Privacy and Personal Information Protection Act 1998 No 133
Current version for 1 July 2017 to date (accessed 20 September 2017 at 10:11)
Part 2 Information protection principles
Division 1 Principles
8   Collection of personal information for lawful purposes
(1)  A public sector agency must not collect personal information unless:
(a)  the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and
(b)  the collection of the information is reasonably necessary for that purpose.
(2)  A public sector agency must not collect personal information by any unlawful means.
9   Collection of personal information directly from individual
A public sector agency must, in collecting personal information, collect the information directly from the individual to whom the information relates unless:
(a)  the individual has authorised collection of the information from someone else, or
(b)  in the case of information relating to a person who is under the age of 16 years—the information has been provided by a parent or guardian of the person.
10   Requirements when collecting personal information
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following:
(a)  the fact that the information is being collected,
(b)  the purposes for which the information is being collected,
(c)  the intended recipients of the information,
(d)  whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided,
(e)  the existence of any right of access to, and correction of, the information,
(f)  the name and address of the agency that is collecting the information and the agency that is to hold the information.
11   Other requirements relating to collection of personal information
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that:
(a)  the information collected is relevant to that purpose, is not excessive, and is accurate, up to date and complete, and
(b)  the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.
12   Retention and security of personal information
A public sector agency that holds personal information must ensure:
(a)  that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b)  that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
(c)  that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d)  that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.
13   Information about personal information held by agencies
A public sector agency that holds personal information must take such steps as are, in the circumstances, reasonable to enable any person to ascertain:
(a)  whether the agency holds personal information, and
(b)  whether the agency holds personal information relating to that person, and
(c)  if the agency holds personal information relating to that person:
(i)  the nature of that information, and
(ii)  the main purposes for which the information is used, and
(iii)  that person’s entitlement to gain access to the information.
14   Access to personal information held by agencies
A public sector agency that holds personal information must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information.
15   Alteration of personal information
(1)  A public sector agency that holds personal information must, at the request of the individual to whom the information relates, make appropriate amendments (whether by way of corrections, deletions or additions) to ensure that the personal information:
(a)  is accurate, and
(b)  having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading.
(2)  If a public sector agency is not prepared to amend personal information in accordance with a request by the individual to whom the information relates, the agency must, if so requested by the individual concerned, take such steps as are reasonable to attach to the information, in such a manner as is capable of being read with the information, any statement provided by that individual of the amendment sought.
(3)  If personal information is amended in accordance with this section, the individual to whom the information relates is entitled, if it is reasonably practicable, to have recipients of that information notified of the amendments made by the public sector agency.
(4)  This section, and any provision of a privacy code of practice that relates to the requirements set out in this section, apply to public sector agencies despite section 25 of this Act and section 21 of the State Records Act 1998.
(5)  The Privacy Commissioner’s guidelines under section 36 may make provision for or with respect to requests under this section, including the way in which such a request should be made and the time within which such a request should be dealt with.
(6)  In this section (and in any other provision of this Act in connection with the operation of this section), public sector agency includes a Minister and a Minister’s personal staff.
16   Agency must check accuracy of personal information before use
A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
17   Limits on use of personal information
A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:
(a)  the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b)  the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c)  the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.
18   Limits on disclosure of personal information
(1)  A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:
(a)  the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b)  the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c)  the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
(2)  If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
19   Special restrictions on disclosure of personal information
(1)  A public sector agency must not disclose personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities unless the disclosure is necessary to prevent a serious and imminent threat to the life or health of the individual concerned or another person.
(2)  A public sector agency that holds personal information about an individual must not disclose the information to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless:
(a)  the public sector agency reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the information protection principles, or
(b)  the individual expressly consents to the disclosure, or
(c)  the disclosure is necessary for the performance of a contract between the individual and the public sector agency, or for the implementation of pre-contractual measures taken in response to the individual’s request, or
(d)  the disclosure is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the public sector agency and a third party, or
(e)  all of the following apply:
(i)  the disclosure is for the benefit of the individual,
(ii)  it is impracticable to obtain the consent of the individual to that disclosure,
(iii)  if it were practicable to obtain such consent, the individual would be likely to give it, or
(f)  the disclosure is reasonably believed by the public sector agency to be necessary to lessen or prevent a serious and imminent threat to the life, health or safety of the individual or another person, or
(g)  the public sector agency has taken reasonable steps to ensure that the information that it has disclosed will not be held, used or disclosed by the recipient of the information inconsistently with the information protection principles, or
(h)  the disclosure is permitted or required by an Act (including an Act of the Commonwealth) or any other law.
(3)–(5)    (Repealed)
Division 2 General provisions relating to principles
20   General application of information protection principles to public sector agencies
(1)  The information protection principles apply to public sector agencies.
(2)  The application of the principles to public sector agencies:
(a)  may be modified by privacy codes of practice, and
(b)  is otherwise subject to this Act.
(3)  Sections 8–11 do not apply in respect of personal information collected by a public sector agency before the commencement of this Part.
(4)    (Repealed)
(5)  Without limiting the generality of section 5, the provisions of the Government Information (Public Access) Act 2009 that impose conditions or limitations (however expressed) with respect to any matter referred to in section 13, 14 or 15 are not affected by this Act, and those provisions continue to apply in relation to any such matter as if those provisions were part of this Act.
21   Agencies to comply with principles
(1)  A public sector agency must not do any thing, or engage in any practice, that contravenes an information protection principle applying to the agency.
(2)  The contravention by a public sector agency of an information protection principle that applies to the agency is conduct to which Part 5 applies.
Division 3 Specific exemptions from principles
22   Operation of Division
Nothing in this Division authorises a public sector agency to do any thing that it is otherwise prohibited from doing.
23   Exemptions relating to law enforcement and related matters
(1)  A law enforcement agency is not required to comply with section 9 if compliance by the agency would prejudice the agency’s law enforcement functions.
(2)  A public sector agency (whether or not a law enforcement agency) is not required to comply with section 9 if the information concerned is collected in connection with proceedings (whether or not actually commenced) before any court or tribunal.
(3)  A public sector agency (whether or not a law enforcement agency) is not required to comply with section 10 if the information concerned is collected for law enforcement purposes. However, this subsection does not remove any protection provided by any other law in relation to the rights of accused persons or persons suspected of having committed an offence.
(4)  A public sector agency (whether or not a law enforcement agency) is not required to comply with section 17 if the use of the information concerned for a purpose other than the purpose for which it was collected is reasonably necessary for law enforcement purposes or for the protection of the public revenue.
(5)  A public sector agency (whether or not a law enforcement agency) is not required to comply with section 18 if the disclosure of the information concerned:
(a)  is made in connection with proceedings for an offence or for law enforcement purposes (including the exercising of functions under or in connection with the Confiscation of Proceeds of Crime Act 1989 or the Criminal Assets Recovery Act 1990), or
(b)  is to a law enforcement agency (or such other person or organisation as may be prescribed by the regulations) for the purposes of ascertaining the whereabouts of an individual who has been reported to a police officer as a missing person, or
(c)  is authorised or required by subpoena or by search warrant or other statutory instrument, or
(d)  is reasonably necessary:
(i)  for the protection of the public revenue, or
(ii)  in order to investigate an offence where there are reasonable grounds to believe that an offence may have been committed.
(6)  Nothing in subsection (5) requires a public sector agency to disclose personal information to another person or body if the agency is entitled to refuse to disclose the information in the absence of a subpoena, warrant or other lawful requirement.
(6A)  A public sector agency is not required to comply with the information protection principles with respect to the collection, use or disclosure of personal information if:
(a)  the agency is providing the information to another public sector agency or the agency is being provided with the information by another public sector agency, and
(b)  the collection, use or disclosure of the information is reasonably necessary for law enforcement purposes.
(7)  A public sector agency (whether or not a law enforcement agency) is not required to comply with section 19 if the disclosure of the information concerned is reasonably necessary for the purposes of law enforcement in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed.
(8)  In this section:
(a)  a reference to law enforcement purposes includes a reference to law enforcement purposes of another State or a Territory or the Commonwealth, and
(b)  a reference to an offence includes a reference to an offence against a law of another State or a Territory or the Commonwealth, and
(c)  a reference to the protection of the public revenue includes a reference to the protection of the public revenue of another State or a Territory or the Commonwealth.
24   Exemptions relating to investigative agencies
(1)  An investigative agency is not required to comply with section 9, 10, 13, 14, 15, 18 or 19 (1) if compliance with those sections might detrimentally affect (or prevent the proper exercise of) the agency’s complaint handling functions or any of its investigative functions.
(2)  An investigative agency is not required to comply with section 17 if the use of the information concerned for a purpose other than the purpose for which it was collected is reasonably necessary in order to enable the agency to exercise its complaint handling functions or any of its investigative functions.
(3)  An investigative agency is not required to comply with section 18 or 19 (1) if the information concerned is disclosed to another investigative agency.
(4)  A public sector agency (whether or not an investigative agency) is not required to comply with section 18 or 19 (1) if non-compliance is reasonably necessary to assist another public sector agency that is an investigative agency in exercising its investigative functions.
(5)  An investigative agency is not required to comply with section 18 if:
(a)  the information concerned is disclosed to a complainant, and
(b)  the disclosure is reasonably necessary for the purpose of:
(i)  reporting the progress of an investigation into the complaint made by the complainant, or
(ii)  providing the complainant with advice as to the outcome of the complaint or any action taken as a result of the complaint.
(6)  The exemptions provided by subsections (1)–(5) extend to:
(a)  any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency, and
(b)  the Office of Local Government, or any person employed in that Office, who is investigating or otherwise handling (formally or informally) a complaint or other matter even though it is or may be the subject of a right of appeal conferred by or under an Act.
(7)  The Ombudsman’s Office is not required to comply with section 9 or 10.
(8)  An investigative agency is not required to comply with section 12 (a).
25   Exemptions where non-compliance is lawfully authorised or required
A public sector agency is not required to comply with section 9, 10, 13, 14, 15, 17, 18 or 19 if:
(a)  the agency is lawfully authorised or required not to comply with the principle concerned, or
(b)  non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).
26   Other exemptions where non-compliance would benefit the individual concerned
(1)  A public sector agency is not required to comply with section 9 or 10 if compliance by the agency would, in the circumstances, prejudice the interests of the individual to whom the information relates.
(2)  A public sector agency is not required to comply with section 10, 18 or 19 if the individual to whom the information relates has expressly consented to the agency not complying with the principle concerned.
27   Specific exemptions (ICAC, ICAC Inspector and Inspector’s staff, NSW Police Force, LECC, Inspector of LECC and Inspector’s staff and NSW Crime Commission)
(1)  Despite any other provision of this Act, the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, the NSW Police Force, the Law Enforcement Conduct Commission, the Inspector of the Law Enforcement Conduct Commission, the staff of the Inspector of the Law Enforcement Conduct Commission and the New South Wales Crime Commission are not required to comply with the information protection principles.
(2)  However, the information protection principles do apply to the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, the NSW Police Force, the Law Enforcement Conduct Commission, the Inspector of the Law Enforcement Conduct Commission, the staff of the Inspector of the Law Enforcement Conduct Commission and the New South Wales Crime Commission in connection with the exercise of their administrative and educative functions.
27A   Exemptions relating to information exchanges between public sector agencies
A public sector agency is not required to comply with the information protection principles with respect to the collection, use or disclosure of personal information if:
(a)  the agency is providing the information to another public sector agency or the agency is being provided with the information by another public sector agency, and
(b)  the collection, use or disclosure of the information is reasonably necessary:
(i)  to allow any of the agencies concerned to deal with, or respond to, correspondence from a Minister or member of Parliament, or
(ii)  to enable inquiries to be referred between the agencies concerned, or
(iii)  to enable the auditing of the accounts or performance of a public sector agency or group of public sector agencies (or a program administered by an agency or group of agencies).
27B   Exemptions relating to research
A public sector agency is not required to comply with the information protection principles with respect to the collection, use or disclosure of personal information if:
(a)  the collection, use or disclosure of the information is reasonably necessary for the purpose of research, or the compilation or analysis of statistics, in the public interest, and
(b)  in the case where the agency would otherwise contravene section 9 in respect of the collection of the information—it is unreasonable or impracticable for the information to be collected directly from the individual to whom the information relates, and
(c)  in the case of the use or disclosure of the information—either:
(i)  the purpose referred to in paragraph (a) cannot be served by the use or disclosure of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained and it is impracticable for the agency to seek the consent of the individual for the use or disclosure, or
(ii)  reasonable steps are taken to de-identify the information, and
(d)  in the case where the use or disclosure of the information could reasonably be expected to identify individuals—the information is not published in a publicly available publication, and
(e)  the collection, use or disclosure of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph.
27C   Exemptions relating to credit information
(1)  A courts agency is not required to comply with section 17 or 18 if:
(a)  compliance would prevent the courts agency from disclosing to a credit reporting body that an individual is a default judgment debtor and the amount of the debt, and
(b)  the courts agency is satisfied that the credit reporting body has given an enforceable undertaking not to retain the information disclosed to it after the expiry of the applicable retention period.
(2)  The applicable retention period for the purposes of subsection (1) (b) is:
(a)  if the debt of the default judgment debtor is satisfied—the period of 2 years commencing on the date that the debt was satisfied, or
(b)  if the debt of the default judgment debtor remains unsatisfied—the period of 5 years commencing on the date the judgment was given,
whichever is the earlier.
(3)  In this section:
courts agency means:
(a)  the Department of Justice (including any Public Service executive agency that is related to the Department for the purposes of the Government Sector Employment Act 2013), and
(b)  any court or tribunal referred to in Schedule 1 to the Civil Procedure Act 2005.
credit reporting body has the same meaning as in the Privacy Act 1988 of the Commonwealth.
default judgment debtor means an individual against whom a default judgment has been given by a court or tribunal under the uniform rules within the meaning of the Civil Procedure Act 2005.
28   Other exemptions
(1)  The Ombudsman’s Office, Health Care Complaints Commission, Anti-Discrimination Board and Guardianship Board are not required to comply with section 19.
(2)  The information protection principles do not apply in respect of personal information collected or held by Multicultural NSW if:
(a)  the information is collected or held by Multicultural NSW for the purpose only of translating the information, and
(b)  all documents held by Multicultural NSW in which the information is contained are destroyed or returned to the person who submitted the information for translation when Multicultural NSW is satisfied that the documents are no longer required for the provision of the translation service, and
(c)  in a case where it is necessary for the information to be given to another person in connection with the provision of the translation service, everything reasonably within the power of Multicultural NSW is done to prevent unauthorised disclosure of the information by that other person.
(3)  Nothing in section 17, 18 or 19 prevents or restricts the disclosure of information:
(a)  by a public sector agency to another public sector agency under the administration of the same Minister if the disclosure is for the purposes of informing that Minister about any matter within that administration, or
(b)  by a public sector agency to any public sector agency under the administration of the Premier if the disclosure is for the purposes of informing the Premier about any matter.