An Act to enable the Secretary to exercise functions to support individuals and organisations in protecting, recovering and remediating personal information in relation to the compromise of personal information; to provide the necessary exemptions from privacy and other laws; and for related purposes.
Part 1 Preliminary
1 Name of Act
This Act is the Identity Protection and Recovery Act 2025.
2 Commencement
This Act commences on the date of assent to this Act.
3 Objects of Act
The objects of this Act are as follows—
  (a) to enable the Secretary to—
    (i) carry out and facilitate the protection and recovery of personal information of individuals from personal data compromises, and
    (ii) facilitate the remediation of compromised personal information of individuals, and
    (iii) carry out and facilitate the protection of organisations from personal data compromises, and
    (iv) adopt and recommend best practice standards in the protection and recovery of personal information,
  (b) to permit the collection, holding, use and disclosure of information for the purpose of protecting organisations and the personal information of individuals from personal data compromises.
4 Definitions
The dictionary in Schedule 4 defines words used in this Act.
Note—The Interpretation Act 1987 contains definitions and other provisions that affect the interpretation and application of this Act.
5 Meaning of “compromised” personal information
In this Act, compromised, in relation to personal information, means personal information known or suspected to have been—
  (a) used, accessed, disclosed or lost unlawfully or without authorisation, or
  (b) lost or disclosed unintentionally.
6 Meaning of “identity document”
(1) In this Act, identity document means the following—
  (a) a document specified in Schedule 1,
    Examples—
    driver licence
    birth certificate
    medicare card
  (b) a DVS document within the meaning of the Identity Verification Services Act 2023 of the Commonwealth that is not otherwise specified in Schedule 1,
  (c) another document that is—
    (i) issued by a government to an individual containing personal information relating to the individual, and
    (ii) prescribed by the regulations.
(2) A reference in this Act to an identity document includes information in relation to an individual—
  (a) contained in an identity document related to the individual, or
  (b) associated, or reasonably expected to be associated, with an identity document related to the individual.
7 Meaning of “personal data compromise”
In this Act, a personal data compromise means a known or suspected—
  (a) unauthorised or unlawful use, access, disclosure or loss of personal information, or
  (b) unintentional disclosure or loss of personal information.
8 Act to bind Crown
This Act binds the Crown in right of New South Wales and, to the extent the legislative power of the Parliament of New South Wales permits, the Crown in all its other capacities.
Part 2 Identity protection and recovery functions
9 Functions of Secretary
(1) The Secretary has the following functions (identity protection functions)—
  (a) identity protection and recovery functions,
  (b) identity fraud control functions,
  (c) another function specified to be an identity protection function by this Act or another Act.
(2) The Secretary must not exercise an identity protection function unless—
  (a) in accordance with this Act, and
  (b) consistent with the objects of this Act.
10 Identity protection and recovery functions
The identity protection and recovery functions are as follows—
  (a) to advise on and recommend actions—
    (i) to detect, prevent and mitigate the likelihood of personal data compromises, and
    (ii) to mitigate the risk of harm to individuals and impacted individuals in relation to personal data compromises,
  (b) to increase resilience and protection of persons from personal data compromises, including by advising on the appropriate kind and use of information technology,
  (c) in response to a personal data compromise—
    (i) to advise on and recommend actions to take, including to replace or reissue identity documents and other actions to protect and recover personal information, and
    (ii) to advise on and assess the risk of harm to impacted individuals, and
    (iii) to notify and disclose information to impacted individuals and other persons, including to assist persons in notifying impacted individuals,
  (d) other functions prescribed by the regulations.
11 Identity fraud control functions
The identity fraud control functions are as follows—
  (a) to advise on and recommend actions for the detection, prevention and mitigation of the likelihood of identity fraud,
  (b) to establish and keep the compromised ID register,
  (c) to disclose information on the compromised ID register to certain persons,
  (d) to determine and disclose information about the life status of individuals to certain persons,
  (e) other functions prescribed by the regulations.
12 Exercise of functions
The Secretary must not exercise an identity protection function unless the exercise of the function is—
  (a) at the request of the following—
    (i) a person who the Secretary is satisfied is, or may be, affected by a personal data compromise,
    (ii) a law enforcement agency,
    (iii) a fraud check user, or
  (b) in response to the following—
    (i) a personal data compromise for which the source of the personal data cannot reasonably be determined,
    (ii) compromised personal data made available on the internet, whether on the clear or dark web, or
  (c) to establish, keep and disclose information on and in relation to the compromised ID register, or
  (d) to determine and disclose information about the life status of an individual, or
  (e) to advise on and recommend actions for the detection, prevention and mitigation of the likelihood of personal data compromises, or
  (f) in other circumstances prescribed by the regulations.
13 Coordination with privacy and other similar authorities
(1) The Secretary may exercise an identity protection function to coordinate with the following authorities (partner authorities) in response to a personal data compromise—
  (a) the Privacy Commissioner,
  (b) an authority with functions to protect the privacy of individuals under an Act or law of another jurisdiction within Australia,
  (c) an authority of another jurisdiction within Australia with functions that are the same as or similar to the identity protection functions,
  (d) an authority of the Commonwealth, prescribed by the regulations, with functions under an Act of the Commonwealth to manage cyber security incidents.
(2) The Secretary, in exercising an identity protection function, must act consistently with guidance and advice given by the following in relation to a notifiable data breach—
  (a) the Privacy Commissioner,
  (b) an authority, prescribed by the regulations, with functions under an Act of the Commonwealth to protect the privacy of individuals.
(3) The Secretary must not act for or on behalf of a person for the purpose of discharging the person’s duties in relation to a notifiable data breach.
(4) In this section—
notifiable data breach means a breach required to be notified under an Act or law of the State or another jurisdiction prescribed by the regulations.
14 Contracts for identity protection functions
(1) The Secretary may make and enter into contracts or other agreements in connection with the exercise of an identity protection function.
(2) The regulations may provide for the form and content of the contracts or agreements.
15 Functions outside New South Wales
The Secretary may exercise an identity protection function for or in relation to—
  (a) a person who resides or is located within another State or Territory, or
  (b) a department or agency of the Commonwealth or another State or Territory.
16 Fees
(1) The Secretary may charge fees under this Act or the regulations for or in relation to the exercise of a function under this Act or the regulations, including for—
  (a) an approval or other permission, or
  (b) late payment of fees.
(2) A fee or other charge payable to the Secretary may be recovered by the Secretary as a debt in a court of competent jurisdiction.
(3) The regulations may—
  (a) prescribe the fees or the way in which the fees may be calculated, and
  (b) provide for the exemption from or waiver or refund of fees under this Act or in relation to this Act, and
  (c) provide for payment of a deposit or prepayment in relation to a fee.
17 Delegation
The Secretary may delegate the exercise of a function of the Secretary under this Act, other than this power of delegation, to a member of staff of the Department.
Part 3 Identity fraud control
Division 1 Compromised ID register
18 Secretary to keep register
The Secretary must keep a register (the compromised ID register) for compromised identity documents in a way prescribed by the regulations.
19 Secretary to record compromised identity documents
The Secretary may record an identity document in the compromised ID register if, in the Secretary’s opinion, the identity document has or may have been compromised.
20 Removal of records from register at request
(1) The Secretary must remove records about an individual from the compromised ID register if—
  (a) requested by the individual in the approved way, and
  (b) the Secretary is satisfied the request is for a purpose prescribed by the regulations.
(2) The Secretary may remove records about an individual from the compromised ID register if—
  (a) requested by the issuer of an identity document or member of the NSW Police Force, and
  (b) the Secretary is satisfied the request is for a purpose prescribed by the regulations.
(3) This section does not limit the exercise of the Secretary’s function to remove records from the compromised ID register for the purposes of maintaining the register.
Division 2 Disclosure of information on register
21 Disclosure of information on register
The Secretary must not disclose information on the compromised ID register unless provided for by this part or required by another Act or law.
22 Disclosure to impacted individuals
(1) The Secretary must, as soon as reasonably practicable, disclose to an individual when the individual’s identity document has been recorded on the compromised ID register.
(2) The Secretary may disclose information on the compromised ID register to an individual to whom the information relates at any time.
23 Disclosure to issuers of identity documents
(1) The Secretary must, as soon as reasonably practicable, disclose to the issuer of an identity document when the identity document is recorded on the compromised ID register.
(2) The Secretary must make the disclosure to the issuer by written notice.
(3) The Secretary may—
  (a) give the issuer information that the Secretary considers relevant to the disclosure, and
  (b) recommend the issuer take certain steps in response to the identity document being recorded on the register.
(4) The Secretary may disclose to the issuer when the identity document is removed from the compromised ID register.
Division 3 Identity fraud checks
24 Definition
In this division—relevant purpose, in relation to a life status check—see section 27.
25 Fraud check users
(1) A person who wishes to be eligible to request one or both of the following disclosures may apply to the Secretary for eligibility—
  (a) the disclosure of information about whether an identity document is on the compromised ID register under section 26,
  (b) the disclosure of information to verify the life status of an individual under section 28.
(2) The application must be—
  (a) made in the approved way, and
  (b) accompanied by the fee prescribed by the regulations, if any.
(3) The Secretary may, by written notice to the applicant—
  (a) approve the application with or without conditions, or
  (b) refuse the application.
(4) The Secretary must not grant the approval unless the Secretary is satisfied the person meets the criteria prescribed by the regulations.
(5) The Secretary may, by written notice to the approval holder, cancel or suspend the approval with or without conditions.
(6) The regulations may—
  (a) make further provision about an approval, including the grant of an approval, under this section, or
  (b) prescribe persons or classes of persons who may be taken to hold an approval under this section.
26 Compromised ID register checks
(1) An eligible fraud check user may apply to the Secretary for a disclosure of information about whether an identity document is recorded on the compromised ID register.
(2) The application must be—
  (a) made in the approved way, and
  (b) accompanied by the prescribed fee, if any.
(3) After receiving the application, the Secretary may disclose, or refuse to disclose, the information to the fraud check user.
(4) Despite subsection (3), the Secretary must not disclose the information to the fraud check user unless the Secretary is reasonably satisfied that—
  (a) the individual whose identity document or purported identity document is the subject of the disclosure has consented to the disclosure, and
  (b) the fraud check user will only use the information for one or more of the following purposes—
    (i) to reduce the risk of fraudulent use of the individual’s identity, or
    (ii) another purpose prescribed by the regulations.
(5) Despite subsections (3) and (4), the Secretary—
  (a) must not disclose the information to the fraud check user in circumstances prescribed by the regulations, and
  (b) must only disclose information of a kind prescribed by the regulations.
27 Relevant purpose for life status checks
The Secretary must not use information about, or determine, the life status of an individual unless for one or more of the following purposes (a relevant purpose)—
  (a) for an individual whose personal information has or may have been compromised—
    (i) to assess the risk of harm to the individual or another person caused by the compromise, or
    (ii) to identify and notify the individual in relation to the compromise,
  (b) to reduce the risk of fraudulent use of the individual’s identity if the individual is deceased.
28 Life status checks for fraud check users
(1) An eligible fraud check user may apply to the Secretary for a disclosure of information about the life status of an individual.
(2) The application must be—
  (a) made in the approved way, and
  (b) accompanied by the prescribed fee, if any.
(3) After receiving the application, the Secretary may disclose, or refuse to disclose, the information to the fraud check user.
(4) Despite subsection (3), the Secretary—
  (a) must not disclose the information unless the Secretary is satisfied the fraud check user will only use the information for a relevant purpose, and
  (b) must only disclose information of a kind prescribed by the regulations.
Part 4 Exemptions from privacy and other laws
Division 1 Preliminary
29 Definition
In this part—public sector agency has the same meaning as in the Privacy and Personal Information Protection Act 1998.
Division 2 Exemption from privacy laws
30 Application of division
(1) This division has effect despite any Act or law, including the following—
  (a) the Privacy and Personal Information Protection Act 1998, sections 9–11 and 15–19,
  (b) the Health Records and Information Privacy Act 2002, Schedule 1, clauses 1–4 and 6–11.
(2) This division does not limit the application of section 33.
31 Collection, holding, use and disclosure of personal information for identity protection functions
(1) The Secretary may collect, hold, use and disclose personal information when exercising an identity protection function.
(2) A partner authority may collect, hold, use or disclose personal information to coordinate with the Secretary in response to a personal data compromise.
(3) A public sector agency may collect, hold, use or disclose personal information—
  (a) for the purpose of the public sector agency requesting the Secretary to exercise an identity protection function, or
  (b) for the purpose of the Secretary exercising an identity protection function, or
  (c) for another reason in connection with the Secretary exercising an identity protection function.
(4) Without limiting subsections (1)–(3), a person may disclose personal information to the Secretary for the purpose of the Secretary exercising an identity protection function.
32 Unlawful conduct not exempt
(1) This division does not apply to a person if the person engages in unlawful conduct when collecting, holding, using or disclosing personal information in connection with the exercise of an identity protection function.
(2) Without limiting subsection (1), this division does not apply to a person who—
  (a) is party to a contract or agreement with the Secretary that relates to the exercise of an identity protection function, and
  (b) breaches a specified provision of the contract or agreement when collecting, holding, using or disclosing personal information in connection to the exercise of the identity protection function.
(3) Subsection (2) does not have effect unless, before the breach, the Secretary has given written notice to the person specifying a provision or provisions for the purpose of subsection (2)(b).
Division 3 Protected disclosures
33 Exclusion of liability for disclosures otherwise prohibited
(1) The disclosure of information between the following persons is a protected disclosure if the disclosure is for the exercise of an identity protection function—
  (a) a public sector agency and the Secretary,
  (b) a law enforcement agency and the Secretary,
  (c) another person and the Secretary.
(2) The following applies to a person referred to in subsection (1) who makes or is involved in a protected disclosure—
  (a) the person does not incur civil liability, including liability—
    (i) for an action for defamation, or
    (ii) for breaching a duty of secrecy or confidentiality, or
    (iii) for breaching another restriction on disclosure applicable to the person, whether or not imposed by this Act or another law, and
  (b) the person does not incur criminal liability, including liability for breaching—
    (i) a law or code of conduct imposing a duty of secrecy or confidentiality, or
    (ii) another restriction in relation to the disclosure of information, and
  (c) the person is not liable to disciplinary action.
(3) Subsection (2) does not apply to a person if the liability arises in relation to the person—
  (a) contravening a provision of this Act, or
  (b) breaching a contract or agreement that relates to the exercise of an identity protection function to which the Secretary is a party.
Part 5 Identity Protection and Recovery Fund
34 Establishment of Fund
(1) A fund is established in the Special Deposits Account called the Identity Protection and Recovery Fund (the Fund).
(2) The Fund is administered by the Secretary.
35 Payments into Fund
The following must be paid into the Fund—
  (a) money appropriated by Parliament for the Fund,
  (b) money authorised by the Treasurer for the Fund,
  (c) money directed or authorised to be paid into the Fund under this Act or another Act or law,
  (d) money paid to the Secretary under a contract or agreement in connection with an identity protection function,
  (e) fees or other charges payable to the Secretary under this Act,
  (f) the proceeds of the investment of money in the Fund.
36 Payments out of Fund
Money may be paid out of the Fund—
  (a) to meet expenses for the Secretary’s functions under this Act,
  (b) to meet expenses in relation to the administration of the Fund and this Act,
  (c) to meet expenses incurred by a NSW Government agency in assisting the Secretary in the exercise of an identity protection function,
  (d) for payments authorised or required under another Act or law consistent with the objects of this Act.
Part 6 Miscellaneous
37 Personal liability
(1) A protected person is not personally subject to liability for anything done—
  (a) in good faith, and
  (b) for the purpose of exercising a function under this Act.
(2) The liability instead attaches to the Crown.
(3) In this section—
done includes omitted to be done.
liability means civil liability and includes action, claim or demand.
protected person means the following—
  (a) the Minister,
  (b) the Secretary,
  (c) a person acting under the direction of the following—
    (i) the Minister,
    (ii) the Secretary,
    (iii) a NSW Government agency or statutory body representing the Crown.
38 Regulations
(1) The Governor may make regulations about a matter that is—
  (a) required or permitted by this Act to be prescribed, or
  (b) necessary or convenient to be prescribed for carrying out or giving effect to this Act.
(2) The regulations may apply, adopt or incorporate, wholly or in part and with or without modification, a publication in force at a particular time or from time to time.
(3) The Minister must consult with the Privacy Commissioner on regulations proposed to be made under the following sections before the regulations are recommended to the Governor—
  (a) section 10,
  (b) section 11,
  (c) section 26(5)(b),
  (d) section 28(4)(b).
39 Review of Act
(1) The Minister must review the operation of this Act to determine whether—
  (a) the policy objectives of the Act remain valid, and
  (b) the terms of the Act remain appropriate for achieving the policy objectives.
(2) The review must be undertaken as soon as practicable after the period of 2 years from the commencement of this Act.
Schedule 1 Identity documents
section 6(1)(a)
1 | a birth certificate issued by or on behalf of an authority of the State or another State or Territory |
2 | a death certificate issued by or on behalf of an authority of the State or another State or Territory |
3 | a concession card within the meaning of the Social Security Act 1991 of the Commonwealth |
4 | a notice given under the Australian Citizenship Act 2007 of the Commonwealth, section 37, stating that a person is an Australian citizen at a particular time |
5 | a certificate issued by an authority of the State or another State or Territory indicating that an individual has changed the individual’s name |
6 | a driver licence, however described, issued by or on behalf of an authority of the State or another State or Territory |
7 | a document issued by or on behalf of an authority of the State or another State or Territory to assist an individual to prove the individual’s age or identity |
8 | a document issued to an individual, as a person who is not an Australian citizen, by an authority of the Commonwealth in which the Migration Act 1958 of the Commonwealth is administered to assist the individual to prove the individual’s identity |
9 | a certificate of marriage issued by or on behalf of an authority of the State or another State or Territory whose function is to register marriages |
10 | a document issued by a court setting out a divorce order made under the Family Law Act 1975 of the Commonwealth |
11 | an Australian travel document within the meaning of the Australian Passports Act 2005 of the Commonwealth |
12 | a certificate signed by an officer within the meaning of the Migration Act 1958 of the Commonwealth stating that, at a specified time or during a specified period, a specified person was the holder of a visa that was in effect |
13 | an entry in a Roll within the meaning of the Commonwealth Electoral Act 1918 of the Commonwealth relating to a particular individual |
14 | an aviation security identification card issued under the Aviation Transport Security Act 2004 of the Commonwealth |
15 | an MSIC issued under the Maritime Transport and Offshore Facilities Security Act 2003 of the Commonwealth |
16 | a medicare card within the meaning of the National Health Act 1953 of the Commonwealth, section 84(1) |
Schedule 2 Savings, transitional and other provisions
1 Regulations
(1) The regulations may contain provisions of a savings or transitional nature consequent on the commencement of—
  (a) a provision of this Act, or
  (b) a provision amending this Act.
(2) A savings or transitional provision consequent on the commencement of a provision must not be made more than 2 years after the commencement.
(3) A savings or transitional provision made consequent on the commencement of a provision is repealed 2 years after the commencement.
(4) A savings or transitional provision made consequent on the commencement of a provision may take effect before that commencement but not before—
  (a) for a provision of this Act—the date of assent to this Act, or
  (b) for a provision amending this Act—the date of assent to the amending Act.
(5) A savings or transitional provision taking effect before the provision’s publication on the NSW legislation website does not—
  (a) affect the rights of a person existing before the publication in a way prejudicial to the person, or
  (b) impose liabilities on a person for anything done or omitted to be done before the publication.
(6) In this section—
person does not include the State or an authority of the State.
Schedule 3 (Repealed)
sch 3: Rep 1987 No 15, sec 30C.
Schedule 4 Dictionary
section 4
approved way means in a way approved by the Secretary.
compromised, in relation to personal information—see section 5.
compromised ID register—see section 18.
Department means the Department of Customer Service.
exercise, a function, includes perform a duty.
fraud check user means a person approved under section 25.
function includes a power, authority or duty.
Fund—see section 34(1).
identity document—see section 6.
identity fraud control functions—see section 11.
identity protection and recovery functions—see section 10.
identity protection functions—see section 9(1).
impacted individual means an individual whose personal information is the subject of a personal data compromise.
law enforcement agency means—
(a) a law enforcement agency within the meaning of the Privacy and Personal Information Protection Act 1998, or
(b) another person or body prescribed by the regulations.
life status means whether a person is alive or dead.
partner authority—see section 13(1).
personal data compromise—see section 7.
personal information includes—
(a) personal information within the meaning of the Privacy and Personal Information Protection Act 1998, and
(b) health information within the meaning of the Health Records and Information Privacy Act 2002, and
(c) an identity document.
public sector agency, for Part 4—see section 29.
relevant purpose, for Part 3, Division 3—see section 24.
Secretary means the Secretary of the Department.