Automatic language translation
Our website uses an automatic service to translate our content into different languages. These translations should be used as a guide only. See our Accessibility page for further information.
Other relevant pieces of privacy legislation or privacy instruments
Personal information is collected and held by the NSW Victim Register on a voluntary basis and is only collected if a victim requests that they be recorded in the Register (CAS Act section 279(2)(a)(ii)).
The following types of personal information is collected by the Victims Register
The Victims Register exists for the primary purpose of notifying victims of specific information relating to an inmate convicted of committing a crime against that victim. This information includes:
The Victims Register Unit is a part of CSNSW. The inmates’ personal information held by CSNSW is used by the Victims Register Unit to inform the victim of changes in the inmate’s leave eligibility, parole, escape and release from custody.
The victim’s personal information is used to contact them for the purposes of sharing the above types of information with the victim and receiving and considering any submissions made by the victim to CSNSW.
Submissions from victims are used by CSNSW when considering approvals for leave or parole where a relevant submission has been made by the victim.
Given the sensitivity of victim related information, confidentiality is of the highest priority to the Department.
Regarding the disclosure of victim information, an inmate is not made aware that they have a victim listed on the Victims Register and no personal information regarding the victim is shared with the inmate.
The Victims Charter gives victims a legal right to be given certain information, some of which is personal information relating to an inmate who has committed a crime against that victim.
The disclosure of inmates’ information to a registered victim is authorised by the CAS Act, and therefore the exemption at section 25 of the PIPP Act and the equivalent provision of the HRIP Act applies. However, to uphold the privacy of the inmate, registered victims are only provided with the information authorised to be disclosed under the relevant provisions of the CAS Act.
Registered victims that wish to access their information held by the Department can contact the Victims Register Unit directly at victims.register@dcj.nsw.gov.au.
Other relevant pieces of privacy legislation or privacy instruments
The National Redress Scheme (‘Scheme’) is administered by the federal Department of Social Services (‘Scheme Operator’). The Department is a participating institution under the Scheme.
The Scheme collects the personal information of applicants for Redress on a voluntary basis by receiving the individual’s application for Redress. An application for Redress may include the following kinds of personal information:
The Department will receive an application for Redress from the Scheme Operator, and therefore collect and use the personal information contained in that application, in the following circumstances:
Information collected under this Scheme by the Department is used for different purposes depending on the purpose for which it was collected:
In performing its functions related to the Scheme, the Department routinely discloses personal information of redress applicants to the Scheme Operator, the Department of Social Services and NSW participating institutions, however these disclosure are authorised and/or required by the National Redress Scheme legislation, which enlivens the exemption at section 25 of the PIPP Act and the equivalent exemption at clause 11(2) of Schedule 1 to the HRIP Act. Further, the National Redress Scheme for Institutional Child Sexual Abuse Act 2018 at section 27 explicitly overrides any NSW legislation that may prevent complying with a request under the Scheme.
Disclosures may be made to the following bodies in order to enable the functions and activities laid out under the relevant Scheme legislation:
There are additional protections against disclosure of “protected information” under the National Redress Scheme for Institutional Child Sexual Abuse Act 2018, being personal information contained in applications for Redress.
All correspondence from the Scheme Operator, including the transfer of personal information is conducted through the purpose-built Scheme database PRODA, using the secure platform Kiteworks of the Department of Social Services secure email system.
The Department stores all personal information regarding redress securely on the Department’s secure database ONETrim, with security settings placed on Redress files to limit access to relevant teams.
A person can apply directly for access to any personal information this Scheme holds about them. To apply for this, contact the DSS Feedback and Complaints Team using the email: complaints@dss.gov.au or telephone: 1800 634 035.
Other relevant pieces of privacy legislation or privacy instruments
Personal information is collected by Victims Services directly from individuals as well as from health service providers and other government and non-government agencies to identify clients, provide supporting evidence for the determination of claims, in restitution proceedings and in the investigation of Charter Complaints.
Information is only used for the purpose for which it was collected, that is for client identification, the determination of client claims and applications, restitution proceeding and the investigation of alleged breaches of the Charter of Victim’s Rights.
Where nominated by a client, information may be provided to third parties to assist in providing support to meet client needs. Information, including whether a person is a client of Victims Services in any capacity is treated in the strictest of confidence at all times, and is only released to those who have a right to the information. Client information may be disclosed in proceedings before courts and tribunals as directed or required by law.
Information is stored in Victims Services' business systems (VSC and CARES) and in hard copy files, which are stored in compactus’ in secure office environments, or at the Government Records Repository. Digitised records are stored in the Department’s EDRMS, accessible only by Victims Services’ employees.
A person can apply directly to Victims Services for access to their personal information, free of charge under the PPIP Act by contacting vs@justice.nsw.gov.au.
The types of personal information collected and held by the OVA includes:
When collecting personal information OVA takes reasonable steps to ensure that the person to whom it relates is made aware of certain matters including the purpose for which it is being collected and the intended recipients of the information.
The OVA generally uses and discloses personal information for the primary purpose for which it was collected. These primary purposes include:
The OVA does not disclose or publish information that identifies individuals, or potentially identifies sub-groupings of addresses, without consent or otherwise in accordance with the PPIP Act.
Some circumstances where information may be disclosed, with consent, include:
A person can apply for a Seniors Card using the online form on the Seniors Card website, or in a Service NSW Service Centre, and their personal information will be collected by Service NSW through their MyServiceNSW Account.
This personal information is then shared with the Department, who are the agency responsible for delivering and administering the program.
Seniors Card only collects personal information that is necessary for the Department to perform its functions and will only use or disclose this information for the purposes for which it was provided. These include providing a person with their Seniors Card, annual Discount Directory, mail outs and information about activities for members. Seniors Card may also survey some members in order to improve our services.
The personal information the Department collects and holds about individuals includes information they provide when they apply for a Seniors Card or complete an online form on the Departments website. This will include a person’s name, address, date of birth and contact details.
The only personal information which the Department collects about individuals who use its website is what the person tells us about themselves, for example, by completing an online form or by sending us an email. The Department will record an individual’s email address when they send the Department an email.
Seniors Card may use a persons information to:
Seniors Card only uses or discloses an individuals personal information for the purpose for which a person provided it to the Department, unless:
All requests for access to an individual’s personal information will be processed by our Seniors Card team at Contact.SeniorsCard@facs.nsw.gov.au
The Department may provide a person’s personal information to external service providers who are contracted by the Department to perform certain functions necessary to the program on behalf of the Department, for example information technology services, mail house services and our call centre.
External service providers to whom the Department outsources these functions must sign a confidentiality agreement that prevents them from using a persons’ details for any other purpose.
The Community Justice Program (CJP) is a community forensic disability service. Individuals with an intellectual disability join the program after exiting a correctional facility. Personal Information of CJP participants is collected following a referral to the intake team where information is collected from the individual or, if the individual lacks capacity, from an authorised representative.
The Department uses the personal information of participants to deliver the program to participants, including case management, behaviour intervention, psychological therapy, drop-in support and accommodation services.
In administering programs such as the Integration Support Program (ISP), routine disclosure takes place between Ageing Disability and Home Care, NSW Health and Housing NSW in order to facilitate the multi-agency program which aims to assist participants who have complex needs and barriers to accessing coordinated services. Consent is sought from participants for this disclosure to take place as part of taking part in the program.
Many of the Department’s disability services including the CJP are delivered by non-government organisations contracted by the Department to deliver these services.
Other relevant pieces of privacy legislation or privacy instruments
Information is collected directly from applicants or authorised third parties.
The Department only uses or discloses this information for the purposes for which it was provided. These include providing a person with their Companion Card, re-issued Companion Card, direct correspondence relating to their application and updates and newsletters. Companion Card may also survey some members in order to improve our services.
Personal information may also be disclosed to the NSW Registry of Births Deaths and Marriages to ensure cards are valid and issued to recipients with an entitlement
Other relevant pieces of privacy legislation or privacy instruments
The Department provides an online portal, known as the ‘NSW Restrictive Practices Authorisation System’, which is used by service providers to record information about NDIS participants who access their services and who are subject to restrictive practices. Sensitive health and personal information, including support plans, and other medical records are uploaded by service providers to the portal as the first step in a service provider applying for restrictive practices to be applied to their client.
The Department does not collect this information directly from the client.
In responding to enquiries, the Department will sometimes collect client information from the service provider by email or phone where the Department is assisting with the upload of documents to the portal, confirming details already contained in the portal or providing guidance on NSW Restrictive Practices Policy.
The purpose of collection is to centrally record the use of restrictive practices in NSW for compliance and oversight purposes.
While the service provider is responsible for the application for restrictive practices, where requested by the service provider, the Department may assist the service provider to allocate an Independent Specialist to form part of the Restrictive Practices Authorisation Panel.
The Department’s Independent Specialist (IS) provide expert advice to the NDIS Service Providers to inform decisions about the inclusion of restrictive practices in people’s Behaviour Support Plans. This expert advice is provided during RPA Panels, following review of an RPA application and other associated documents. The Department’s IS’s are funded by the Department and are selected using a tender process.
The Department also uses information collected on the portal to assist the service provider with any enquiries regarding the requirements of an application, NSW Policy and Procedure regarding Restrictive Practices Authorisation and use of the portal generally. To prevent delay and cost in the Application process, the Department also performs high level checks to ensure all required documentation has been uploaded prior to the formation of the Panel.
The Panel, made up of the Independent Specialist, a senior staff member from the service provider, the client and a behaviour support practitioner, use the information in the portal to decide on whether to approve the application for Restrictive Practices.
Service providers seek written or verbal consent from clients or their guardian to share their personal information at a RPA panel. In addition, consent is obtained from the participant or guardian to implement any authorised restrictive practices. Responsibility for seeking consent sits with the service provider.
The Central Restrictive Practices Team uses a portal known as the NSW Restrictive Practices (RPA) System, to collect and store personal and health information. The portal is specifically designed to host this information under the Restrictive Practices Authorisation.
Given the sensitivity of the information, the NSW RPA System is designated as “OFFICIAL: Sensitive- Health Information.”
NDIS Service Providers who use the NSW RPA System are able download reports related to the data they have entered on behalf of their clients.
Dialog Information Technology (Dialog) host and provide support services for the NSW RPA System. A security assessment forms part of the contract between the Department and Dialog.
Other relevant pieces of legislation or privacy instruments
If a person is a Departmental Housing client or has engaged with a Departmental Housing service, the Department may have collected the following information about them:
This information may be collected a number of different ways:
Housing uses information about its tenants or applicants for ‘directly related’ purposes such as:
Housing NSW is a central point of contact for:
The Department shares information with the NSW Police Force via the Memorandum of Understanding. Legislation that governs this information sharing includes the Housing Act 2001, the Child and Young Persons (Care and Protection) Act 1998 and Crimes (Domestic and Personal Violence) Act 2007.
Along with the NSW Police Force and Corrective Service NSW, the Department shares information in order to provide appropriate housing assistance to a registrable person. Legislation that governs this information sharing includes Chapter 16A of the Children’s and Young Persons Care and Protection Act 1998 and Sections 19BA and 21E of the Child Protection (Offender Registration) Act 2000. The Guidelines for the Housing of Registrable Persons outlines the arrangements between each organisation in relation to exchanging information on registrable persons seeking housing assistance.
Housing also routinely makes disclosures to:
Both LAHC and AHO form part of the Department of Planning and Environment. In certain circumstances, disclosures to the LAHC and AHO are lawful under the Housing Act to allow the Department to disclose information to these agencies to support their functions under the Housing Act. Disclosures are made to pass relevant enquiries on to LAHC and AHO, which fall within the section 27A exemption of the PPIP Act.
The Department is also bound to the Commonwealth’s Centrelink Confirmation eServices (CCeS) policy in disclosing personal information about its clients or tenants, where the person has consented to that disclosure. The CCeS policy operates within the legislative requirements of the confidentiality provisions contained in various pieces of legislation administered by Centrelink, for example the Social Security (Administration) Act 1999 and the A New Family (Family Assistance) (Administration) Act 1999, as well as the Privacy Act 1988.
The Department’s Housing sometimes discloses personal and health information to the NSW Police, independent investigative bodies such as the NSW Ombudsman, or other “prescribed bodies” where permitted or required by other Acts, including:
The Department uses a number of systems and databases to records and store personal and health information collected from our clients.
Across the Department OneTRIM, a secure document management system is used to securely store client information.
Housing uses an additional database, HOMES, to record and store profiles of Housing clients.
Housing clients can access their personal information through a number of means:
Community housing providers (‘CHPs’) that partner with the Department to deliver or facilitate access to housing assistance products and services must first demonstrate a mandated level of competency and knowledge before being granted read/write access to the Department’s record management systems.
CHPs operate under the same policies and procedures as the Department for these business related functions, and are informed of and have access to the Department’s privacy, information sharing and security related policies.
CHP’s have access to the Department’s databases including the HOMES database to synchronise service delivery between the Department and the CHPs, to ensure data security and to implement the Department’s “no wrong doors” policy in the Housing space, being that a client can access services no matter what area they contact.
The Department’s Boarding Houses Team (BHT) collects Screening Tool of Entry into Assisted Boarding Houses assessments. The assessments are conducted by Australian Unity and provided by email to the BHT in accordance with their funding contract. Screening Tool assessments are a requirement of Clause 14 of the Boarding Houses Regulation 2013.
Boarding House Enforcement Officers may need to request information from the NSW Police Force regarding police attendance at an Assisted Boarding House if they believe the manager of the boarding house may be in breach of the Boarding House Regulation and the Act by failing to report the police attendance to FACS. A protocol for this is in place. This information may include:
Section 24 of the PPIP Act states that an investigative agency is not required to comply with sections 18 or 19(1) of the PPIP Act if the information concerned is disclosed to another investigative agency. The Department’s BHT meets the definition of an ‘investigative agency’ under the PPIP Act as it is a public sector agency with investigative functions that are exercisable under the authority of an Act, and the exercise of the functions may result in the Department taking or instituting proceedings against a person or body under investigation.
Boarding House Enforcement Officers may also need to make enquiries to establish the needs of a particular person if they are investigating whether any premises are an unauthorised assisted boarding house as defined under section 41 of the Boarding Houses Act 2012. In addition, these officers may also need to disclose information about people banned from a particular premise to the tenants so that the tenants are able to determine who may not enter the premises.
The information collected above is not otherwise disclosed unless there is a legal requirement to do so from another organisation or with legal authority, for example, the NSW Ombudsman.
Who the Department collects information from:
What information the Department collects:
Where the Department holds information:
Information may be used by CSNSW for activities such as:
CSNSW routinely discloses information regarding inmates or individuals subject to supervision by Community Corrections to:
This is in accordance with the Part 5 of the Privacy Code (General) 2003, the law enforcement exemption at section 23 of the PIPP Act, the exemption at section 25 of the PIPP Act or one of the exceptions at section 18 of the PIPP Act. Where the information is health information, in accordance with one of the exceptions at clause 11(1) of Schedule 1 of the HRIP Act or the exemption at clause 11(2).
CSNSW has a temporary declaration of the Commonwealth Parliament, making it an ‘enforcement agency’ for the purposes of the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act). This declaration is temporary, pending amendment of the TIA to make this permanent.
CSNSW uses a number of systems and databases to record and store personal and health information collected from our clients.
Across the Department OneTRIM, a secure document management system is used to securely store client information. CSNSW uses a version of TRIM known as EDRMS.
Due to the nature of the custodial environment, a number of CSNSW records and documents are kept as a physical hard copy. These records are stored securely at the correctional centre where they can be accessed for filing or review by correctional officers. Once an inmate leaves custody, these hardcopy documents are archived and stored in accordance with the State Records Act.
CSNSW uses an additional database, the Offender Integrated Management System (‘OIMS’). OIMS is used by the different business units of CSNSW to record details about offenders and inmates such as case notes, incidents, programs and services or employment of inmates, to record and store profiles for our Housing clients.
Individuals who have or have had contact with CSNSW can access their personal information through a number of means:
“Managed correctional centre” as defined under the Crimes (Administration of Sentences) Act 1999 (CAS Act) means “a correctional centre that is for the time being managed under a management agreement”—with Management Agreements referred to in section 238 of the CAS Act.
Under the Electronic Transactions Act 2000, any information contained in an Electronic Court Management system is taken to relate to a court's judicial functions and therefore also exempt under section 6 of the PPIP Act.
Both personal and health information can be collected and received by courts for the purpose of facilitating court proceedings. Information can be held by a court in paper-based and/or digital formats.
The use of some information within CTSD is not subject to the PIPP Act or HRIP Act, as the information relates to the “judicial functions” of a court or tribunal.
Each court or tribunal is founded based on legislation and has specific legal and administrative matters over which it has authority or jurisdiction.
Disclosure
Access to digital records held by courts are provided to other government agencies that have a shared need to access information relating to court proceedings. Those agencies include:
Access to digital information relating to court proceedings is provided to those agencies through a secure portal called Common Information Model (CIM) that each agency can subscribe to and access the information relevant to their agency’s business.
Information held in paper-based formats are held securely in court premises or transferred to a government records repository. Digital records can be held in various databases including the JusticeLink database (primary courts database), JudCom and Phoenix. Access to those databases is restricted to employees with a legitimate business reason for accessing the information held. The log-in procedure for the JusticeLink database requires officers to agree to the terms of use in accordance with the Departments Code of Conduct each time they access the database.
Paper-based administrative records relevant to court or tribunal proceedings containing personal and health information, for example, applications to postpone, waive or remit court fees, are stored separately from court proceeding documents until they no longer serve any business purpose in accordance with the General Disposal Authority GDA 28, and later securely destroyed.
Courts can also direct that certain records be sealed; those records may then only be accessed by a judicial officer or other person ordered as having permission to access. Sealed records may be retained in sealed envelopes on the court file or can be removed and held in a secure location within a court registry.
Approved credit agencies are provided information about civil judgments as permitted by court rules. This includes personal information that identifies a person against whom a judgment has been made. This information is provided to four companies Equifax (previously known as Veda) and Illion (previously known as Dunn and Bradstreet), Experian and CreditorWatch. The operation of section 27C of the PPIP Act exempts a court from complying with sections 17 (use) and 18 (disclosure) of the PPIP Act relating to using and where necessary, disclosing information to a credit reporting body and further sets out retention periods of between 2 and 5 years for information disclosed.
If a person is a party to proceedings, most courts will allow access to Court information through a request to the relevant Court Registry, depending on the information requested.
Personal and health information may be provided to and received from contracted service providers for the purpose of preparing reports to courts or supporting persons attending court. These include health services and non-government organisations such as Domestic Violence Court Advocacy Services. Access to those records is managed in accordance with legislation governing access to court records.
Other relevant pieces of privacy legislation or privacy instruments
BOCSAR collects information from Police, Courts, Corrective Services, Youth Justice and the NSW Registry of Birth Deaths and Marriages. Personal information is used for demographic breakdowns (age, address etc) as well as linking individuals between data collections (e.g. name, date of birth) when creating the Reoffending Database and now the Linked Data Asset. Additionally, BOCSAR’s Criminal Courts collection counting unit reports on ‘finalised defendant information’ (court information) so personal information such as a person’s name is used to link records within the collection.
BOCSAR’s 'unit record data' is used at the lowest level in BOCSAR to evaluate government policies, report performance against government targets such as the Premier's Priority to reduce reoffending and specifically domestic violence reoffending, publish statistical reports etc. Often, even internal uses of unit record data is conducted on de-identified personal information, therefore, in most cases, the PPIP Act will not apply to these uses.
Unit record data is only ever presented externally in an aggregate de-identified format, therefore, as the information is no longer “personal information” or “health information”, the PPIP Act and HRIP Act will not apply.
BOCSAR’s deidentified data may also be made available to external bona fide researchers on request and according to strict conditions. BOCSAR data is never used for operational purposes. It is contrary to the conditions in the Privacy Code of Practice: Bureau of Crime and Statistics and Research for this data to be used for anything other than research.
Various parts of the Department may collect, use and/or disclosure of personal information for research purposes in the public interest and report on such research publicly in a de-identified and/or aggregate way.
Section 27B of the PPIP Act provides the Department is not required to comply with the IPPs with respect to the collection, use or disclosure of personal information if the collection, use or disclosure of the information is reasonably necessary for the purpose of research, or the compilation or analysis of statistics, in the public interest. When doing so, the Department must take reasonable steps to de-identify the information or where the information cannot be de-identified, the information is not to be published in a publicly available publication. The collection, use or disclosure of the information under section 27B of PPIP must be done in accordance with the Section 27B Statutory Guideline issued by the Privacy Commissioner.
BOCSAR does not release unit record information with personal details. The exception is research requests with ethics approval for example where a cohort of data including names may be provided to BOCSAR for matching against the Reoffending Database (ROD) and the ROD data is provided back to the researcher along with the names from the original cohort. Another example is the crime victim file which will be provided to the Commonwealth government to build the National Disability Data Asset – this file will include names for adults, but Statistical Linkage Key (SLK) for Youth.
BOCSAR uses a Statistical Linkage Key when providing criminal court unit record level data to the Australia Bureau of Statistics.
FACSIAR information is collected as part of the Departments administrative functions in providing services and supports to its clients.
FACSIAR (via I-view, an external data collection agency) undertakes direct data collection as part of the Pathways of Care Longitudinal Study: Outcomes of Children and Young People in Out-of-Home Care (the POCLS). Information was collected about a cohort of children and young people who entered care for the first time between May 2010 and October 2011. Information is collected from children and young people, care givers, teachers and caseworkers. The overall aim of this study is to collect detailed information about the life course development of children who enter OOHC for the first time and the factors that influence their development in order to enable the Department to improve its service delivery in the OOHC space.
The POCLS has ethics approval from the University of NSW Human Research Ethics Committee (approval number HC10335 & HC16542), Aboriginal Health and Medical Research Council of NSW Ethics Committee (approval number 766/10), NSW Department of Education and Communities State Education Research Approval Process (SERAP, approval number 2012250), and the NSW Population & Health Services Research Ethics Committee (Ref: HREC/14/CIPHS/74 Cancer Institute NSW: 2014/12/570).
Unit record data is used within FACSIAR to:
Unit record data is predominantly used in a de-identified form, therefore, as the information is no longer “personal information” or “health information”, the PPIP Act and HRIP Act will not apply.
Unit record data is only ever presented externally in an aggregate de-identified format, therefore, as the information is no longer “personal information” or “health information”, the PPIP Act and HRIP Act will not apply.
Administrative unit record data may be made available to external researchers on request and under the following strict conditions:
The POCLS de-identified data is stored within the Secure Unified Research Environment (SURE) at the SAX Institute. Access to this information is governed by the ethics approvals and a signed Service Level Agreement.
The Department’s Inclusion and Early Intervention functions are predominantly delivered by Targeted Earlier Intervention Programs (TEI), often run by the Department’s contracted service providers.
TEI service providers collect data through a Data Exchange. This collection can only occur with a client’s consent. Collection may include the following personal information:
This consent only applies to personal information. If a client does not consent, the collection of other information about the client which does not identify them can still occur (e.g. gender, date of birth, cultural background, client outcome and satisfaction information).
The Department of Social Services (DSS) and the Department use this information in a de-identified form, therefore the PPIP act and HRIP Act do not apply. This means that these agencies cannot see a client’s personal information.
All information collected in the TEI Data Exchange is used in an aggregate, de-identified manner and therefore is not governed by the PPIP Act as it is not considered to be personal information.
Service providers must report data in an IT system called the Data Exchange. This system is hosted by the Australian Government Department of Social Services (DSS). Where an organisation stores personal information in the Data Exchange, only they can access the personal information. Strict IT security protocols prevent DSS employees from accessing personal information for any purpose other than confirming that the privacy protocols are working correctly. Storage in the Data Exchange is protected by the following:
The Inclusion and Early Intervention Unit oversees several programs and do not generally collect or store client personal information. This information is handled by program funded service providers, for example the Targeted Earlier Intervention (TEI) Program. Privacy obligations are imposed on funded service providers via their contract with the Department - the Human Services Agreement (HSA) Standard Terms. The HSA stipulates that -funded service providers must comply with privacy legislation PPIP Act, HRIP Act and the Commonwealth Privacy Act 1988.
Youth Justice’s Research and Information Unit relies on the Public Interest Directions as they permit Youth Justice (as Participating Agency) “to disclose Tier One Data relating to persons in the Project Cohort, or which is reasonably relevant to the Project, to the Data Linkage Centre” (7.1) and periodically update this information (19). It also provides details around the process of providing Tier One data to the Data Linkage Centre (16-20) and limits who can collect and disclose the required information (29).
Youth Justice deals with sensitive information relating to children, young people and their families. Youth Justice collects information on children, young people and their families in contact with Youth Justice for a range of reasons including to provide effective support and supervision, to determine eligibility for programs, to identify types and levels of need and appropriate service responses, reporting, program monitoring, quality improvement processes, program reviews and evaluations.
Youth Justice is committed to seeking the consent and / or informing the young person of a request for their personal information wherever this is reasonably possible, even in circumstances where the legislation allows the sharing of information without consent.
The Youth on Track program has Privacy, Confidentiality and Managing Disclosures Guidelines that provide a clear framework for staff for the use and disclosure of personal information and health information that is consistent with legal and policy requirements.
These guidelines set out how Youth on Track service providers are required to comply with the PPIP Act and HRIP Act regarding the collection and management of information.
Information is collected from members of the public, other government agencies or service providers, directly from families or through the ChildStory Reporter website or calls made to the Child Protection hotline.
Caseworkers employed by the Department use information obtained in connection with the Department’s child protection functions to assess whether to use the Secretary’s authority under the Children and Young Persons (Care and Protection) Act 1998, and if so, what level of intervention is required.
Personal information is used to perform a range of the Department’s functions under the Children and Young Persons (Care and Protection) Act 1998.
The Department cannot be compelled to disclose any information, including in response to a subpoena or summons, that would identify a reporter except in very limited circumstances. The Department takes the protection of reporter identities very seriously.
The Department routinely discloses information regarding the protection and welfare of children under the provisions of Chapter 16A with other “prescribed bodies”. These provisions are discussed more below.
The Department is also permitted to disclose information under the Children and Young Persons (Care and Protection) Act 1998 with different individuals, such as parents, families and carers where permitted by the Act.
The Department may be required to share personal information with statutory bodies such as the NSW Ombudsman, Children’s Guardian, Children’s Court, NSW Police and the Coroner’s Court and this is only done in strict accordance with legislation.
Child protection information is predominantly stored in the Department’s purpose built secure database ChildStory. Personal information may also be stored in securely paper files or on the Department’s database OneTRIM.
All Department staff must undergo stringent checks including criminal history checks and working with children checks and also must complete mandatory training before being given access to ChildStory. As part of this, staff must read and accept the data privacy statement, which details that personal information held by the Department must be handled in accordance with NSW privacy legislation.
Contractors and NGOs play an important role in delivering the Department’s child protection functions. Staff providing child protection services on behalf of the Department employed by a contracted service provider may be given ChildStory Partner access to carry out their functions on behalf of the Department.
Contracted service providers are bound to comply with NSW privacy legislation when performing functions on behalf of the Department under the Children and Young Persons (Care and Protection) Act 1998.
Other relevant pieces of privacy legislation or privacy instruments
The family preservation system is a program that has been recommissioned to bring all family services in the Department under one umbrella.
The new single integrated system will have three program streams: family preservation, intensive family preservation and Aboriginal family preservation.
This program, in the first stage of its recommissioning (2020-2024) will develop a minimum data set and work with contracted service providers to begin collecting data from families for example parental risk factors, demographic data, family size, ROSH reports and so on.
The collection of information by contracted service providers must be collected lawfully and where possible directly from the person.
The second stage of the recommissioning process will include opportunities to develop and implement a standardised mechanism to collect client outcomes data across all family preservation programs. This will help assess the effectiveness of services and will support the integration of lessons learned from new trial programs into the new single program structure.
Personal information cannot be used for anything not relevant to the delivery of a service such as advertising, research or marketing. However, information can be used for program or service analysis and internal reporting.
Because each of these services is contracted, it is important to explain that the Department has an immediate right of access to the following information:
The Department’s immediate right of access is required to meet its legislative obligations under the Government Information (Public Access) Act 2009 (GIPA Act).
Some of the Department’s programs that use family finding are delivered by contracted service providers.
Other relevant pieces of privacy legislation or privacy instruments
Chapter 16A of the Children and Young Persons (Care and Protection) Act 1998 (the Care Act) makes provisions for the sharing of information between prescribed bodies where the information relates to the safety, welfare and wellbeing of a child (a person under 16 years of age) or a young person (a person 16 or 17 years of age).
The Department is not required to comply with the disclosure or collection IPPs in the PPIP Act in sections 9, 10, 13, 14, 15, 17, 18 or 19 when carrying out its functions in accordance with Chapter 16A. This is because section 25 provides an exemption from compliance with those sections that where another act lawfully authorises or contemplates non-compliance. Further, section 245H of the Care Act explicitly states that no other law that restricts the disclosure of information overrides the provisions of Chapter 16A.
A written record of exchanges of information under Chapter 16A is required to be made and stored in a way that is consistent with the existing legislation (including the State Records Act 1998, Privacy and Personal Information Protection Act 1998 and the Health Records and Information Protection Act 2002).
MAPS does not collect generally personal information, however requests for information received from Office of the Secretary and Stronger Communities Cluster Ministers’ offices are generally registered by MAPS in the Department’s electronic record management systems for the purpose of the Department assisting in the formulation of a response.
Personal information may also from time to time pass through in the form of Cabinet and Executive Council minutes.
Correspondence received and registered by MAPS is allocated to specific business units to prepare Ministerial responses and/or briefing advice. In these cases, the use of this information is consistent with the purpose for which it was collected.
This use is directly related to the purpose of collection, being to respond to an enquiry, complaint or request for assistance received through correspondence to the Ministers or in a request from the NSW Parliament.
The Department may disclose personal information to other public sector agencies under the administration of the same Ministers for the purposes of informing that Minister about any matter within that administration.
The Department therefore will on occasion, disclose personal information to another agency or to the Minister’s office for the purpose of enabling responses to inquiries received by the Minister or to advise the Minister on issues under their administration.
Such disclosures are exempt from the IPP relating to disclosure because of the exemption in section 27A of the PIPP Act and or the exemption at section 28(3) of the PPIP Act.
For procurement activities, SFP collects personal and commercial information generally through agreed data requests associated with tender information, as well as personal information of members of tender evaluation panels who are required to provide personal information to manage any conflict of interest.
Across the Department, numerous divisions receive payment card data from the public which by its nature is personal information. In processing card payments, the Department applies Payment Card Industry Data Security Standards (PCIDSS), a set of comprehensive requirements for enhancing payment account data security and forms industry best practice for any entity that stores, processes and/or transmits cardholder data.
SPF manage and deliver financial services and reporting. SPF regularly accesses human resources related and summary data including personal information of Departmental employees via reporting or online data produced by Enterprise Resource Planning (ER) systems. Information gathered is obtained through specific requests for the purposes of enabling employees and vendor payments to be processed, financial statements and reports to be prepared and financial analysis and audits to be undertaken, including analysis of abnormal or significant transactions. Information may be provided to the Secretary and Audit and the Risk Committee.
All personal information is stored within secure corporate record management systems with access restricted to authorised officers and used in-line with specific accounting standards and Treasury and Audit requirements.
The Department has implemented a Federated Analytics Platform (FAP) to meet its data analytics and reporting requirements. The FAP consolidates data from across the Department to provide an integrated view of critical information. Based on the Google Cloud Platform and supported by Collibra, the FAP consists of several feature-rich tools that unlock the potential of our data to produce deeper, more meaningful insights which supports and drives Department’s business decisions.
The FAP provides a secure environment for periodic and ad hoc analysis of data to support the Department in:
Data on the FAP is collected by the Department’s divisions and business units as part of their ongoing functions. Data, including non-personal information is also collected from third parties, such as other individuals, other NSW government agencies, non-government organisations (NGOs) providing contracted services to clients on behalf of the Department and agencies in other jurisdictions.
The data includes human resources data, financial information, geospatial information and asset information. The data also includes personal and health information which is collected and used for policy making, program and service planning, service delivery, monitoring and reporting, program and service evaluation and research.
Additionally, the Department collects information relating to its client groups from data sets maintained by research bodies. Generally, this data is de-identified and/or in aggregate form.
Where possible, the Department ingests and uses de-identified data in the FAP for data analytics to minimise the risk of identifying individuals for internal reporting and dashboards.
Personal and health information may be used on the FAP for analytics, data matching and data integration to support policy making, service planning and delivery of targeted services to meet client needs. This specifically includes the following analytics:
Generally, a ‘use’ of information contained within the FAP will be for a purpose directly related to the collection of the personal information, that is a ‘use’ within the same ‘domain,’ Examples of a ‘domain’ are the divisions within the Department, for example Housing and Child Protection.
Information is de-identified before it is used across different domains. As the personal information in this case has been de-identified, the PPIP Act and HRIP Act do not apply in these circumstances.
Disclosures of information arising from the FAP are generally of non-personal information, for example de-identified information including high-level statistical analysis. In the event that personal information is to be disclosed, such a disclosure is considered on a case-by case basis to ensure compliance with the PPIP Act and any other relevant governing legislation or lawful requirement.
Data is owned, securely stored and managed by the Department on the FAP in accordance with contractual terms between the Department and the FAP provider (Google Cloud Platform). These terms include requirements to comply with privacy and record keeping laws and to store and manage information on the FAP in Australia.
Placement, storage, use, disclosure and retention/disposal of data on the FAP is governed using the Collibra data governance tool. The tool supports management of authorisations for placement of data on the FAP, access to data on the FAP, quality of data, and use and disclosure its data.
Access to the FAP is strictly limited to those with a legitimate business need and strict requirements including a criminal history check, working with children check and completion of privacy and Cyber security training.
External service providers to whom the Department outsources any functions relating to the FAP must sign a confidentiality agreement that prevents them from using of disclosing the Department’s information for any other purpose.
The Department provides legal services mainly for other divisions and business units in the Department. The Department is sometimes required to correspond with and collect personal information directly from members of the public. For example, personal information may be collected in the following circumstances:
The Department will collect information regarding the above matters directly from applicants, or where relevant, from other public sector agencies or directly from the relevant court in accordance with NSW privacy legislation.
Personal information can be used to deliver legal advice to the Department, the Attorney General or to facilitate the provision of information members of the public under the Government Information (Public Access) Act.
Where information is considered for release to members of the public in response to an application for information, the information is used for the purpose for which it was collected. Where other personal information is held by the Department as part of its other functions, this information is ordinarily used and disclosed with the consent of the person, for a directly related secondary purpose to the purpose it was collected or on another lawful basis such as a subpoena or search warrant.
As a rule, internal legal advice is treated confidentially and protected from disclosure in legal proceedings by legal professional privilege, unless waived by the Department.
In responding to subpoenas and in its work with the courts, the Department routinely discloses information as compelled by subpoenas and statutory orders.
The Department will also routinely disclose information to statutory bodies such as the NSW Ombudsman, the Information and Privacy Commissioner and the Ageing and Disability Commission in accordance with relevant statute and exemptions under the privacy legislation
· Section 4(3) of the PPIP Act provides that information or an opinion about an individual’s suitability for appointment or employment as a public sector official is not personal information for the purposes of the PPIP Act and is not subject to the Information Protection Principles. Therefore, where relevant and required HR will use and share information internally for the purposes of assessing an individuals’ suitability for employment which includes initial employment or an internal promotion or transfer.
For various reasons, such as leave management, workplace health and safety and operational requirements, we must collect the following information from employees to maintain employee records:
This information is generally collected directly from employees and is managed in accordance with the provisions of the PPIP Act and the HRIP Act. Health information may also be collected and retained consistent with our obligations under the HRIP Act.
Information of this kind is collected from individuals engaged by the Department as contractors.
Employee and contractor personal and health information is used for Human Resources purposes, for example to manage leave, managing performance, conducting payroll and making workplace adjustments.
Employees are able to access their employee records by requesting their file directly from Payroll or under the Government Information (Public Access) Act where the information requested contains information about other individuals.
Personal information is collected that is specific to the management of workers compensation injuries by the relevant Injury Management and Rehabilitation Co-ordinator (IMRC).
Personal/health information is used for the purposes of injury management, return to work and recover at work discussions plus general claims management.
Information collected by the Injury Management Unit is routinely used and disclosed to key stakeholders including injured workers and their representatives for example, the Public Service Association, their solicitor, nominated treating doctors, service providers and insurer/claims manager.
Personal information is provided to the iCare appointed insurer/claims manager to assist with overall general claims management. iCare can also engage other service providers to obtain or request personal information such as independent medical examinations, factual investigations, legal referrals where an exchange of health and or personal information takes place.
All IMRCs have access to the insurer/claims manager’s Case Management system/portal as ‘view only’ and are subject to a User Declaration confirming that access is only to be used to assist in the management of workers compensation claims.
All approvals for insurer access is signed off by the Department’s Workers Compensation & Injury Management Manager who explains the terms and conditions associated with same.
All information is stored securely on corporate records systems and the new Work Health and Safety injury management system ‘Safety Suite.’
IDS deliver technology, systems and related services to the Department and independent statutory bodies supported by IDS.
IDS do not collect personal information from members of the public. IDS collect and personal information of employees of the Department and independent statutory bodies supported by IDS which is supplied to them by the employees or others or available to them by virtue of appropriate levels of IT accesses.
Personal information of Departmental employees and officers of independent statutory bodies is used by IDS to provide information and digital support services.
Other relevant pieces of legislation
The Telematics system is a GPS tracking system which electronically identifies and continuously records a driver's trip aimed to keep employees safe. Telematics devices will collect data on driver actions and vehicle usage, which includes employee personal information to ensure driver safety and safe vehicle handling.
The following information will be collected by the Department for Fleet vehicles with the Telematics device:
In February 2021, the NSW Procurement Board mandated the implementation of Telematics for passenger vehicles across the NSW Government fleet of work-use vehicles. Telematics is a component of the NSW Government Travel and Transport Policy (“Policy”) which is intended to provide a framework for all NSW Government agencies and officials who are travelling using public money.
The information collected by the Telematics system is used for the purpose of:
· Complying with the Policy;
The information may also be used for research or the compilation or analysis of statistics and reporting purposes. As a NSW government agency, the Department is required to comply with this Policy.
It may also be used by the Department or disclosed to a third party if the use/ disclosure is required or authorised by law (e.g. subpoena or other statutory requirement), the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of an individual, to enable the Department to comply with law enforcement requests and functions or to investigate employee misconduct or misuse of public funds.
Access to the information collected and held via Telematics devices and any amendments to this information should be directed to the Fleet Management Team (fleet_services@dcj.nsw.gov.au).
Information is stored and securely maintained on the Telematics system. Once information is collected by the Telematics system, the recorded information is then transmitted via mobile phone or satellite networks to the Telematics suppliers’ applications and is presented on a software platform, accessible to Departmental staff, drivers and Telematics supplier’s staff. Navman is the Department’s supplier.
The personal information collected via Telematics will be provided to a third party for the purposes of it supplying and providing support services for Telematics devices that are installed on the Department’s fleet vehicle.
The Process and Technology Harmonisation (PaTH) Program consolidates multiple versions of SAP to a new system called myWorkZone to be used across six NSW Government portfolios, to one core technology to simplify our corporate and shared service system and support:
On 3 July 2023, myWorkZone was launched for 13,000 staff across the Department (excluding Corrective Services and Youth Justice which will be moved to PaTH in mid 2024).
A Public Interest Direction relating to the PaTH program was made under section 41(1) of the PPIP Act on 31 January 2023 and has effect for a period of three years. The direction exempts or modifies certain IPPs as they apply to a ‘Shared Services Hub Operator.’
The personal and health information handled in the PaTH Program and stored in AESG 2.0 falls within five general categories:
In the first stage of PaTH, personal information held by the 40 agencies from the Stronger Communities, Planning and Environment, Regional NSW and Premier and Cabinet clusters will provide their data to the Department for collection and inclusion in the program.
The PaTH Program will progressively consolidate shared services operations and enterprise resource planning (“ERP”) systems across NSW government agencies by standardising processes, technology and other supporting systems.
In the first stage the Department will administer a scalable ERP platform (“AESG 2.0”) and a shared services operating model. In administering this program, the Department will have access to some or all of the data held by the program for the purposes of providing shared services to these agencies and will only access and use the data for these purposes.
The information may also be used for research or the compilation or analysis of statistics and reporting purposes.
This consolidation aims to reduce costs and improve efficiency, productivity, data quality and workforce agility and mobility across the NSW public sector.
Security and Storage
Personal information will be collected and stored on the AESG 2.0, being the ERP system selected for use by the PaTH program.
This is a secure system that allows agencies to access information about their own employees, with the Department having greater access for the purpose of delivering the shared services model.
Employees seeking access to the information held on AESG 2.0 or to amend this information should contact their own agency employer.
Under section 6(1) of the PIPP Regulations, smaller Statutory Bodies who are supported by the Department are exempt from the requirement to have a Privacy Management Plan, where the Plan of another agency states that the Plan extends to those other bodies.
This Privacy Management Plan extends to the below Statutory Bodies supported by the Department:
The NSW Law Reform Commission & Sentencing Council generally publishes submissions on its website and refers to submissions in its publications. Sometimes submissions include personal information. The NSW Law Reform Commission & Sentencing Council will always seek the consent of the person to whom the information relates before publishing it. When the NSW Law Reform Commission & Sentencing Council accesses personal information as part of a research project, for example, information contained in a confidential court case, the information is always de-identified prior to it being published.
It is the practice of the NSW Law Reform Commission to keep submissions published on their website indefinitely as part of a record of the review process and to assist in the analysis of their reports.
The Public Defender's Office uses information provided by their clients either via their solicitors or obtained from other sources for the purpose of providing legal representation in serious criminal cases and may collect information in the course of legal representation in courts. The office will only disclose information to other parties representing their clients including the solicitor, any paralegals or when seeking reports from forensic witnesses such as psychiatrists, psychologists or similar. Individuals who are not employees such as students undertaking internships or other placements are required to sign a confidentiality form and are given specific directions on the handling of information.
Anti-Discrimination NSW handles personal information in order to administer the Anti‑Discrimination Act 1977 (NSW) (ADA) which makes it unlawful to discriminate in specified areas of public life against a person on grounds which include their sex, race, age, disability, homosexuality, marital or domestic status, transgender status and carer’s responsibilities or vilify on the grounds of race, homosexuality, transgender status or HIV/AIDS status is also unlawful. Personal and health information is handled in accordance with this Privacy Management Plan and relevant legislative requirements.
Anti-Discrimination NSW is not required to comply with the use and disclosure HPPs in relation to its complaint handling, investigative, review and reporting functions (Schedule 1, clauses 10(3) and 11(3) of HRIPA).
The Office of the Legal Services Commissioner receives and deals with complaints about lawyers or law practices in accordance with the exercise of the Office of the Legal Services Commissioner's statutory functions under the Legal Profession Uniform Law (NSW). The Office of the Legal Services Commissioner is subject to a general statutory prohibition on the disclosure of any information obtained in the administration of the Legal Profession Uniform Law (see section 462), unless a specified exception applies under section 462(2).
The Office of the Legal Services Commissioner is considered an ‘investigative agency’ for the purposes of section 3 of the PPIP Act and is therefore not required to comply with certain provisions of the PPIP Act in accordance with section 24 of the PPIP Act when exercising investigative functions.
23 Oct 2023