioner’s functions,
(c)  to advise the Minister on such matters as may be referred to it by the Minister.
Part 8 Miscellaneous
62   Corrupt disclosure and use of personal information by public sector officials
(1)  A public sector official must not, otherwise than in connection with the lawful exercise of his or her official functions, intentionally disclose or use any personal information about another person to which the official has or had access in the exercise of his or her official functions.
Maximum penalty: 100 penalty units or imprisonment for 2 years, or both.
(2)  A person must not induce or attempt to induce a public sector official (by way of a bribe or other similar corrupt conduct) to disclose any personal information about another person to which the official has or had access in the exercise of his or her official functions.
Maximum penalty: 100 penalty units or imprisonment for 2 years, or both.
(3)  Subsection (1) does not prohibit a public sector official from disclosing any personal information about another person if the disclosure is made in accordance with the Protected Disclosures Act 1994.
(4)  In this section, a reference to a public sector official includes a reference to a person who was formerly a public sector official.
63   Offering to supply personal information that has been disclosed unlawfully
(1)  A person who offers to supply (whether to a particular person or otherwise), or holds himself or herself out as being able to supply (whether to a particular person or otherwise), personal information that the person knows, or ought reasonably to know, has been or is proposed to be disclosed in contravention of section 62 is guilty of an offence.
Maximum penalty: 100 penalty units or imprisonment for 2 years, or both.
(2)  If a person is convicted of an offence under section 62 or 63 (1), the court may order the confiscation of any money or other benefit alleged to have been obtained by the person in connection with the offence and for that money or other benefit to be forfeited to the Crown.
64   Annual report
(1)  The Privacy Commissioner is, as soon as practicable after 30 June in each year, to prepare and submit to the Minister a report of the Privacy Commissioner’s work and activities for the 12 months preceding that date.
(2)  The Minister is to lay that report or cause it to be laid before each House of Parliament as soon as practicable after receiving it.
65   Special report to Parliament
(1)  The Privacy Commissioner may, at any time, make a special report on any matter arising in connection with the discharge of his or her functions to the Presiding Officer of each House of Parliament and must also provide the Minister with a copy of the report.
(2)  The Privacy Commissioner may include in a report under this section a recommendation that the report be made public immediately.
(3)  A copy of a report made or furnished to the Presiding Officer of a House of Parliament must be laid before that House on the next sitting day of that House after it is received by the Presiding Officer.
(4)  If a report includes a recommendation by the Privacy Commissioner that the report be made public immediately, the Presiding Officer of a House of Parliament may make it public whether or not that House is in session and whether or not the report has been laid before that House.
(5)  A report that is made public by the Presiding Officer of a House of Parliament before it is laid before that House attracts the same privileges and immunities as it would if it had been laid before that House.
(6)  A Presiding Officer need not inquire whether all or any conditions precedent have been satisfied as regards a report purporting to have been made or furnished in accordance with this Act.
(7)  In this section, a reference to a Presiding Officer of a House of Parliament is a reference to the President of the Legislative Council or the Speaker of the Legislative Assembly. If there is a vacancy in the office of President, the reference to the President is taken to be a reference to the Clerk of the Legislative Council and, if there is a vacancy in the office of Speaker, the reference to the Speaker is taken to be a reference to the Clerk of the Legislative Assembly.
66   Personal liability of Privacy Commissioner and others
A matter or thing done (or omitted to be done) by the Privacy Commissioner, a member of the staff of the Privacy Commissioner, a member of the Privacy Advisory Committee or a person acting under the direction of the Privacy Commissioner does not, if the matter or thing was done (or omitted to be done) in good faith for the purpose of executing this Act or any other Act, subject the Privacy Commissioner, the member of staff, the member of the Privacy Advisory Committee or the person so acting personally to any action, liability, claim or demand.
s 66: Am 2002 No 71, Sch 3 [20].
66A   Protection from liability
(1)  Civil proceedings do not lie against a person in respect of loss, damage or injury of any kind suffered by another person by reason only of any of the following acts done in good faith:
(a)  the making of a complaint or application under this Act,
(b)  the making of a statement to, or the giving of a document or information to, the Privacy Commissioner, whether or not pursuant to a requirement under section 37.
(2)  If a public sector agency provides an individual with access to personal information under this Act, and the access was required by section 14 (Access to personal information held by agencies), or an employee, officer or agent of the public sector agency believed in good faith that the access was required by section 14:
(a)  no action for defamation or breach of confidence lies against the public sector agency, any employee, officer or agent of the agency or the Crown by reason of the provision of access, and
(b)  no action for defamation or breach of confidence in respect of any publication involved in, or resulting from, the giving of access lies against the person who provided the personal information to the public sector agency by reason of the person having supplied the information to the agency, and
(c)  the public sector agency, or any employee, officer or agent of the public sector agency, or any other person concerned in giving access to the personal information is not guilty of an offence merely because of the giving of access.
(3)  The provision of access to personal information in the circumstances referred to in subsection (2) must not be taken to constitute, for the purposes of the law relating to defamation or breach of confidence, an authorisation or approval of the publication of the health information by the person to whom access to the information is provided.
s 66A: Ins 2002 No 71, Sch 3 [21].
66B   Fees
(1)  A public sector agency may charge a fee for any of the following matters:
(a)  giving an individual a copy of health information,
(b)  giving an individual an opportunity to inspect and take notes of the health information,
(c)  amending health information at the request of an individual,
(d)  any other matter prescribed by the regulations.
(2)  Any fee charged must not exceed such fee (if any) prescribed by the regulations for the matter concerned.
s 66B: Ins 2002 No 71, Sch 3 [21].
67   Disclosure by Privacy Commissioner or staff member
(1)  The Privacy Commissioner or a member of the staff of the Privacy Commissioner must not disclose any information obtained by him or her in the course of his or her office, unless the disclosure is made:
(a)  with the consent of the person the subject of the information, or
(b)  for the purpose of discharging functions of the Privacy Commissioner or member of staff under this or any other Act.
Maximum penalty: 10 penalty units.
(2)  Subsection (1) does not prevent the Privacy Commissioner from furnishing any information relating to:
(a)  a matter arising under a law of another State, a Territory or the Commonwealth, or
(b)  an undertaking that is or was being carried out jointly by New South Wales and another State, a Territory or the Commonwealth,
to a person exercising under a law of that other State, that Territory or the Commonwealth functions similar to those exercised by the Commissioner under this Act or any other Act.
(3)  Subsection (1) does not operate to render admissible in evidence in any proceedings any document that would not have been so admissible if this section had not been enacted.
s 67: Am 2002 No 71, Sch 3 [22].
68   Offences relating to dealings with Privacy Commissioner
(1)  A person must not:
(a)  without lawful excuse, wilfully obstruct, hinder or resist the Privacy Commissioner or a member of the staff of the Privacy Commissioner in the exercise of functions under this or any other Act, or
(b)  without lawful excuse, refuse or wilfully fail to comply with any lawful requirement of the Privacy Commissioner or a member of the staff of the Privacy Commissioner under this or any other Act, or
(c)  wilfully make any false statement to or mislead, or attempt to mislead, the Privacy Commissioner or a member of the staff of the Privacy Commissioner in the exercise of functions under this or any other Act.
Maximum penalty: 10 penalty units.
(2)  A person must not directly or indirectly:
(a)  if the person is not the Privacy Commissioner—represent that he or she is the Privacy Commissioner, or
(b)  if the person has not been appointed under this Act as acting Privacy Commissioner—represent that he or she has been so appointed, or
(c)  if the person is not a person to whom a delegation has been made under this Act or the Health Records and Information Privacy Act 2002—represent that he or she is such a person, or
(d)  if the person is not a member of the staff of the Privacy Commissioner—represent that he or she is a member of that staff.
Maximum penalty: 10 penalty units.
(3)  For the purposes of subsection (2), a person represents that a state of affairs exists if the person does or says anything, or causes, permits or suffers anything to be done or said, whereby it is represented, or whereby a belief may be induced, that the state of affairs exists.
s 68: Am 2002 No 71, Sch 3 [23].
69   Legal rights not affected
(1)  Nothing in Part 2 or 3 gives rise to, or can be taken into account in, any civil cause of action, and without limiting the generality of the foregoing, nothing in Part 2 or 3:
(a)  operates to create in any person any legal rights not in existence before the enactment of this Act, or
(b)  affects the validity, or provides grounds for review, of any judicial or administrative act or omission.
(2)  Subsection (1) is subject to sections 21 and 32.
70   Proceedings for offences
Proceedings for an offence against this Act are to be dealt with summarily before the Local Court.
s 70: Am 2001 No 121, Sch 2.172 [2]; 2007 No 94, Sch 2.
71   Regulations
(1)  The Governor may make regulations, not inconsistent with this Act, for or with respect to any matter that by this Act is required or permitted to be prescribed or that is necessary or convenient to be prescribed for carrying out or giving effect to this Act.
(2)  Without affecting the generality of subsection (1), the regulations may make provision for or with respect to:
(a)  the manner in which privacy codes of practice are to be prepared and developed, and
(b)  exempting specified persons or public sector agencies, or classes of persons or public sector agencies, from:
(i)  any of the requirements of this Act or the regulations relating to the collection, use or disclosure of specified classes of personal information, or
(ii)  any other provision of this Act.
(3)  A regulation may create an offence punishable by a penalty not exceeding 50 penalty units.
72   (Repealed)
s 72: Rep 2003 No 82, Sch 3.
74   Savings, transitional and other provisions
Schedule 4 has effect.
75   Review of Act
(1)  The Minister is to review this Act to determine whether the policy objectives of the Act remain valid and whether the terms of the Act remain appropriate for securing those objectives.
(2)  The review is to be undertaken as soon as possible after the period of 5 years from the date of assent to this Act.
(3)  A report of the outcome of the review is to be tabled in each House of Parliament within 12 months after the end of the period of 5 years.
Schedule 1 Provisions relating to Privacy Commissioner
(Section 34)
1   Appointment of acting Privacy Commissioner
(1)  The Minister may, from time to time, appoint a person to act in the office of the Privacy Commissioner during the illness or absence of the Privacy Commissioner (or during a vacancy in the office of the Commissioner). The person, while so acting, has all the functions of the Privacy Commissioner and is taken to be the Privacy Commissioner (including as Chairperson of the Privacy Advisory Committee).
(2)  The Minister may, at any time, remove a person from office as acting Privacy Commissioner.
(3)  An acting Privacy Commissioner is entitled to be paid such remuneration (including travelling and subsistence allowances) as the Minister may from time to time determine.
2   Terms and conditions of appointment
(1)  Subject to this Act, the Privacy Commissioner holds office on terms and conditions approved by the Minister.
(2)  Subject to clause 4, the Privacy Commissioner holds office for such period (not exceeding 5 years) as is specified in the Commissioner’s instrument of appointment, but is eligible (if otherwise qualified) for re-appointment.
(3)  The Privacy Commissioner may be appointed on a full-time or part-time basis.
3   Remuneration
(1)  A Privacy Commissioner appointed on a full-time basis is entitled to be paid remuneration in accordance with the Statutory and Other Offices Remuneration Act 1975 and such travelling and subsistence allowances as the Minister may from time to time determine.
(2)  A Privacy Commissioner appointed on a part-time basis is entitled to be paid such remuneration (including travelling and subsistence allowances) as the Minister may from time to time determine in respect of him or her.
(3)  A person may hold office, and exercise functions, as Privacy Commissioner (whether full-time or part-time) even though the person also holds, and exercises the functions of, a judicial office or a statutory or other public office.
4   Vacancy in office
(1)  The office of Privacy Commissioner becomes vacant if the holder of the office:
(a)  dies, or
(b)  completes a term of office and is not re-appointed, or
(c)  resigns the office by letter addressed to the Minister, or
(d)  is removed from office by the Governor under this clause, or
(e)  becomes bankrupt, applies to take the benefit of any law for the relief of bankrupt or insolvent debtors, compounds with his or her creditors or makes an assignment of his or her remuneration for their benefit, or
(f)  becomes a mentally incapacitated person, or
(g)  is convicted in New South Wales of an offence that is punishable by imprisonment for 12 months or more or is convicted elsewhere than in New South Wales of an offence that, if committed in New South Wales, would be an offence so punishable.
(2)  The Governor may remove the Privacy Commissioner from office for misbehaviour, incapacity or incompetence.
5   Effect of certain other Acts
(1)  Parts 2 and 8 of the Public Sector Management Act 1988 do not apply to or in respect of the Privacy Commissioner.
(2)  If, by or under any Act, provision is made:
(a)  requiring a person who is the holder of a specified office to devote the whole of his or her time to the duties of that office, or
(b)  prohibiting the person from engaging in employment outside the duties of that office,
the provision does not operate to disqualify the person from holding that office and also the office of Privacy Commissioner.
sch 1: Am 1999 No 31, Sch 1.34 [2]–[4]; 1999 No 94, sec 7 (2) and Sch 5, Part 2.
Schedule 2 Provisions relating to members and procedure of Privacy Advisory Committee
(Section 60 (4))
1   Definition
In this Schedule:
member means a member of the Privacy Advisory Committee other than the Privacy Commissioner.
2   Deputies of members
(1)  The Minister may, from time to time, appoint a person to be the deputy of a member, and the Minister may revoke any such appointment.
(2)  In the case of a member nominated by the Leader of the Opposition, the Minister must appoint a person so nominated to be the deputy of the member.
(3)  In the absence of a member, the member’s deputy:
(a)  may, if available, act in the place of the member, and
(b)  while so acting, has all the functions of the member and is taken to be the member.
(4)  A deputy while acting in the place of a member is entitled to be paid such remuneration (including travelling and subsistence allowances) as the Minister may from time to time determine in respect of the person.
3   Term of office of members
Subject to this Schedule, a member holds office for such period (not exceeding 3 years) as is specified in the member’s instrument of appointment, but is eligible (if otherwise qualified) for re-appointment.
4   Remuneration of members
A member is entitled to be paid such remuneration (including travelling and subsistence allowances) for attending meetings and transacting the business of the Committee as the Minister may from time to time determine in respect of the member.
5   Vacancy in office of members
(1)  The office of a member becomes vacant if the member:
(a)  dies, or
(b)  completes a term of office and is not re-appointed, or
(c)  resigns the office by letter addressed to the Minister, or
(d)  is removed from office by the Minister under this clause, or
(e)  is absent from 4 consecutive meetings of the Privacy Advisory Committee of which reasonable notice has been given to the member personally or in the ordinary course of post, except on leave granted by the Committee or unless, before the expiration of 4 weeks after the last of those meetings, the member is excused by the Committee for having been absent from those meetings, or
(f)  becomes bankrupt, applies to take the benefit of any law for the relief of bankrupt or insolvent debtors, compounds with his or her creditors or makes an assignment of his or her remuneration for their benefit, or
(g)  becomes a mentally incapacitated person, or
(h)  is convicted in New South Wales of an offence that is punishable by imprisonment for 12 months or more or is convicted elsewhere than in New South Wales of an offence that, if committed in New South Wales, would be an offence so punishable.
(2)  The Minister may remove a member from office at any time.
6   Filling of vacancy in office of member
If the office of any member becomes vacant, a person is, subject to this Act, to be appointed to fill the vacancy.
7   Effect of certain other Acts
(1)  Parts 2 and 8 of the Public Sector Management Act 1988 do not apply to or in respect of the appointment of a member.
(2)  If, by or under any Act, provision is made:
(a)  requiring a person who is the holder of a specified office to devote the whole of his or her time to the duties of that office, or
(b)  prohibiting the person from engaging in employment outside the duties of that office,
the provision does not operate to disqualify the person from holding that office and also the office of a member or from accepting and retaining any remuneration payable to the person under this Act as such a member.
(3)  The office of a member is not, for the purposes of any Act, an office or place of profit under the Crown.
8   General procedure
The procedure for the calling of meetings of the Privacy Advisory Committee and for the conduct of business at those meetings, is to be as determined by the Privacy Commissioner.
sch 2: Am 1999 No 94, sec 7 (2) and Sch 5, Part 2.
Schedule 3 (Repealed)
sch 3: Rep 2003 No 82, Sch 3.
Schedule 4 Savings, transitional and other provisions
(Section 74)
1   Savings and transitional regulations
(1)  The regulations may contain provisions of a savings or transitional nature consequent on the enactment of the following Acts:
this Act
Health Records and Information Privacy Act 2002, but only to the extent that it amends this Act
(2)  Any such provision may, if the regulations so provide, take effect from the date of assent to the Act concerned or a later date.
(3)  To the extent to which any such provision takes effect from a date that is earlier than the date of its publication in the Gazette, the provision does not operate so as:
(a)  to affect in a manner prejudicial to any person (other than the State or an authority of the State), the rights of that person existing before the date of its publication, or
(b)  to impose liabilities on any person (other than the State or an authority of the State) in respect of any thing done or omitted to be done before the date of its publication.
2   Abolition of Privacy Committee
(1)  The Privacy Committee is abolished.
(2)  A person who, immediately before the repeal of the Privacy Committee Act 1975, held office as a member of the Privacy Committee, ceases to hold office on that repeal but is eligible (if otherwise qualified) to be appointed as a member of the Privacy Advisory Committee under this Act.
(3)  A person who ceases to hold office because of subclause (1) is not entitled to any remuneration or compensation because of the loss of that office.
3   Existing complaints
A complaint received by the Privacy Committee, but not concluded immediately before the repeal of the Privacy Committee Act 1975, is to be dealt with by the Privacy Commissioner as if that Act had not been repealed by this Act.
4   Existing reports
A publication to which there was a defence of absolute privilege under section 17B of the Defamation Act 1974, immediately before the amendment to that section by Schedule 3 to this Act, continues to be subject to that defence.
5   Annual report
The Privacy Commissioner is, in the Privacy Commissioner’s first annual report, to report on the activities of the Privacy Committee in the period from the date of the last annual report of the Committee to the date of abolition of the Committee.
6   Provisions consequential on enactment of Health Records and Information Privacy Act 2002
(1)  In this clause:
health information has the same meaning as in the HRIP Act.
(2)  A request made under this Act before the commencement of section 4A for access to, or alteration of, health information is to continue to be dealt with by the public sector agency under this Act as if the amendments to this Act by the HRIP Act had not been made.
(3)  A complaint concerning health information made to the Privacy Commissioner under Division 3 of Part 4 before the commencement of section 4A and pending immediately before that commencement is to continue to be dealt with under this Act as if the amendments to this Act by the HRIP Act had not been made. This Act (as in force immediately before the commencement of those amendments) continues to apply for that purpose.
(4)  An application concerning health information made under section 53 (Internal review by public sector agencies) or section 55 (Review of conduct by Tribunal) before the commencement of section 4A and pending immediately before that commencement is to continue to be dealt with by the public sector agency or the Tribunal under this Act as if the amendments to this Act by the HRIP Act had not been made. This Act (as in force immediately before the commencement of those amendments) continues to apply for that purpose.
(5)  For the purpose of allowing a complaint or application to be made in respect of conduct concerning health information that was engaged in before the commencement of section 4A, but in respect of which a complaint or application was not pending immediately before that commencement, this Act (as in force immediately before the commencement of the amendments made by the HRIP Act) continues to apply to conduct engaged in before the commencement of section 4A.
sch 4: Am 2002 No 71, Sch 3 [24] (subst 2003 No 40, Sch 2.15) [25]; 2002 No 116, Sch 1 [6] [7].