Contents (1998 - 133)
Privacy and Personal Information Protection Act 1998 No 133
Part 3 Privacy codes of practice and management plans
Division 1 Privacy codes of practice
29 Operation of privacy codes of practice
(1) Privacy codes of practice may be made for the purpose of protecting the privacy of individuals.(2) A privacy code of practice may regulate the collection, use and disclosure of, and the procedures for dealing with, personal information held by public sector agencies.(3) In particular, a privacy code of practice may provide for the protection of personal information contained in a record that is more than 30 years old, and any such provision has effect despite the provisions of any other Act that deals with the disclosure of, or access to, personal information of that kind. Any such code must, to the extent that it relates to personal information contained in a State record that is more than 30 years old, be consistent with any relevant guidelines issued under section 52 of the State Records Act 1998.(4) A privacy code of practice may also provide for the disclosure of personal information to persons or bodies outside New South Wales.(5) A privacy code of practice can apply to any one or more of the following:(a) any specified class of personal information,(b) any specified public sector agency or class of public sector agency,(c) any specified activity or specified class of activity.(6) Except in the case of a privacy code of practice that is referred to in subsection (3), a code cannot affect the operation of any exemption provided under Division 3 of Part 2.(7) A code:(a) must provide standards of privacy protection that operate to protect public sector agencies from any restrictions in relation to the importation of personal information into New South Wales, and(b) must not impose on any public sector agency any requirements that are more stringent (or of a higher standard) than the information protection principles.
30 Modification of information protection principles
(1) A privacy code of practice may modify the application to any public sector agency of any one or more of the information protection principles or the application to any public sector agency of the provisions of Part 6.(2) A code may:(a) specify requirements that are different from the requirements set out in the principles, or exempt any activity or conduct of or by the public sector agency from compliance with any such principle, and(b) specify the manner in which any one or more of the information protection principles are to be applied to, or are to be followed by, the public sector agency, and(c) exempt a public sector agency, or class of public sector agency, from the requirement to comply with any information protection principle.
31 Preparation and making of privacy codes of practice
(1) The Privacy Commissioner, or any public sector agency, may:(a) initiate the preparation of a draft privacy code of practice, and(b) develop the draft code in consultation with such other persons or bodies as the Commissioner, or agency, thinks appropriate, and(c) submit the draft code to the Minister.(2) If a draft code is initiated and prepared by a public sector agency, the agency must consult with the Privacy Commissioner on the draft code before it is submitted to the Minister.(3) The Privacy Commissioner may make such submissions to the Minister in respect of a draft code as the Privacy Commissioner thinks appropriate.(4) Once a draft code is submitted to the Minister, the Minister may, after taking into consideration any submissions by the Privacy Commissioner, decide to make the code.(5) A code of practice is made by an order of the Minister published in the Gazette.(6) A code takes effect when the order making the code is published (or on such later date as may be specified in the order).(7) The procedures specified in this section extend to any amendment of a privacy code of practice.Editorial note.For the Privacy Code of Practice (General) 2003 and amendments to that Code, see www.legislation.nsw.gov.au. For other codes of practice published under this section see Gazettes No 84 of 23.7.1999, p 5152; No 81 of 30.6.2000, pp 5981, 5993, 6004, 6007, 6020, 6024; No 83 of 30.6.2000, p 6035; No 143 of 3.11.2000, p 11568; No 170 of 29.12.2000, p 14069; No 46 of 2.3.2001, p 1133; No 93 of 1.6.2001, p 3395; No 199 of 28.12.2001, p 10853; No 104 of 25.6.2004, p 4812; No 85 of 24.8.2012, p 3781; No 17 of 5.3.2015, p 632; No 34 of 6.5.2016, p 1009 and No 57 of 2.6.2017, p 1826.
32 Agencies to comply with privacy codes of practice
(1) A public sector agency must comply with any privacy code of practice applying to the agency.(2) The contravention by a public sector agency of a privacy code of practice applying to the agency is conduct to which Part 5 applies.
Division 2 Privacy management plans
33 Preparation and implementation of privacy management plans
(1) Each public sector agency must prepare and implement a privacy management plan within 12 months of the commencement of this section.(2) The privacy management plan of a public sector agency must include provisions relating to the following:(a) the devising of policies and practices to ensure compliance by the agency with the requirements of this Act or the Health Records and Information Privacy Act 2002, if applicable,(b) the dissemination of those policies and practices to persons within the agency,(c) the procedures that the agency proposes to provide in relation to internal review under Part 5,(d) such other matters as are considered relevant by the agency in relation to privacy and the protection of personal information held by the agency.(3) (Repealed)(4) An agency may amend its privacy management plan from time to time.(5) An agency must provide a copy of its privacy management plan to the Privacy Commissioner as soon as practicable after it is prepared and whenever the plan is amended.(6) The regulations may make provision for or with respect to privacy management plans, including exempting certain public sector agencies (or classes of agencies) from the requirements of this section.