You are using a version of the website built for webcrawlers and people whose devices cannot use javascript. Some functionality may not be available.
Contents (1998 - 133)
Skip contents
Privacy and Personal Information Protection Act 1998 No 133
Current version for 1 July 2017 to date (accessed 23 September 2017 at 19:05)
Part 4
Part 4 Privacy Commissioner
Division 1 Appointment of Privacy Commissioner
34   Appointment of Privacy Commissioner
(1)  The Governor may appoint a Privacy Commissioner.
(2)  The Privacy Commissioner holds office for such term not exceeding 5 years as may be specified in the instrument of appointment, but is eligible (if otherwise qualified) for re-appointment.
(3)  A person is not eligible to be appointed for more than 2 terms of office as Privacy Commissioner (whether or not consecutive terms).
(4)  A person is not eligible to be appointed as Privacy Commissioner or to act in that office if the person is the Information Commissioner.
(5)  A person is not eligible to be appointed as Privacy Commissioner or to act in that office if the person is a member of the Legislative Council or of the Legislative Assembly or is a member of a House of Parliament or legislature of another State or Territory or of the Commonwealth.
(6)  The Privacy Commissioner may be appointed on a full-time or part-time basis. If the Privacy Commissioner is appointed to office on a full-time basis, the Privacy Commissioner is required to hold the office on that basis except to the extent permitted by the Governor.
35   Veto of proposed appointment of Privacy Commissioner
(1)  A person is not to be appointed as Privacy Commissioner until:
(a)  a proposal that the person be so appointed has been referred to the Joint Committee under section 31BA of the Ombudsman Act 1974, and
(b)  the period that the Committee has under that section to veto the proposed appointment has ended without the Committee having vetoed the proposed appointment or the Committee notifies the Minister that it has decided not to veto the proposed appointment.
(2)  A person may be proposed for appointment on more than one occasion.
(3)  In this section, appointment includes re-appointment.
35A   Remuneration
(1)  The Privacy Commissioner is entitled to be paid:
(a)  remuneration in accordance with the Statutory and Other Offices Remuneration Act 1975, and
(b)  such travelling and subsistence allowances as the Minister may from time to time determine.
(2)  The Privacy Commissioner is not, if a Judge of a New South Wales Court and while receiving remuneration as such a Judge, entitled to remuneration under this Act.
35B   Vacancy in office
The office of Privacy Commissioner becomes vacant if the holder:
(a)  dies, or
(b)  completes a term of office and is not re-appointed, or
(c)  resigns the office by instrument in writing addressed to the Governor, or
(d)  is nominated for election as a member of the Legislative Council or of the Legislative Assembly or as a member of a House of Parliament or a legislature of another State or Territory or of the Commonwealth, or
(e)  becomes bankrupt, applies to take the benefit of any law for the relief of bankrupt or insolvent debtors, compounds with his or her creditors or makes an assignment of his or her remuneration for their benefit, or
(f)  becomes a mentally incapacitated person, or
(g)  is convicted in New South Wales of an offence that is punishable by imprisonment for 12 months or more or is convicted elsewhere than in New South Wales of an offence that, if committed in New South Wales, would be an offence so punishable, or
(h)  is removed from office under section 35C.
35C   Removal from office
(1)  The Governor may remove the Privacy Commissioner from office on the address of both Houses of Parliament.
(2)  The Governor may suspend the Privacy Commissioner from office:
(a)  for misbehaviour, or
(b)  for incapacity, or
(c)  if the Privacy Commissioner is absent from duty for a period in excess of his or her leave entitlement as approved by the Governor unless the absence is caused by illness or other unavoidable cause.
(3)  The Minister is to lay or cause to be laid before each House of Parliament, within 7 sitting days of that House after the Privacy Commissioner has been suspended from office, a full statement of the grounds for the suspension.
(4)  The suspension is to be lifted unless each House of Parliament, within 21 sitting days from the time when the statement was laid before it, declares by resolution that the Privacy Commissioner ought to be removed from office.
(5)  If each House does so declare within that period, the Privacy Commissioner is to be removed from office by the Governor.
(6)  For the purposes of this section, sitting days are to be counted whether or not they occur in the same session.
35D   Filling of vacancy
If the office of Privacy Commissioner becomes vacant, a person is, subject to this Act, to be appointed to fill the vacancy.
35E   Privacy Commissioner a statutory officer and not Public Service employee
The office of Privacy Commissioner is a statutory office and the provisions of the Government Sector Employment Act 2013 relating to the employment of Public Service employees do not apply to that office.
35F   Appointment of acting Privacy Commissioner
(1)  The Minister may, from time to time, appoint a person to act in the office of the Privacy Commissioner during the illness or absence of the Privacy Commissioner or during a vacancy in the office of the Privacy Commissioner. The person, while so acting, has all the functions of the Privacy Commissioner and is taken to be the Privacy Commissioner.
(2)  The Minister may, at any time, remove a person from office as acting Privacy Commissioner.
(3)  An acting Privacy Commissioner is entitled to be paid such remuneration (including travelling and subsistence allowances) as the Minister may from time to time determine.
35G   Staff of Privacy Commissioner
Persons may be employed in the Public Service under the Government Sector Employment Act 2013 to enable the Privacy Commissioner to exercise his or her functions.
Note.
 Section 59 of the Government Sector Employment Act 2013 provides that the persons so employed (or whose services the Privacy Commissioner makes use of) may be referred to as officers or employees, or members of staff, of the Privacy Commissioner. Section 47A of the Constitution Act 1902 precludes the Privacy Commissioner from employing staff.
35H   Delegation
The Privacy Commissioner may delegate the exercise of any function of the Privacy Commissioner (other than this power of delegation) to:
(a)  any member of staff of the Privacy Commissioner, or
(b)  any person, or any class of persons, authorised for the purposes of this section by the regulations.
Division 2 Functions of Privacy Commissioner
36   General functions
(1)  The Privacy Commissioner has such functions as are conferred or imposed on the Commissioner by or under this or any other Act.
(2)  In particular, the Privacy Commissioner has the following functions:
(a)  to promote the adoption of, and monitor compliance with, the information protection principles,
(b)  to prepare and publish guidelines relating to the protection of personal information and other privacy matters, and to promote the adoption of such guidelines,
(c)  to initiate and recommend the making of privacy codes of practice,
(d)  to provide assistance to public sector agencies in adopting and complying with the information protection principles and privacy codes of practice,
(e)  to provide assistance to public sector agencies in preparing and implementing privacy management plans in accordance with section 33,
(f)  to conduct research, and collect and collate information, about any matter relating to the protection of personal information and the privacy of individuals,
(g)  to provide advice on matters relating to the protection of personal information and the privacy of individuals,
(h)  to make public statements about any matter relating to the privacy of individuals generally,
(i)  to conduct education programs, and to disseminate information, for the purpose of promoting the protection of the privacy of individuals,
(j)  to prepare and publish reports and recommendations about any matter (including developments in technology) that concerns the need for, or the desirability of, legislative, administrative or other action in the interest of the privacy of individuals,
(k)  to receive, investigate and conciliate complaints about privacy related matters (including conduct to which Part 5 applies),
(l)  to conduct such inquiries, and make such investigations, into privacy related matters as the Privacy Commissioner thinks appropriate.
(3)  The Privacy Commissioner must consult with the Information Commissioner before preparing any guidelines concerning the information protection principle set out in section 18 (Limits on disclosure of personal information).
37   Requirement to give information
(1)  The Privacy Commissioner may, in connection with the exercise of the Privacy Commissioner’s functions, require any person or public sector agency:
(a)  to give the Privacy Commissioner a statement of information, or
(b)  to produce to the Privacy Commissioner any document or other thing, or
(c)  to give the Privacy Commissioner a copy of any document.
(2)  The Privacy Commissioner is not to make any such requirement if it appears to the Privacy Commissioner that:
(a)  the person or public sector agency concerned does not consent to compliance with the requirement, and
(b)  the person or public sector agency would not, in court proceedings, be required to comply with a similar requirement on the grounds of public interest, privilege against self-incrimination or legal professional privilege.
(3)  A requirement under this section must be in writing, must specify or describe the information, document or thing required, and must specify the time and manner for complying with the requirement.
(4)  This section does not confer any function on the Privacy Commissioner that may be exercised in relation to the Independent Commission Against Corruption.
38   Inquiries and investigations
(1)  For the purposes of any inquiry or investigation conducted by the Privacy Commissioner under this Act (including in relation to a complaint made under Division 3 of this Part), the Privacy Commissioner has the powers, authorities, protections and immunities conferred on a commissioner by Division 1 of Part 2 of the Royal Commissions Act 1923, and that Act (section 13 and Division 2 of Part 2 excepted) applies (subject to this section) to any witness summoned by or appearing before the Privacy Commissioner in the same way as it applies to a witness summoned by or appearing before a commissioner.
(2)  Subsection (1) does not confer any function on the Privacy Commissioner that may be exercised in relation to the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, Law Enforcement Conduct Commission, Inspector of the Law Enforcement Conduct Commission, staff of the Inspector of the Law Enforcement Conduct Commission or New South Wales Crime Commission.
(3)  Any inquiry or investigation conducted by the Privacy Commissioner under this Act is to be conducted in the absence of the public, except as otherwise directed by the Privacy Commissioner.
(4)  The Privacy Commissioner, in the course of conducting an inquiry or investigation under this Act, must set aside any requirement:
(a)  to give any statement of information, or
(b)  to produce any document or other thing, or
(c)  to give a copy of any document, or
(d)  to answer any question,
if it appears to the Privacy Commissioner that the person concerned does not consent to compliance with the requirement and the person would not, in court proceedings, be required to comply with a similar requirement on the grounds of public interest, privilege against self-incrimination or legal professional privilege. However, the person must comply with any such requirement despite any duty of secrecy or other restriction on disclosure.
(5)  A person is not entitled to be represented by another person at an inquiry or investigation conducted by the Privacy Commissioner except with the leave of the Privacy Commissioner.
(6)  The Privacy Commissioner may allow any person appearing before the Privacy Commissioner to have the services of an interpreter.
39   General procedure for inquiries and investigations
The Privacy Commissioner:
(a)  may determine the procedures to be followed in exercising the Privacy Commissioner’s functions under this Act, including the procedures to be followed at an inquiry or investigation conducted by the Privacy Commissioner, and
(b)  is to act in an informal manner (including avoiding conducting formal hearings) as far as possible, and
(c)  is not bound by the rules of evidence and may inform himself or herself on any matter in any way that the Privacy Commissioner considers to be just, and
(d)  is to act according to the substantial merits of the case without undue regard to technicalities.
40   Personal information digest
(1)  The Privacy Commissioner may, from time to time, prepare and publish a personal information digest setting out the nature and source of personal information held by public sector agencies.
(2)  Any such personal information digest is to be made publicly available.
(3)  The Privacy Commissioner may, from time to time, require a public sector agency to provide the Privacy Commissioner with such details relating to the personal information held by the agency as the Commissioner may require. The public sector agency must comply with the requirement.
(4)  This section does not apply to personal information held by the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, the Law Enforcement Conduct Commission, the Inspector of the Law Enforcement Conduct Commission, the staff of the Inspector of the Law Enforcement Conduct Commission or the New South Wales Crime Commission.
41   Exempting agencies from complying with principles and codes
(1)  The Privacy Commissioner, with the approval of the Minister, may make a written direction that:
(a)  a public sector agency is not required to comply with an information protection principle or a privacy code of practice, or
(b)  the application of a principle or a code to a public sector agency is to be modified as specified in the direction.
(2)  Any such direction has effect despite any other provision of this Act.
(3)  The Privacy Commissioner is not to make a direction under this section unless the Privacy Commissioner is satisfied that the public interest in requiring the public sector agency to comply with the principle or code is outweighed by the public interest in the Privacy Commissioner making the direction.
42   Information about compliance arrangements
(1)  The Privacy Commissioner may require a public sector agency to provide the Commissioner with information concerning the arrangements that have been made by the agency to enable the agency to comply with the information protection principles, and any privacy code of practice, applying to the agency.
(2)  Any such requirement must be in writing and specify a time for complying with the requirement.
(3)  This section does not confer any function on the Privacy Commissioner that may be exercised in relation to the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, Law Enforcement Conduct Commission, Inspector of the Law Enforcement Conduct Commission, staff of the Inspector of the Law Enforcement Conduct Commission, New South Wales Crime Commission or Ombudsman’s Office.
43   Disclosure of Cabinet or Executive Council information
(1)  Nothing in this Act or the Health Records and Information Privacy Act 2002 authorises the Privacy Commissioner to require any person or public sector agency to disclose Cabinet information or Executive Council information.
(2)  The Secretary or General Counsel of the Department of Premier and Cabinet may certify that information is Cabinet information. Any such certificate:
(a)  is conclusive of that fact, and
(b)  authorises any person or agency who would otherwise be required under this Act or the Health Records and Information Privacy Act 2002 to disclose the information concerned to refuse to disclose it.
(3)  In this section:
Cabinet information means information that is Cabinet information under the Government Information (Public Access) Act 2009.
Executive Council information means information that is Executive Council information under the Government Information (Public Access) Act 2009.
44   (Repealed)
44A   Oversight of functions by Joint Committee
(1)  The Joint Committee has the following functions under this Act:
(a)  to monitor and review the exercise by the Privacy Commissioner of the Privacy Commissioner’s functions,
(b)  to report to both Houses of Parliament, with such comments as it thinks fit, on any matter appertaining to the Privacy Commissioner or connected with the exercise of the Privacy Commissioner’s functions to which, in the opinion of the Joint Committee, the attention of Parliament should be directed,
(c)  to examine each annual and other report of the Privacy Commissioner and report to both Houses of Parliament on any matter appearing in, or arising out of, any such report,
(d)  to recommend to both Houses of Parliament any changes to the functions of the Privacy Commissioner that the Joint Committee thinks desirable,
(e)  to inquire into any question in connection with its functions which is referred to it by both Houses of Parliament, and report to both Houses on that question.
(2)  Nothing in this section authorises the Joint Committee:
(a)  to investigate a matter relating to any particular conduct, or
(b)  to reconsider any decision to investigate, not to investigate or to discontinue investigation of any particular matter, or
(c)  to reconsider the findings, recommendations or other decisions of the Privacy Commissioner in relation to any particular matter.
(3)  The provisions of Part 4A of the Ombudsman Act 1974 apply in relation to the Joint Committee’s functions under this Act in the same way as they apply in relation to the Joint Committee’s functions under that Act.
(4)  In this section:
Joint Committee means the Committee on the Ombudsman, the Law Enforcement Conduct Commission and the Crime Commission constituted under the Ombudsman Act 1974 or such other joint committee of members of Parliament as may be appointed to exercise the functions of the Joint Committee under this Act.
Division 3 Complaints relating to privacy
45   Making of privacy related complaints
(1)  A complaint may be made to (or by) the Privacy Commissioner about the alleged violation of, or interference with, the privacy of an individual.
(2)  The subject-matter of a complaint may relate to conduct to which Part 5 applies (unless it is conduct that is alleged to have occurred before the commencement of that Part).
Note.
 Section 21 of the Health Records and Information Privacy Act 2002 provides that certain conduct under that Act by public sector agencies is conduct to which Part 5 of this Act applies.
(2A)  A complaint about a matter referred to in section 42 of the Health Records and Information Privacy Act 2002 is not to be dealt with under this Division but is to be dealt with by the Privacy Commissioner as a complaint under Part 6 of that Act.
Note.
 Section 42 of that Health Records and Information Privacy Act 2002 provides that a complaint may be made to the Privacy Commissioner about the alleged contravention by a private sector person of a Health Privacy Principle, a provision of Part 4 (Provisions for private sector persons) of that Act or a health privacy code of practice.
(3)  A complaint may be in writing or verbal, but the Privacy Commissioner may require a verbal complaint to be put in writing.
(4)  The Privacy Commissioner may require information about a complaint to be provided by the complainant in a particular manner or form, and may require a complaint to be verified by statutory declaration.
(5)  A complaint must be made within 6 months (or such later time as the Privacy Commissioner may allow) from the time the complainant first became aware of the conduct or matter the subject of the complaint.
(6)  A complainant may amend or withdraw a complaint.
46   Preliminary assessment of privacy related complaints
(1)  The Privacy Commissioner may conduct a preliminary assessment of a complaint made under this Division for the purpose of deciding whether to deal with the complaint.
(2)  If the subject-matter of the complaint relates to conduct to which Part 5 applies, the Privacy Commissioner must inform the complainant of the review process under that Part and the remedial action that may be available if the complainant decides to make an application under section 53 in respect of that conduct.
(3)  The Privacy Commissioner may decide not to deal with a complaint if the Privacy Commissioner is satisfied that:
(a)  the complaint is frivolous, vexatious or lacking in substance, or is not in good faith, or
(b)  the subject-matter of the complaint is trivial, or
(c)  the subject-matter of the complaint relates to a matter permitted or required by or under any law, or
(d)  there is available to the complainant an alternative, satisfactory and readily available means of redress, or
(e)  it would be more appropriate for the complainant to make an application under section 53.
47   Referring privacy related complaints to other authorities
(1)  The Privacy Commissioner may refer a complaint made under this Division for investigation or other action to any person or body (the relevant authority) considered by the Privacy Commissioner to be appropriate in the circumstances.
(2)  The Privacy Commissioner may communicate to the relevant authority any information that the Privacy Commissioner has obtained in relation to the complaint.
(3)  The Privacy Commissioner may only refer a complaint to a relevant authority after appropriate consultation with the complainant and the relevant authority, and after taking their views into consideration.
48   Dealing with privacy related complaints
(1)  If the Privacy Commissioner decides to deal with a complaint made under this Division, the Privacy Commissioner may:
(a)  deal with the complaint, and
(b)  make such inquiries and investigations in relation to the complaint as the Privacy Commissioner thinks appropriate.
(2)  If the Privacy Commissioner declines to deal with a complaint, the Privacy Commissioner must advise the complainant of the reasons for declining to deal with the complaint.
49   Resolution of privacy related complaints by conciliation
(1)  In dealing with a complaint made under this Division, the Privacy Commissioner must endeavour to resolve the complaint by conciliation.
(2)  The Privacy Commissioner may by written notice request the complainant, and the person or body against whom the complaint is made (the respondent), to appear before the Privacy Commissioner in conciliation proceedings.
(3)  If a respondent that is a public sector agency receives any such notice, the agency must comply with the terms of the notice.
Maximum penalty (subsection (3)): 50 penalty units.
(4)  The parties to any such conciliation proceedings before the Privacy Commissioner are not entitled to be represented by any other person except by leave of the Privacy Commissioner.
(5)  The procedures for conciliation are to be determined by the Privacy Commissioner.
50   Reports and recommendations of Privacy Commissioner
(1)  The Privacy Commissioner may make a written report as to any findings or recommendations by the Privacy Commissioner in relation to a complaint dealt with by the Commissioner under this Division.
(2)  The Privacy Commissioner may give a copy of any such report to the complainant, and to such other persons or bodies as appear to be materially involved in matters concerning the complaint.
51   Effect of dealing with privacy related complaints under this Division
Even though the Privacy Commissioner declines to deal with a complaint under this Division, or decides to refer the complaint to a relevant authority, the Privacy Commissioner may conduct an inquiry or investigation into any general issues or matters raised in connection with the complaint.