An Act to amend the Privacy and Personal Information Protection Act 1998 and certain other Acts and an instrument to consolidate and rationalise certain exemptions from the operation of that Act.
1 Name of Act
This Act is the Privacy and Personal Information Protection Amendment (Exemptions Consolidation) Act 2015.
2 Commencement
This Act commences on a day or days to be appointed by proclamation.
Schedule 1 Amendment of Privacy and Personal Information Protection Act 1998 No 133
[1] Section 3 Definitions
Omit the definition of investigative agency from section 3 (1). Insert instead:
investigative agency means:
(a) any of the following:
(i) the Ombudsman’s Office,
(ii) the Independent Commission Against Corruption,
(iii) the Inspector of the Independent Commission Against Corruption,
(iv) the Police Integrity Commission,
(v) the Inspector of the Police Integrity Commission and any staff of the Inspector,
(vi) the Health Care Complaints Commission,
(vii) the Office of the Legal Services Commissioner,
(viii) a person or body prescribed by the regulations for the purposes of this definition, or
(b) any other public sector agency with investigative functions if:
(i) those functions are exercisable under the authority of an Act or statutory rule (or where that authority is necessarily implied or reasonably contemplated under an Act or statutory rule), and
(ii) the exercise of those functions may result in the agency taking or instituting disciplinary, criminal or other formal action or proceedings against a person or body under investigation, or
(c) a public sector agency conducting an investigation for or on behalf of an agency referred to in paragraph (a) or (b).
[2] Section 19 Special restrictions on disclosure of personal information
Omit section 19 (2)–(5). Insert instead:
(2) A public sector agency that holds personal information about an individual must not disclose the information to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless:
(a) the public sector agency reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the information protection principles, or
(b) the individual expressly consents to the disclosure, or
(c) the disclosure is necessary for the performance of a contract between the individual and the public sector agency, or for the implementation of pre-contractual measures taken in response to the individual’s request, or
(d) the disclosure is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the public sector agency and a third party, or
(e) all of the following apply:
(i) the disclosure is for the benefit of the individual,
(ii) it is impracticable to obtain the consent of the individual to that disclosure,
(iii) if it were practicable to obtain such consent, the individual would be likely to give it, or
(f) the disclosure is reasonably believed by the public sector agency to be necessary to lessen or prevent a serious and imminent threat to the life, health or safety of the individual or another person, or
(g) the public sector agency has taken reasonable steps to ensure that the information that it has disclosed will not be held, used or disclosed by the recipient of the information inconsistently with the information protection principles, or
(h) the disclosure is permitted or required by an Act (including an Act of the Commonwealth) or any other law.
[3] Section 23 Exemptions relating to law enforcement and related matters
Insert after section 23 (6):
(6A) A public sector agency is not required to comply with the information protection principles with respect to the collection, use or disclosure of personal information if:
(a) the agency is providing the information to another public sector agency or the agency is being provided with the information by another public sector agency, and
(b) the collection, use or disclosure of the information is reasonably necessary for law enforcement purposes.
[4] Section 23 (8)
Insert after section 23 (7):
(8) In this section:
(a) a reference to law enforcement purposes includes a reference to law enforcement purposes of another State or a Territory or the Commonwealth, and
(b) a reference to an offence includes a reference to an offence against a law of another State or a Territory or the Commonwealth, and
(c) a reference to the protection of the public revenue includes a reference to the protection of the public revenue of another State or a Territory or the Commonwealth.
[5] Section 24
Omit the section. Insert instead:
24 Exemptions relating to investigative agencies
(1) An investigative agency is not required to comply with section 9, 10, 13, 14, 15, 18 or 19 (1) if compliance with those sections might detrimentally affect (or prevent the proper exercise of) the agency’s complaint handling functions or any of its investigative functions.
(2) An investigative agency is not required to comply with section 17 if the use of the information concerned for a purpose other than the purpose for which it was collected is reasonably necessary in order to enable the agency to exercise its complaint handling functions or any of its investigative functions.
(3) An investigative agency is not required to comply with section 18 or 19 (1) if the information concerned is disclosed to another investigative agency.
(4) A public sector agency (whether or not an investigative agency) is not required to comply with section 18 or 19 (1) if non-compliance is reasonably necessary to assist another public sector agency that is an investigative agency in exercising its investigative functions.
(5) An investigative agency is not required to comply with section 18 if:
(a) the information concerned is disclosed to a complainant, and
(b) the disclosure is reasonably necessary for the purpose of:
(i) reporting the progress of an investigation into the complaint made by the complainant, or
(ii) providing the complainant with advice as to the outcome of the complaint or any action taken as a result of the complaint.
(6) The exemptions provided by subsections (1)–(5) extend to:
(a) any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency, and
(b) the Office of Local Government, or any person employed in that Office, who is investigating or otherwise handling (formally or informally) a complaint or other matter even though it is or may be the subject of a right of appeal conferred by or under an Act.
(7) The Ombudsman’s Office is not required to comply with section 9 or 10.
(8) An investigative agency is not required to comply with section 12 (a).
[6] Sections 27A–27C
Insert after section 27:
27A Exemptions relating to information exchanges between public sector agencies
A public sector agency is not required to comply with the information protection principles with respect to the collection, use or disclosure of personal information if:
(a) the agency is providing the information to another public sector agency or the agency is being provided with the information by another public sector agency, and
(b) the collection, use or disclosure of the information is reasonably necessary:
(i) to allow any of the agencies concerned to deal with, or respond to, correspondence from a Minister or member of Parliament, or
(ii) to enable inquiries to be referred between the agencies concerned, or
(iii) to enable the auditing of the accounts or performance of a public sector agency or group of public sector agencies (or a program administered by an agency or group of agencies).
27B Exemptions relating to research
A public sector agency is not required to comply with the information protection principles with respect to the collection, use or disclosure of personal information if:
(a) the collection, use or disclosure of the information is reasonably necessary for the purpose of research, or the compilation or analysis of statistics, in the public interest, and
(b) in the case where the agency would otherwise contravene section 9 in respect of the collection of the information—it is unreasonable or impracticable for the information to be collected directly from the individual to whom the information relates, and
(c) in the case of the use or disclosure of the information—either:
(i) the purpose referred to in paragraph (a) cannot be served by the use or disclosure of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained and it is impracticable for the agency to seek the consent of the individual for the use or disclosure, or
(ii) reasonable steps are taken to de-identify the information, and
(d) in the case where the use or disclosure of the information could reasonably be expected to identify individuals—the information is not published in a publicly available publication, and
(e) the collection, use or disclosure of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph.
27C Exemptions relating to credit information
(1) A courts agency is not required to comply with section 17 or 18 if:
(a) compliance would prevent the courts agency from disclosing to a credit reporting body that an individual is a default judgment debtor and the amount of the debt, and
(b) the courts agency is satisfied that the credit reporting body has given an enforceable undertaking not to retain the information disclosed to it after the expiry of the applicable retention period.
(2) The applicable retention period for the purposes of subsection (1) (b) is:
(a) if the debt of the default judgment debtor is satisfied—the period of 2 years commencing on the date that the debt was satisfied, or
(b) if the debt of the default judgment debtor remains unsatisfied—the period of 5 years commencing on the date the judgment was given,
whichever is the earlier.
(3) In this section:
courts agency means:
(a) the Department of Justice (including any Public Service executive agency that is related to the Department for the purposes of the Government Sector Employment Act 2013), and
(b) any court or tribunal referred to in Schedule 1 to the Civil Procedure Act 2005.
credit reporting body has the same meaning as in the Privacy Act 1988 of the Commonwealth.
default judgment debtor means an individual against whom a default judgment has been given by a court or tribunal under the uniform rules within the meaning of the Civil Procedure Act 2005.
[7] Schedule 4 Savings, transitional and other provisions
Insert at the end of clause 1 (1):
any other Act that amends this Act
[8] Schedule 4, clause 1 (3)
Omit “in the Gazette”. Insert instead “on the NSW legislation website”.
[9] Schedule 4
Insert at the end of the Schedule (with appropriate clause numbering):
Provisions consequent on enactment of Privacy and Personal Information Protection Amendment (Exemptions Consolidation) Act 2015
(1) The following directions made by the Privacy Commissioner under section 41 are revoked:
(a) Direction on Disclosures of Information by Public Sector Agencies for Research Purposes as renewed by the Privacy Commissioner on 19 June 2015 for the period 1 July 2015 to 31 December 2015,
(b) Direction relating to the Disclosure of Information to Credit Reporting Agencies as renewed by the Privacy Commissioner on 19 June 2015 for the period 1 July 2015 to 31 December 2015,
(c) Direction on Information Transfers between Public Sector Agencies as renewed by the Privacy Commissioner on 19 June 2015 for the period 1 July 2015 to 31 December 2015,
(d) Direction on Processing of Personal Information by Public Sector Agencies in relation to their Investigative Functions as renewed by the Privacy Commissioner on 19 June 2015 for the period 1 July 2015 to 31 December 2015,
(e) Direction on Disclosures of Information by the New South Wales Public Sector to the National Coronial Information System (NCIS) as renewed by the Privacy Commissioner on 19 June 2015 for the period 1 July 2015 to 31 December 2015,
(f) Direction on the Collection of Personal Information about Third Parties by New South Wales Public Sector (Human Services) Agencies from their Clients as renewed by the Privacy Commissioner on 19 June 2015 for the period 1 July 2015 to 31 December 2015,
(g) Direction for the Department of Families and Community Services and Associated Agencies as renewed by the Privacy Commissioner on 19 June 2015 for the period 1 July 2015 to 31 December 2015,
(h) Direction on the Disclosure of Information to Victims of Crime as renewed by the Privacy Commissioner on 19 June 2015 for the period 1 July 2015 to 31 December 2015.
(2) Subclause (1) extends to any direction made before the commencement of this clause that renews a direction referred to in that subclause.
Schedule 2 Amendment of other Acts and an instrument
Section 102A
Insert after section 102:
102A Sharing of information with coronial database
(1) The Minister may, on behalf of the State, enter into an arrangement (a coronial information sharing arrangement) with a person or body that is responsible for the creation or maintenance of a database under which specified NSW coronial information can be provided and included in that database if the Minister is satisfied that:
(a) the person or body has a legitimate interest in storing the information in the database, and
(b) the person or body will make the information available only to persons with a legitimate interest in obtaining it, and
(c) the conditions for making the information available to database users are reasonable.
(2) NSW coronial information may be provided in accordance with a coronial information sharing arrangement despite any prohibition in, or the need to comply with any requirement of, any Act or law (in particular, the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002).
(3) In this section:
NSW coronial information means information obtained in the exercise of functions under this Act.
[1] Clause 11
Omit the clause. Insert instead:
11 Collection of personal information from and about third parties
(1) A human services agency is not required to comply with section 9 of the Act if it is unreasonable or impracticable in the circumstances to do so.
(2) A human services agency is not required to comply with section 9 or 10 of the Act if:
(a) the personal information collected is about an individual other than a relevant client of the agency, and
(b) the personal information is collected from any of the following:
(i) a relevant client,
(ii) a non-government organisation engaged by the agency to provide services for or to it,
(iii) another human services agency, and
(c) the personal information is reasonably relevant and reasonably necessary to enable the agency to provide services to a relevant client.
(3) In this clause:
relevant client of a human services agency means an individual to whom the agency is providing welfare services, health services or mental health services.
[2] Clause 16 Disclosure of personal information
Omit clause 16 (c) (i)–(iii). Insert instead:
(i) the Department of Family and Community Services,
(ii) the Ministry of Health,
(iii) the Justice Health and Forensic Mental Health Network,
[3] Part 6, heading
Omit the heading. Insert instead:
Part 6 Community care
[4] Clause 17 Interpretation
Omit the definition of ageing, disability or home care service agency or ADHC agency from clause 17 (1). Insert in alphabetical order:
of a community care agency means:
(a) if the agency is a Government Department (or part of a Government Department)—an employee of the Department appointed by the Secretary of the Department, or
(b) if the agency is the Civil and Administrative Tribunal—a member of staff of the Tribunal appointed by the President of the Tribunal.
community care agency means any of the following:
(a) the Department of Family and Community Services (including any office or branch of the Department, the Home Care Service Staff Agency or any Public Service executive agency that is related to the Department for the purposes of the Government Sector Employment Act 2013),
(b) Juvenile Justice in the Department of Justice,
(c) the Civil and Administrative Tribunal.
[5] Clause 17 (2)
Omit “an ADHC agency”, “ageing, disability or home care services” and “the ADHC agency”. Insert instead “a community care agency”, “services” and “the community care agency”, respectively.
[6] Clause 18 Modification of certain information protection principles
Omit “ADHC agencies”. Insert instead “community care agencies”.
[7] Schedule 3, heading
Omit the heading. Insert instead:
Schedule 3 Modification of information protection principles applying to community care agencies
[8] Schedule 3
Omit “An ADHC agency”, “an ADHC agency” and “the ADHC agency” wherever occurring. Insert instead “A community care agency”, “a community care agency” and “the community care agency” respectively.
[9] Schedule 3, clauses 1 (1) and 8 (example)
Omit “ageing, disability or home care”.
[10] Schedule 3, clause 2
Omit the clause. Insert instead:
2 Section 10: Requirements when collecting personal information
If the individual to whom personal information relates lacks the capacity to understand the matters listed in section 10 of the Act, the community care agency must, instead of complying with that section:
(a) make a record of those matters in its files and ensure that the record is readily accessible by:
(i) if the individual regains capacity, the individual, or
(ii) any personal information custodian of the individual, or
(iii) the agency itself, and
(b) inform a personal information custodian of the individual of those matters.
[11] Schedule 3, clauses 6 (2) (b) and 7 (2) (b)
Omit “an officer of the Department of Human Services appointed by the Director-General of that Department to act for individuals who have no personal information custodian” wherever occurring. Insert instead “an employee of the community care agency (who is authorised by the head of that agency to act for individuals who have no personal information custodian)”.
[12] Schedule 3, clause 9
Insert at the end of the Schedule:
9 Involvement of individual to whom personal information relates
A community care agency must, when exercising a function under a provision of this Schedule that requires the consent of a personal information custodian of an individual, take such steps as are reasonably practicable to involve the individual in the provision of that consent.
Section 112A
Insert after section 112:
112A Provision of personal information to victims of crime and family victims
(1) A victims rights agency is not required to comply with section 9, 10, 17, 18 or 19 of the Privacy and Personal Information Protection Act 1998 if compliance by the agency would prevent:
(a) the disclosure of information to a victim of crime or a family victim to which the victim is entitled under the Charter of Victims Rights (or the collection, use or disclosure of information that is incidental to that purpose), or
(b) the disclosure of information that is reasonably necessary to inform a victim of crime or a family victim about the general location or movements of a serious offender of whom they were the victim.
(2) However, nothing in subsection (1) requires a victims rights agency to disclose personal information to a victim of crime or a family victim if the agency is prohibited from doing so by or under this or any other Act or law.
(3) In this section:
personal information has the same meaning as in the Privacy and Personal Information Protection Act 1998.
serious offender means a person who has been convicted of an indictable offence that is punishable by imprisonment for life or for a term of 5 years or more.
victims rights agency means any of the following government sector agencies:
(a) the Department of Family and Community Services,
(b) the Department of Justice,
(c) the Department of Premier and Cabinet,
(d) a local health district or statutory health corporation within the meaning of the Health Services Act 1997,
(e) the Mental Health Review Tribunal,
(f) the NSW Police Force,
(g) the Office of the Director of Public Prosecutions.