Communities and Justice

Functional areas of the Department


Victims Register

Other relevant pieces of privacy legislation or privacy instruments

  • Part 16 of the Crimes (Administration of Sentences) Act 1999 (CAS Act).
  • Victims Rights and Support Act 2013


Personal information is collected and held by the NSW Victim Register on a voluntary basis and is only  collected if a victim requests that they be recorded in the Register (CAS Act section 279(2)(a)(ii)).

The following types of personal information is collected by the Victims Register

  • Information relating to an adult offender including sentencing details, impending release or changes to the offenders earliest possible release date, changes in the offender’s classification, if the offender will be considered for parole, escape or eligibility for absence from custody of an offender, the death of an offender in custody or a transfer to another jurisdiction or immigration detention facility.
  • The personal information of the victim, including the name, address and telephone number of the victim and/ or their nominated representative.
  • The victim’s application and any attachments or documents attached, any correspondence from the victim and any submissions the victim might make to CSNSW, for example regarding parole.


The Victims Register exists for the primary purpose of notifying victims of specific information relating to an inmate convicted of committing a crime against that victim. This information includes:

  • Change to an offender’s earliest possible release date;
  • The security classification of the offender;
  • The eligibility of the offender for parole, or when they have been granted parole;
  • ·         If an offender has been given a leave permit.

The Victims Register Unit is a part of CSNSW. The inmates’ personal information held by CSNSW is used by the Victims Register Unit to inform the victim of changes in the inmate’s leave eligibility, parole, escape and release from custody.

The victim’s personal information is used to contact them for the purposes of sharing the above types of information with the victim and receiving and considering any submissions made by the victim to CSNSW.

Submissions from victims are used by CSNSW when considering approvals for leave or parole where a relevant submission has been made by the victim.


Given the sensitivity of victim related information, confidentiality is of the highest priority to the Department.

Regarding the disclosure of victim information, an inmate is not made aware that they have a victim listed on the Victims Register and no personal information regarding the victim is shared with the inmate.

The Victims Charter gives victims a legal right to be given certain information, some of which is personal information relating to an inmate who has committed a crime against that victim.

The disclosure of inmates’ information to a registered victim is authorised by the CAS Act, and therefore the exemption at section 25 of the PIPP Act and the equivalent provision of the HRIP Act applies. However, to uphold the privacy of the inmate, registered victims are only provided with the information authorised to be disclosed under the relevant provisions of the CAS Act.


Registered victims that wish to access their information held by the Department can contact the Victims Register Unit directly at

National Redress Scheme

Other relevant pieces of privacy legislation or privacy instruments

  • National Redress Scheme for Institutional Child Sexual Abuse Act 2018
  • National Redress Scheme for Institutional Child Sexual Abuse Rules 2018


The National Redress Scheme (‘Scheme’) is administered by the federal Department of Social Services (‘Scheme Operator’). The Department is a participating institution under the Scheme.

The Scheme collects the personal information of applicants for Redress on a voluntary basis by receiving the individual’s application for Redress. An application for Redress may include the following kinds of personal information:

  • personal information about an applicant such as a name, gender, age, date of birth, bank details, ethnicity and other contact details;
  • information about an applicant’s circumstances, such as any power of attorney, guardianship, or financial management order; nominee details; cultural and linguistic background and language preferences; relevant disabilities, or citizenship and residency information; and
  • personal information specific to the redress application such as: a description of the abuse and impact of the abuse, information about their attendance at a an institution(s), childhood living arrangements (e.g. foster care, orphanage, youth detention), information about the alleged abuser, any documents to support the application (e.g., police reports, witness statements, testimonies or signed statements, photographs, doctor’s certificate), whether the applicant has received any prior payments in relation to the abuse disclosed, whether the applicant has accessed any redress support services to assist with an application, any criminal convictions that resulted in a single conviction with imprisonment for a period of 5 years or more and any information about other people who knew about the abuse.

The Department will receive an application for Redress from the Scheme Operator, and therefore collect and use the personal information contained in that application, in the following circumstances:

  • The NSW Central Coordination Team receives all applications for Redress made under the Commonwealth legislation where the alleged abuse occurred in a NSW institution. The function of the Central Coordination Team is performed by the Victims Services Unit within the Department.
  • Where the Scheme Operator requires further information from the Department as the alleged abuse occurred in an institution administered by the Department or a historic institution administered by the Department or the former Department(s);
  • Where the Scheme Operator is required to request advice from the NSW Specified Advisor on whether an application for Redress should be prevented from proceeding because the applicant is in custody or the applicant has been convicted of a ‘serious criminal conviction’ (section 63 of the National Redress Scheme for Institutional Child Sexual Abuse Act 2018).


Information collected under this Scheme by the Department is used for different purposes depending on the purpose for which  it was collected:  

  • Where information is collected by the Central Coordination Team regarding other NSW Institutions, the information is used to communicate with NSW institutions about a request for information from the Scheme Operator, the acceptance or rejection of an offer for Redress, to provide counselling and psychological services, to arrange for a personal response to an applicant and to make redress payments;
  • In responding to requests for information from the Scheme Operator to confirm, the personal information of the applicant contained in the application for Redress is used to confirm details and information about the applicant’s time in an institution and to search the Department’s record holdings for corresponding and relevant information about the applicant to support their application for Redress;
  • Where the NSW Specified Advisor is required to give advice to the Scheme Operator, personal information contained in the application for Redress is used to formulate the advice in accordance with the criteria at section 63 of the National Redress Scheme for Institutional Child Sexual Abuse Act 2018 and the NSW Framework.


In performing its functions related to the Scheme, the Department routinely discloses personal information of redress applicants to the Scheme Operator, the Department of Social Services and NSW participating institutions, however these disclosure are authorised and/or required by the National Redress Scheme legislation, which enlivens the exemption at section 25 of the PIPP Act and the equivalent exemption at clause 11(2) of Schedule 1 to the HRIP Act. Further, the National Redress Scheme for Institutional Child Sexual Abuse Act 2018 at section 27 explicitly overrides any NSW legislation that may prevent complying with a request under the Scheme.

Disclosures may be made to the following bodies in order to enable the functions and activities laid out under the relevant Scheme legislation:

  • an independent decision maker appointed under the National Redress legislation to consider an application;
  • the Australian Criminal Intelligence Commission, to undertake police/criminal checks;
  • Services Australia and/or the Department of Veterans Affairs, to undertake proof of identity checks and confirmation of the Centrelink CRN or DVA number;
  • the relevant Attorney(s)-General (Commonwealth and/or state and territory), and their relevant government agencies in connection with decisions about applications by persons with serious criminal convictions, or in gaol;
  • Australian embassies and consulates if an application for redress is made from outside of Australia;
  • contracted service providers of support and/or counselling and psychological care services;
  • a nominee;
  • the relevant participating institution(s);
  • other relevant third parties including bodies that may assist with fraud, compliance and administrative functions.

There are additional protections against disclosure of “protected information” under the National Redress Scheme for Institutional Child Sexual Abuse Act 2018, being personal information contained in applications for Redress.

Storage and Security

All correspondence from the Scheme Operator, including the transfer of personal information is conducted through the purpose-built Scheme database PRODA, using the secure platform Kiteworks of the Department of Social Services secure email system.

The Department stores all personal information regarding redress securely on the Department’s secure database ONETrim, with security settings placed on Redress files to limit access to relevant teams.


A person can apply directly for access to any personal information this Scheme holds about them. To apply for this, contact the DSS Feedback and Complaints Team using the email: or telephone: 1800 634 035.

Victims Services

Other relevant pieces of privacy legislation or privacy instruments

  • Victims Rights and Support Act 2013


Personal information is collected by Victims Services directly from individuals as well as from health service providers and other government and non-government agencies to identify clients, provide supporting evidence for the determination of claims, in restitution proceedings and in the investigation of Charter Complaints.


Information is only used for the purpose for which it was collected, that is for client identification, the determination of client claims and applications, restitution proceeding and the investigation of alleged breaches of the Charter of Victim’s Rights.


Where nominated by a client, information may be provided to third parties to assist in providing support to meet client needs. Information, including whether a person is a client of Victims Services in any capacity is treated in the strictest of confidence at all times, and is only released to those who have a right to the information. Client information may be disclosed in proceedings before courts and tribunals as directed or required by law.

Storage and Security

Information is stored in Victims Services' business systems (VSC and CARES) and in hard copy files, which are stored in compactus’ in secure office environments, or at the Government Records Repository. Digitised records are stored in the Department’s EDRMS, accessible only by Victims Services’ employees.


A person can apply directly to Victims Services for access to their personal information, free of charge under the PPIP Act by contacting

Veterans and Seniors

Office of Veteran Affairs


The types of personal information collected and held by the OVA includes:

  • photographs and film footage including that of Premier's Anzac Memorial Scholarship students, names, date of birth, occupation, marital status, residential details, telephone numbers, email addresses, social media profiles, details of parents, school and or education details, employment and or business details such as ABN's, passport information, account and banking information
  • medical and health care and treatment information, risk management information for student behaviour
  • service history and employment information.

When collecting personal information OVA takes reasonable steps to ensure that the person to whom it relates is made aware of certain matters including the purpose for which it is being collected and the intended recipients of the information.


The OVA generally uses and discloses personal information for the primary purpose for which it was collected. These primary purposes include:

  • administering the Premier's Anzac Memorial Scholarship, and related educational initiatives
  • running specific grants programs
  • delivering commemorative programs delivering the Veterans employment program
  • employment and personnel matters for the Department's employees and contractors


The OVA does not disclose or publish information that identifies individuals, or potentially identifies sub-groupings of addresses, without consent or otherwise in accordance with the PPIP Act.

Some circumstances where information may be disclosed, with consent, include:

  • advertising for scholarships
  • advertising grants program
  • to Department of Education and Catholic/private schools for relevant programs in relation to the Veterans Employment Program

Seniors Card


A person can apply for a Seniors Card using the online form on the Seniors Card website, or in a Service NSW Service Centre, and their personal information will be collected by Service NSW through their MyServiceNSW Account.

This personal information is then shared with the Department, who are the agency responsible for delivering and administering the program.

Seniors Card only collects personal information that is necessary for the Department to perform its functions and will only use or disclose this information for the purposes for which it was provided. These include providing a person with their Seniors Card, annual Discount Directory, mail outs and information about activities for members. Seniors Card may also survey some members in order to improve our services.

The personal information the Department collects and holds about individuals includes information they provide when they apply for a Seniors Card or complete an online form on the Departments website. This will include a person’s name, address, date of birth and contact details.

The only personal information which the Department collects about individuals who use its website is what the person tells us about themselves, for example, by completing an online form or by sending us an email. The Department will record an individual’s email address when they send the Department an email.


Seniors Card may use a persons information to:

  • Assess information about eligibility for a Seniors Card under the Terms and Conditions. This may include verifying an individuals’ identity by comparing the personal information supplied with other information Service NSW holds about that person, like their driver’s license.
  • Provide a person with a Seniors Card, annual Discount Directory and information about the program, by mail to a person’s address or email.
  • If a person opts in, to provide that person with information about activities for members, ongoing discounts and offers available to Seniors Card holders, by mail to their address or email.
  • If a person chooses to provide additional demographic information (language spoken at home, gender, pension status, Aboriginal and/or Torres Strait Islander status), this will be used for the sole purpose of personalising the information we send that person about activities, discounts and offers. It is not mandatory to provide this information to receive a Seniors Card.
  • From time to time, ask if a person if they wish to participate in a survey in order to improve the Departments services.


Seniors Card only uses or discloses an individuals personal information for the purpose for which a person provided it to the Department, unless:

  • The Department has the person’s consent to use or disclose their information for that different purpose
  • it is required or authorised by law
  • it meets an exemption or exception under the PPIP Act.


All requests for access to an individual’s personal information will be processed by our Seniors Card team at

Contracted Service Providers

The Department may provide a person’s personal information to external service providers who are contracted by the Department to perform certain functions necessary to the program on behalf of the Department, for example information technology services, mail house services and our call centre.

External service providers to whom the Department outsources these functions must sign a confidentiality agreement that prevents them from using a persons’ details for any other purpose.

Disability Services



The Community Justice Program (CJP) is a community forensic disability service. Individuals with an intellectual disability join the program after exiting a correctional facility. Personal Information of CJP participants is collected following a referral to the intake team where information is collected from the individual or, if the individual lacks capacity, from an authorised representative.


The Department uses the personal information of participants to deliver the program to participants, including case management, behaviour intervention, psychological therapy, drop-in support and accommodation services.


In administering programs such as the Integration Support Program (ISP), routine disclosure takes place between Ageing Disability and Home Care, NSW Health and Housing NSW in order to facilitate the multi-agency program which aims to assist participants who have complex needs and barriers to accessing coordinated services. Consent is sought from participants for this disclosure to take place as part of taking part in the program.

Contracted service providers

Many of the Department’s disability services including the CJP are delivered by non-government organisations contracted by the Department to deliver these services. 

NSW Companion Card

Other relevant pieces of privacy legislation or privacy instruments


Information is collected directly from applicants or authorised third parties.


The Department  only uses or discloses this information for the purposes for which it was provided. These include providing a person with their Companion Card, re-issued Companion Card, direct correspondence relating to their application and updates and newsletters. Companion Card may also survey some members in order to improve our services.


Personal information may also be disclosed to the NSW Registry of Births Deaths and Marriages to ensure cards are valid and issued to recipients with an entitlement

Restrictive Practices Authorisation

Other relevant pieces of privacy legislation or privacy instruments

  • Under the NDIS Quality and Safeguarding Framework 2016, states and territories have responsibility for the authorisation of regulated restrictive practices.
  • The NSW Government’s responsibility to regulate restrictive practices is set out in the Bilateral Agreement between the Commonwealth of Australia and the State of NSW. This is administered by the Department.


The Department provides an online portal, known as the ‘NSW Restrictive Practices Authorisation System’, which is used by service providers to record information about NDIS participants who access their services and who are subject to restrictive practices. Sensitive health and personal information, including support plans, and other medical records are uploaded by service providers to the portal as the first step in a service provider applying for restrictive practices to be applied to their client.

The Department does not collect this information directly from the client.

In responding to enquiries, the Department will sometimes collect client information from the service provider by email or phone where the Department is assisting with the upload of documents to the portal, confirming details already contained in the portal or providing guidance on NSW Restrictive Practices Policy.

The purpose of collection is to centrally record the use of restrictive practices in NSW for compliance and oversight purposes.


While the service provider is responsible for the application for restrictive practices, where requested by the service provider, the Department may assist the service provider to allocate an Independent Specialist to form part of the Restrictive Practices Authorisation Panel.

The Department’s Independent Specialist (IS) provide expert advice to the NDIS Service Providers to inform decisions about the inclusion of restrictive practices in people’s Behaviour Support Plans. This expert advice is provided during RPA Panels, following review of an RPA application and other associated documents. The Department’s IS’s are funded by the Department and are selected using a tender process.

The Department also uses information collected on the portal to assist the service provider with any enquiries regarding the requirements of an application, NSW Policy and Procedure regarding Restrictive Practices Authorisation and use of the portal generally. To prevent delay and cost in the Application process, the Department also performs high level checks to ensure all required documentation has been uploaded prior to the formation of the Panel.

The Panel, made up of the Independent Specialist, a senior staff member from the service provider, the client and a behaviour support practitioner,  use the information in the portal to decide on whether to approve the application for Restrictive Practices. 

Service providers seek written or verbal consent from clients or their guardian to share their personal information at a RPA panel.  In addition, consent is obtained from the participant or guardian to implement any authorised restrictive practices. Responsibility for seeking consent sits with the service provider. 

Storage and Security

The Central Restrictive Practices Team uses a portal known as the NSW Restrictive Practices (RPA) System, to collect and store personal and health information. The portal is specifically designed to host this information under the Restrictive Practices Authorisation.

Given the sensitivity of the information, the NSW RPA System is designated as “OFFICIAL: Sensitive- Health Information.” 


NDIS Service Providers who use the NSW RPA System are able download reports related to the data they have entered on behalf of their clients.

Contracted Service Providers

Dialog Information Technology (Dialog) host and provide support services for the NSW RPA System. A security assessment forms part of the contract between the Department and Dialog.

Housing Services

Housing and Homelessness

Other relevant pieces of legislation or privacy instruments

  • Privacy Code of Practice: Department of Housing
  • Housing Act


If a person is a Departmental Housing client or has engaged with a Departmental Housing service, the Department may have collected the following information about them:

  • Basic personal details (name, date of birth, address, phone number, email address);
  • Their income or benefits;
  • Their Housing History;
  • Any relevant health conditions they may have that affect their Housing needs; and
  • Who they live with

This information may be collected a number of different ways:

  • Information the Department collects about a person if they visit a Housing office or speak to the Department on the phone about their Housing matter or make an enquiry about Housing
  • Information a person provides to the Department by filling out a Housing form – for example an Application for Housing Assistance, Application for Additional Occupant and Rent Subsidy Application etc;
  • correspondence – emails or letters a person has sent the Department or someone has sent on their behalf, complaints, maintenance requests, forms and applications they have submitted;
  • Information collected by the Housing Contact Centre
  • information of clients receiving a Bond Loan;
  • the NSW Housing Register and public housing tenancy information


Housing uses information about its tenants or applicants for ‘directly related’ purposes such as:

  • the conduct of surveys to monitor client satisfaction
  • to train employees
  • where it is reasonably necessary for funding, planning or evaluating the provision of a service.


Housing NSW is a central point of contact for:

  • The NSW Police Force in relation to information sharing under Section 71 of the Housing Act 2001and the
  • Non-government organisations including Legal Aid and the NSW Trustee and Guardian where client consent has been provided 

The Department shares information with the NSW Police Force via the Memorandum of Understanding. Legislation that governs this information sharing includes the Housing Act 2001, the Child and Young Persons (Care and Protection) Act 1998 and Crimes (Domestic and Personal Violence) Act 2007.

Along with the NSW Police Force and Corrective Service NSW, the Department shares information in order to provide appropriate housing assistance to a registrable person. Legislation that governs this information sharing includes Chapter 16A of the Children’s and Young Persons Care and Protection Act 1998 and Sections 19BA and 21E of the Child Protection (Offender Registration) Act 2000.  The Guidelines for the Housing of Registrable Persons outlines the arrangements between each organisation in relation to exchanging information on registrable persons seeking housing assistance.

Housing also routinely makes disclosures to:

  • The Aboriginal Housing Office (‘AHO’
  • Land and Housing Corporation (‘LAHC’)

Both LAHC and AHO form part of the Department of Planning and Environment. In certain circumstances, disclosures to the LAHC and AHO are lawful under the Housing Act to allow the Department to disclose information to these agencies to support their functions under the Housing Act. Disclosures are made to pass relevant enquiries on to LAHC and AHO, which fall within the section 27A exemption of the PPIP Act.

The Department is also bound to the Commonwealth’s Centrelink Confirmation eServices (CCeS) policy in disclosing personal information about its clients or tenants, where the person has consented to that disclosure. The CCeS policy operates within the legislative requirements of the confidentiality provisions contained in various pieces of legislation administered by Centrelink, for example the Social Security (Administration) Act 1999 and the A New Family (Family Assistance) (Administration) Act 1999, as well as the Privacy Act 1988.

The Department’s Housing sometimes discloses personal and health information to the NSW Police, independent investigative bodies such as the NSW Ombudsman, or other “prescribed bodies” where permitted or required by other Acts, including:

  • Housing Act 2001
  • Children and Young Persons (Care and Protection) Act 1998,
  • Ombudsman Act 1974
  • Coroners Act 2009.   

Storage and Security

The Department uses a number of systems and databases to records and store personal and health information collected from our clients.

Across the Department OneTRIM, a secure document management system is used to securely store client information.

Housing uses an additional database, HOMES, to record and store profiles of Housing clients.


Housing clients can access their personal information through a number of means:

  • By contacting a Housing Office;
  • Through an application under the Government Information (Public Access) Act 2009.

Contracted service Providers

Community housing providers (‘CHPs’) that partner with the Department to deliver or facilitate access to housing assistance products and services must first demonstrate a mandated level of competency and knowledge before being granted read/write access to the Department’s record management systems.

CHPs operate under the same policies and procedures as the Department for these business related functions, and are informed of and have access to the Department’s privacy, information sharing and security related policies.

CHP’s have access to the Department’s databases including the HOMES database to synchronise service delivery between the Department and the CHPs, to ensure data security and to implement the Department’s “no wrong doors” policy in the Housing space, being that a client can access services no matter what area they contact. 

Boarding House Team

The Department’s Boarding Houses Team (BHT) collects Screening Tool of Entry into Assisted Boarding Houses assessments. The assessments are conducted by Australian Unity and provided by email to the BHT in accordance with their funding contract. Screening Tool assessments are a requirement of Clause 14 of the Boarding Houses Regulation 2013.  

Boarding House Enforcement Officers may need to request information from the NSW Police Force regarding police attendance at an Assisted Boarding House if they believe the manager of the boarding house may be in breach of the Boarding House Regulation and the Act by failing to report the police attendance to FACS. A protocol for this is in place. This information may include:

  • date of incident
  • full name of resident/s involved in the incident
  • reason for the attendance of the police
  • outcome of police attendance
  • NSW Police Force ‘COPS’ Event number.

Section 24 of the PPIP Act states that an investigative agency is not required to comply with sections 18 or 19(1) of the PPIP Act if the information concerned is disclosed to another investigative agency. The Department’s BHT meets the definition of an ‘investigative agency’ under the PPIP Act as it is a public sector agency with investigative functions that are exercisable under the authority of an Act, and the exercise of the functions may result in the Department taking or instituting proceedings against a person or body under investigation.

Boarding House Enforcement Officers may also need to make enquiries to establish the needs of a particular person if they are investigating whether any premises are an unauthorised assisted boarding house as defined under section 41 of the Boarding Houses Act 2012. In addition, these officers may also need to disclose information about people banned from a particular premise to the tenants so that the tenants are able to determine who may not enter the premises.

The information collected above is not otherwise disclosed unless there is a legal requirement to do so from another organisation or with legal authority, for example, the NSW Ombudsman.  

Corrective Services NSW (CSNSW)

Other relevant pieces of legislation or privacy instruments

  • Privacy Code of Practice (General) 2003 – Part 5
    This Code varies the effect of the IPPs in certain circumstances in the course of CSNSW’s supervision of inmates. This includes how information is collected, used and disclosed
  • Crimes (Administration of Sentences) Act
  • Crimes (Administration of Sentences) Regulations


Who the Department collects information from:

  • From Courts;
  • From NSWPF;
  • From Correctional Services in other states;
  • From you directly;
  • From your family;
  • From NSWPF;
  • From Justice Health.

What information the Department collects:

  • Personal information (names, date of birth, address);
  • Criminal history;
  • Psychological information;
  • Intelligence or information for law enforcement purposes;
  • Health information.

Where the Department holds information:

  • Custodial records such as case notes, case management files, warrant files;
  • Community Corrections records such as case notes, case history files, reports prepared for court proceedings.


Information may be used by CSNSW for activities such as:

  • classification, placement and designation purposes
  • visits and telephone call purposes
  • intelligence gathering
  • processing of applications and inmate requests
  • inquiry and complaint handling
  • Corrective Services Industries employment purposes
  • operation of specialist programs such as drug and alcohol programs, education and vocational training programs
  • provision of health services, such as psychology
  • assessment (including pre-sentence reports) and case management in correctional facilities and in the community
  • administration of custodial and community sentences
  • providing access to accredited chaplains and arranging participation in religious observances
  • maintaining safe and secure facilities under the control of CSNSW
  • law enforcement
  • preparation of reports for bodies such as the NSW State Parole Authority (SPA) and the Serious Offenders Review Council (SORC)
  • investigations
  • processing requests and complaints of individuals and organisations
  • restorative justice programs including victim-offender conferencing and mediation, and
  • research, evaluation and statistics.
  • security screening such as x-ray body scanning
  • in-cell and portable tablet devices
  • visits and telephone call purposes should be extended to include audio visual link (AVL)
  • informing public health responses.


CSNSW routinely discloses information regarding inmates or individuals subject to supervision by Community Corrections to:

  • Justice Health
  • Correctives agencies of other states and territories.

This is in accordance with the Part 5 of the Privacy Code (General) 2003, the law enforcement exemption at section 23 of the PIPP Act, the exemption at section 25 of the PIPP Act or one of the exceptions at section 18 of the PIPP Act. Where the information is health information, in accordance with one of the exceptions at clause 11(1) of Schedule 1 of the HRIP Act or the exemption at clause 11(2).

CSNSW has a temporary declaration of the Commonwealth Parliament, making it an ‘enforcement agency’ for the purposes of the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act).  This declaration is temporary, pending amendment of the TIA to make this permanent.

Storage and Security

CSNSW uses a number of systems and databases to record and store personal and health information collected from our clients.

Across the Department OneTRIM, a secure document management system is used to securely store client information. CSNSW uses a version of TRIM known as EDRMS.

Due to the nature of the custodial environment, a number of CSNSW records and documents are kept as a physical hard copy. These records are stored securely at the correctional centre where they can be accessed for filing or review by correctional officers. Once an inmate leaves custody, these hardcopy documents are archived and stored in accordance with the State Records Act.

CSNSW uses an additional database, the Offender Integrated Management System (‘OIMS’). OIMS is used by the different business units of CSNSW to record details about offenders and inmates such as case notes, incidents, programs and services or employment of inmates, to record and store profiles for our Housing clients.


Individuals who have or have had contact with CSNSW can access their personal information through a number of means:

  • If they are in custody, by submitting an inmate request form to gain access to their personal information;
  • By requesting access through their Community Corrections Office; 
  • Through an application under the Government Information (Public Access) Act 2009.

Contracted Service providers

Private correctional centres

“Managed correctional centre” as defined under the Crimes (Administration of Sentences) Act 1999 (CAS Act) means “a correctional centre that is for the time being managed under a management agreement”—with Management Agreements referred to in section 238 of the CAS Act.

  • Each Management Agreement requires that the management company:
    • not (and must ensure that its subcontractors and associates do not) collect any Personal Information except in accordance with the service specifications and all Laws and Policies;
    • not disclose any Personal Information to any person other than as is necessary to provide the Services or to comply with Laws, and then only in accordance with the service specifications, all Laws and Policies; and
    • keep available to the State on request, records detailing the recipient of any Personal Information that the management company its subcontractor or associate has disclosed, the date of disclosure and the Personal Information that has been disclosed.

NSW Courts and Tribunals (CTSD)

Other relevant pieces of privacy legislation or privacy instruments

  • According to section 6 of the PPIP Act, nothing in the PPIP Act affects the way a court or tribunal exercises the court, tribunal or judicial functions.

Under the Electronic Transactions Act 2000, any information contained in an Electronic Court Management system is taken to relate to a court's judicial functions and therefore also exempt under section 6 of the PPIP Act.


Both personal and health information can be collected and received by courts for the purpose of facilitating court proceedings. Information can be held by a court in paper-based and/or digital formats. 


The use of some information within CTSD is not subject to the PIPP Act or HRIP Act, as the information relates to the “judicial functions” of a court or tribunal.

Each court or tribunal is founded based on legislation and has specific legal and administrative matters over which it has authority or jurisdiction.


Access to digital records held by courts are provided to other government agencies that have a shared need to access information relating to court proceedings.  Those agencies include:

  • NSW Police Force
  • NSW Bureau of Crime of Statistics and Research
  • NSW Corrective Services
  • Youth Justice NSW
  • Office of the Director of Public Prosecutions
  • Legal Aid NSW
  • Roads and Maritime Services
  • Revenue NSW
  • Department of Communities and Justice

Access to digital information relating to court proceedings is provided to those agencies through a secure portal called Common Information Model (CIM) that each agency can subscribe to and access the information relevant to their agency’s business.  

Storage and Security

Information held in paper-based formats are held securely in court premises or transferred to a government records repository. Digital records can be held in various databases including the JusticeLink database (primary courts database), JudCom and Phoenix.  Access to those databases is restricted to employees with a legitimate business reason for accessing the information held. The log-in procedure for the JusticeLink database requires officers to agree to the terms of use in accordance with the Departments Code of Conduct each time they access the database.

Paper-based administrative records relevant to court or tribunal proceedings containing personal and health information, for example, applications to postpone, waive or remit court fees, are stored separately from court proceeding documents until they no longer serve any business purpose in accordance with the General Disposal Authority GDA 28, and later securely destroyed.

Courts can also direct that certain records be sealed; those records may then only be accessed by a judicial officer or other person ordered as having permission to access. Sealed records may be retained in sealed envelopes on the court file or can be removed and held in a secure location within a court registry.

Approved credit agencies are provided information about civil judgments as permitted by court rules. This includes personal information that identifies a person against whom a judgment has been made. This information is provided to four companies Equifax (previously known as Veda) and Illion (previously known as Dunn and Bradstreet), Experian and CreditorWatch. The operation of section 27C of the PPIP Act exempts a court from complying with sections 17 (use) and 18 (disclosure) of the PPIP Act relating to using and where necessary, disclosing information to a credit reporting body and further sets out retention periods of between 2 and 5 years for information disclosed.


If a person is a party to proceedings, most courts will allow access to Court information through a request to the relevant Court Registry, depending on the information requested.

Contracted Service Providers

Personal and health information may be provided to and received from contracted service providers for the purpose of preparing reports to courts or supporting persons attending court.  These include health services and non-government organisations such as Domestic Violence Court Advocacy Services. Access to those records is managed in accordance with legislation governing access to court records.



Other relevant pieces of privacy legislation or privacy instruments

  • Privacy Code of Practice: Bureau of Crime Statistics and Research


BOCSAR collects information from Police, Courts, Corrective Services, Youth Justice and the NSW Registry of Birth Deaths and Marriages. Personal information is used for demographic breakdowns (age, address etc) as well as linking individuals between data collections (e.g. name, date of birth) when creating the Reoffending Database and now the Linked Data Asset. Additionally, BOCSAR’s Criminal Courts collection counting unit reports on ‘finalised defendant information’ (court information) so personal information such as a person’s name is used to link records within the collection.


BOCSAR’s 'unit record data' is used at the lowest level in BOCSAR to evaluate government policies, report performance against government targets such as the Premier's Priority to reduce reoffending and specifically domestic violence reoffending, publish statistical reports etc.  Often, even internal uses of unit record data is conducted on de-identified personal information, therefore, in most cases, the PPIP Act will not apply to these uses.


Unit record data is only ever presented externally in an aggregate de-identified format, therefore, as the information is no longer “personal information” or “health information”, the PPIP Act and HRIP Act will not apply.

BOCSAR’s deidentified data may also be made available to external bona fide researchers on request and according to strict conditions. BOCSAR data is never used for operational purposes. It is contrary to the conditions in the Privacy Code of Practice: Bureau of Crime and Statistics and Research for this data to be used for anything other than research.


Various parts of the Department may collect, use and/or disclosure of personal information for research purposes in the public interest and report on such research publicly in a de-identified and/or aggregate way.

Section 27B of the PPIP Act provides the Department is not required to comply with the IPPs with respect to the collection, use or disclosure of personal information if the collection, use or disclosure of the information is reasonably necessary for the purpose of research, or the compilation or analysis of statistics, in the public interest. When doing so, the Department must take reasonable steps to de-identify the information or where the information cannot be de-identified, the information is not to be published in a publicly available publication. The collection, use or disclosure of the information under section 27B of PPIP must be done in accordance with the Section 27B Statutory Guideline issued by the Privacy Commissioner.

BOCSAR does not release unit record information with personal details. The exception is research requests with ethics approval for example where a cohort of data including names may be provided to BOCSAR for matching against the Reoffending Database (ROD) and the ROD data is provided back to the researcher along with the names from the original cohort. Another example is the crime victim file which will be provided to the Commonwealth government to build the National Disability Data Asset – this file will include names for adults, but Statistical Linkage Key (SLK) for Youth.

Contracted Service Providers

BOCSAR uses a Statistical Linkage Key when providing criminal court unit record level data to the Australia Bureau of Statistics.

Family and Community Services Insights Analysis and Research (FACSIAR)


FACSIAR information is collected as part of the Departments administrative functions in providing services and supports to its clients.

FACSIAR (via I-view, an external data collection agency) undertakes direct data collection as part of the Pathways of Care Longitudinal Study: Outcomes of Children and Young People in Out-of-Home Care (the POCLS). Information was collected about a cohort of children and young people who entered care for the first time between May 2010 and October 2011. Information is collected from children and young people, care givers, teachers and caseworkers. The overall aim of this study is to collect detailed information about the life course development of children who enter OOHC for the first time and the factors that influence their development in order to enable the Department to improve its service delivery in the OOHC space.

The POCLS has ethics approval from the University of NSW Human Research Ethics Committee (approval number HC10335 & HC16542), Aboriginal Health and Medical Research Council of NSW Ethics Committee (approval number 766/10), NSW Department of Education and Communities State Education Research Approval Process (SERAP, approval number 2012250), and the NSW Population & Health Services Research Ethics Committee (Ref: HREC/14/CIPHS/74 Cancer Institute NSW: 2014/12/570).


Unit record data is used within FACSIAR to:

  • undertake research and analysis
  • evaluate government policies and programs
  • report performance against government targets such as the Premier’s Priorities and State Outcomes
  • undertake annual and national reporting.

Unit record data is predominantly used in a de-identified form, therefore, as the information is no longer “personal information” or “health information”, the PPIP Act and HRIP Act will not apply.


Unit record data is only ever presented externally in an aggregate de-identified format, therefore, as the information is no longer “personal information” or “health information”, the PPIP Act and HRIP Act will not apply.

Administrative unit record data may be made available to external researchers on request and under the following strict conditions:

  • that the release must be governed by a signed agreement
  • a risk assessment is conducted by Information Security to ensure that data/information will be managed appropriately
  • there must be a legal basis for releasing the information and there are no identified privacy issues
  • approval must be sought from the Department’s Data Custodian.

Storage and Security

The POCLS de-identified data is stored within the Secure Unified Research Environment (SURE) at the SAX Institute. Access to this information is governed by the ethics approvals and a signed Service Level Agreement.

Children and young people

Inclusion and Early Intervention

Other relevant pieces of privacy legislation or privacy instruments

  • Children and Young Persons (Care and Protection) Act 1998


The Department’s Inclusion and Early Intervention functions are predominantly delivered by Targeted Earlier Intervention Programs (TEI), often run by the Department’s contracted service providers.

TEI service providers collect data through a Data Exchange. This collection can only occur with a client’s consent. Collection may include the following personal information:

  • ·first name;
  • last name;
  • street-level address.

This consent only applies to personal information. If a client does not consent, the collection of other information about the client which does not identify them can still occur (e.g. gender, date of birth, cultural background, client outcome and satisfaction information).


The Department of Social Services (DSS) and the Department use this information in a de-identified form, therefore the PPIP act and HRIP Act do not apply. This means that these agencies cannot see a client’s personal information.

  • DSS uses this de-identified data stored in the Data Exchange for policy development, grants program administration, and research and evaluation. This includes producing reports for other organisations. They may link this information with other data sources (e.g. data collected from other government departments);
  • The Department will use the data to monitor a service provider’s performance and ensure they adhere to their contract. The data is used to ensure service levels are reached and client outcomes are achieved;
  • The Department will also use the data to evaluate early intervention programs. When the Department evaluates the early intervention programs they are only interested in aggregated data. No results for individual clients will be reported;
  • client data can be linked to other datasets, including Commonwealth datasets and NSW Government datasets. When this occurs all the data is de-identified.


All information collected in the TEI Data Exchange is used in an aggregate, de-identified manner and therefore is not governed by the PPIP Act as it is not considered to be personal information.

Storage and Security

Service providers must report data in an IT system called the Data Exchange. This system is hosted by the Australian Government Department of Social Services (DSS). Where an organisation stores personal information in the Data Exchange, only they can access the personal information. Strict IT security protocols prevent DSS employees from accessing personal information for any purpose other than confirming that the privacy protocols are working correctly. Storage in the Data Exchange is protected by the following:

  • when personal information is stored in the Data Exchange, only the organisation has access to it. Strict IT security protocols prevent staff from accessing personal information for any purpose other than confirming that the privacy protocols are working;
  • information stored in the Data Exchange is de-identified. De-identification means removing all identifying information so a person’s identity can no longer be ‘worked out’;
  • the Data Exchange de-identifies client data through a Statistical Linkage Key (SLK) and data aggregation. Data is presented in a summarised format, rather than on a record-by-record basis.

Contracted Service Providers

The Inclusion and Early Intervention Unit oversees several programs and do not generally collect or store client personal information. This information is handled by program funded service providers, for example the Targeted Earlier Intervention (TEI) Program. Privacy obligations are imposed on funded service providers via their contract with the Department - the Human Services Agreement (HSA) Standard Terms. The HSA stipulates that -funded service providers must comply with privacy legislation PPIP Act, HRIP Act and the Commonwealth Privacy Act 1988.

Youth Justice

Other relevant pieces of privacy legislation or privacy instruments

  • Youth Justice operates under the Children (Detention Centres) Act 1987, the , the Young Offenders Act 1997 and the Children (Interstate Transfer of Offenders) Act 1988.
  • Public Interest Directions for the Human Services Dataset

Youth Justice’s Research and Information Unit relies on the Public Interest Directions as they permit Youth Justice (as Participating Agency) “to disclose Tier One Data relating to persons in the Project Cohort, or which is reasonably relevant to the Project, to the Data Linkage Centre” (7.1) and periodically update this information (19). It also provides details around the process of providing Tier One data to the Data Linkage Centre (16-20) and limits who can collect and disclose the required information (29).

  • Privacy Code of Practice for the exchange of information by participating agencies in the Youth on Track scheme
  • Health Privacy Code of Practice for the exchange of information by participating agencies in the Youth on Track scheme


Youth Justice deals with sensitive information relating to children, young people and their families. Youth Justice collects information on children, young people and their families in contact with Youth Justice for a range of reasons including to provide effective support and supervision, to determine eligibility for programs, to identify types and levels of need and appropriate service responses, reporting, program monitoring, quality improvement processes, program reviews and evaluations.


Youth Justice is committed to seeking the consent and / or informing the young person of a request for their personal information wherever this is reasonably possible, even in circumstances where the legislation allows the sharing of information without consent. 

Contracted Service Providers

The Youth on Track program has Privacy, Confidentiality and Managing Disclosures Guidelines that provide a clear framework for staff for the use and disclosure of personal information and health information that is consistent with legal and policy requirements.

These guidelines set out how Youth on Track service providers are required to comply with the PPIP Act and HRIP Act regarding the collection and management of information. 

Child protection

Other relevant pieces of privacy legislation or privacy instruments

  • ·Children and Young Persons (Care and Protection) Act 1998


Information is collected from members of the public, other government agencies or service providers, directly from families or through the ChildStory Reporter website or calls made to the Child Protection hotline.


Caseworkers employed by the Department use information obtained in connection with the Department’s child protection functions to assess whether to use the Secretary’s authority under the Children and Young Persons (Care and Protection) Act 1998, and if so, what level of intervention is required.

Personal information is used to perform a range of the Department’s functions under the Children and Young Persons (Care and Protection) Act 1998.


The Department cannot be compelled to disclose any information, including in response to a subpoena or summons, that would identify a reporter except in very limited circumstances. The Department takes the protection of reporter identities very seriously.

The Department routinely discloses information regarding the protection and welfare of children under the provisions of Chapter 16A with other “prescribed bodies”. These provisions are discussed more below.

The Department is also permitted to disclose information under the Children and Young Persons (Care and Protection) Act 1998 with different individuals, such as parents, families and carers where permitted by the Act.

The Department may be required to share personal information with statutory bodies such as the NSW Ombudsman, Children’s Guardian, Children’s Court, NSW Police and the Coroner’s Court and this is only done in strict accordance with legislation.

Storage and Security

Child protection information is predominantly stored in the Department’s purpose built secure database ChildStory. Personal information may also be stored in securely paper files or on the Department’s database OneTRIM.

All Department staff must undergo stringent checks including criminal history checks and working with children checks and also must complete mandatory training before being given access to ChildStory. As part of this, staff must read and accept the data privacy statement, which details that personal information held by the Department must be handled in accordance with NSW privacy legislation.

Contracted Service Providers

Contractors and NGOs play an important role in delivering the Department’s child protection functions. Staff providing child protection services on behalf of the Department employed by a contracted service provider may be given ChildStory Partner access to carry out their functions on behalf of the Department.  

Contracted service providers are bound to comply with NSW privacy legislation when performing functions on behalf of the Department under the Children and Young Persons (Care and Protection) Act 1998.

Family Finding

Other relevant pieces of privacy legislation or privacy instruments

  • Children and Young Persons (Care and Protection) Act 1998
  • Community Welfare Act 1987


The family preservation system is a program that has been recommissioned to bring all family services in the Department under one umbrella.

The new single integrated system will have three program streams: family preservation, intensive family preservation and Aboriginal family preservation.

This program, in the first stage of its recommissioning (2020-2024) will develop a minimum data set and work with contracted service providers to begin collecting data from families for example parental risk factors, demographic data, family size, ROSH reports and so on.

The collection of information by contracted service providers must be collected lawfully and where possible directly from the person.

The second stage of the recommissioning process will include opportunities to develop and implement a standardised mechanism to collect client outcomes data across all family preservation programs. This will help assess the effectiveness of services and will support the integration of lessons learned from new trial programs into the new single program structure.


Personal information cannot be used for anything not relevant to the delivery of a service such as advertising, research or marketing. However, information can be used for program or service analysis and internal reporting.


Because each of these services is contracted, it is important to explain that the Department has an immediate right of access to the following information:

  • Information that relates directly to the performance of the services provided by the Department;
  • Information collected by the service provider from members of the public where they provide, or offer to provide services;
  • Information received from the Department to enable a provider to provide services in accordance with your contract.

The Department’s immediate right of access is required to meet its legislative obligations under the Government Information (Public Access) Act 2009 (GIPA Act).

Contracted Service Providers

Some of the Department’s programs that use family finding are delivered by contracted service providers.

Chapter 16A of the Children and Young Persons (Care and Protection) Act 1998

Other relevant pieces of privacy legislation or privacy instruments

  • Children and Young Persons (Care and Protection) Act 1998

Chapter 16A of the Children and Young Persons (Care and Protection) Act 1998 (the Care Act) makes provisions for the sharing of information between prescribed bodies where the information relates to the safety, welfare and wellbeing of a child (a person under 16 years of age) or a young person (a person 16 or 17 years of age).


The Department is not required to comply with the disclosure or collection IPPs in the PPIP Act in sections 9, 10, 13, 14, 15, 17, 18 or 19 when carrying out its functions in accordance with Chapter 16A. This is because section 25 provides an exemption from compliance with those sections that where another act lawfully authorises or contemplates non-compliance. Further, section 245H of the Care Act explicitly states that no other law that restricts the disclosure of information overrides the provisions of Chapter 16A.


  • The information under Chapter 16A can be used to: make a decision, assessment or plan; initiate or conduct an investigation; or provide a service or manage a risk that might arise in the recipient’s capacity as an employer or designated agency in relation to the safety, welfare or wellbeing of a child or young person.
  • The Department cannot use information that does not relate to the safety, welfare or wellbeing of a child or young person unless there is another lawful purpose for its use.


  • The information under section 16A can be shared with other prescribed bodies who require the information in order to: make a decision, assessment or plan; initiate or conduct an investigation; provide a service; or manage a risk that might arise in the recipient’s capacity as an employer or designated agency in relation to the safety, welfare or wellbeing of a child, young person;
  • Prescribed bodies can provide information to another prescribed body (with or without a request) that relates the safety, welfare or wellbeing of a child or young person (or class of children or young persons) if the provider reasonably believes that the provision of the information would assist the agency receiving the information to:
    • make any decision, assessment or plan or to initiate or conduct any investigation, or to provide any service, relating to the safety, welfare or wellbeing of the child or young person (or class of children and young people); or
    • to manage any risk to a child or young person (or class of children and young people) that may arise in the recipient’s capacity as an employer or designated agency.
  • Before disclosing information, consideration is given as to whether the child/young person or parent/carer consented to or was informed of the initial exchange of information and whether they should consent to or be informed of the proposed provision to another prescribed body.

Storage and security

A written record of exchanges of information under Chapter 16A is required to be made and stored in a way that is consistent with the existing legislation (including the State Records Act 1998, Privacy and Personal Information Protection Act 1998 and the Health Records and Information Protection Act 2002).

Internal Departmental Services

Ministerial and Parliamentary Services (MAPS)


MAPS does not collect generally personal information, however requests for information received from Office of the Secretary and Stronger Communities Cluster Ministers’ offices are generally registered by MAPS in the Department’s electronic record management systems for the purpose of the Department assisting in the formulation of a response.  

Personal information may also from time to time pass through in the form of Cabinet and Executive Council minutes.


Correspondence received and registered by MAPS is allocated to specific business units to prepare Ministerial responses and/or briefing advice. In these cases, the use of this information is consistent with the purpose for which it was collected.

This use is directly related to the purpose of collection, being to respond to an enquiry, complaint or request for assistance received through correspondence to the Ministers or in a request from the NSW Parliament.


The Department may disclose personal information to other public sector agencies under the administration of the same Ministers for the purposes of informing that Minister about any matter within that administration.

The Department therefore will on occasion, disclose personal information to another agency or to the Minister’s office for the purpose of enabling responses to inquiries received by the Minister or to advise the Minister on issues under their administration.

Such disclosures are exempt from the IPP relating to disclosure because of the exemption in section 27A of the PIPP Act and or the exemption at section 28(3) of the PPIP Act.

Strategic Finance and Procurement (SFP)


For procurement activities, SFP collects personal and commercial information generally through agreed data requests associated with tender information, as well as personal information of members of tender evaluation panels who are required to provide personal information to manage any conflict of interest.

Across the Department, numerous divisions receive payment card data from the public which by its nature is personal information. In processing card payments, the Department applies Payment Card Industry Data Security Standards (PCIDSS), a set of comprehensive requirements for enhancing payment account data security and forms industry best practice for any entity that stores, processes and/or transmits cardholder data.


SPF manage and deliver financial services and reporting. SPF regularly accesses human resources related and summary data including personal information of Departmental employees via reporting or online data produced by Enterprise Resource Planning (ER) systems. Information gathered is obtained through specific requests for the purposes of enabling employees and vendor payments to be processed, financial statements and reports to be prepared and financial analysis and audits to be undertaken, including analysis of abnormal or significant transactions. Information may be provided to the Secretary and Audit and the Risk Committee.

Storage and Security

All personal information is stored within secure corporate record management systems with access restricted to authorised officers and used in-line with specific accounting standards and Treasury and Audit requirements.

Federated Analytics Platform (FAP)

The Department has implemented a Federated Analytics Platform (FAP) to meet its data analytics and reporting requirements. The FAP consolidates data from across the Department to provide an integrated view of critical information. Based on the Google Cloud Platform and supported by Collibra, the FAP consists of several feature-rich tools that unlock the potential of our data to produce deeper, more meaningful insights which supports and drives Department’s business decisions.

The FAP provides a secure environment for periodic and ad hoc analysis of data to support the Department in:

  • development of a single view of clients for purposes of planning and delivering coordinated and targeted programs and services to clients and client groups;
  • identification of systemic issues and solutions to inform policy making and program and service planning;
  • resource planning;
  • corporate performance reporting;
  • costing and evaluation of programs and services; and
  • providing secure access to a controlled environment for research.


Data on the FAP is collected by the Department’s divisions and business units as part of their ongoing functions. Data, including non-personal information is also collected from third parties, such as other individuals, other NSW government agencies, non-government organisations (NGOs) providing contracted services to clients on behalf of the Department and agencies in other jurisdictions.

The data includes human resources data, financial information, geospatial information and asset information. The data also includes personal and health information which is collected and used for policy making, program and service planning, service delivery, monitoring and reporting, program and service evaluation and research.

Additionally, the Department collects information relating to its client groups from data sets maintained by research bodies. Generally, this data is de-identified and/or in aggregate form.

Where possible, the Department ingests and uses de-identified data in the FAP for data analytics to minimise the risk of identifying individuals for internal reporting and dashboards.


Personal and health information may be used on the FAP for analytics, data matching and data integration to support policy making, service planning and delivery of targeted services to meet client needs. This specifically includes the following analytics:

  • on personal and health information to identify issues and solutions regarding policy making, program management and service planning and delivery;
  • on personal and health information for the purposes of determining which programs, services and types of support clients are receiving and which programs, services and support might be appropriate for them;
  • using information from a range of sources, such as information collected from third parties (such as other agencies with the Department, NSW government agencies, non-government service providers); and
  • for anticipated secondary purposes (for example, that personal information may be subject to data analytics which seeks to determine the cost and effectiveness of services delivered to clients or the benefits of programs and services.

Generally, a ‘use’ of information contained within the FAP will be for a purpose directly related to the collection of the personal information, that is a ‘use’ within the same ‘domain,’ Examples of a ‘domain’ are the divisions within the Department, for example Housing and Child Protection.

Information is de-identified before it is used across different domains. As the personal information in this case has been de-identified, the PPIP Act and HRIP Act do not apply in these circumstances.


Disclosures of information arising from the FAP are generally of non-personal information, for example de-identified information including high-level statistical analysis. In the event that personal information is to be disclosed, such a disclosure is considered on a case-by case basis to ensure compliance with the PPIP Act and any other relevant governing legislation or lawful requirement.

Storage and security

Data is owned, securely stored and managed by the Department on the FAP in accordance with contractual terms between the Department and the FAP provider (Google Cloud Platform). These terms include requirements to comply with privacy and record keeping laws and to store and manage information on the FAP in Australia.

Placement, storage, use, disclosure and retention/disposal of data on the FAP is governed using the Collibra data governance tool. The tool supports management of authorisations for placement of data on the FAP, access to data on the FAP, quality of data, and use and disclosure its data.

Access to the FAP is strictly limited to those with a legitimate business need and strict requirements including a criminal history check, working with children check and completion of privacy and Cyber security training.

Contracted service provider

External service providers to whom the Department outsources any functions relating to the FAP must sign a confidentiality agreement that prevents them from using of disclosing the Department’s information for any other purpose.

Legal Services


The Department provides legal services mainly for other divisions and business units in the Department. The Department is sometimes required to correspond with and collect personal information directly from members of the public. For example, personal information may be collected in the following circumstances:

  • coronial inquests or inquiries where the Department is acting as counsel assisting the coroner;
  • applications made under the Government Information (Public Access) Act;
  • applications for internal review made under section 53 of the Privacy and Personal Information Protection Act 1998;
  • facilitating applications for Redress under the National Redress Scheme for Institutional Child Sexual Abuse Act 2018;
  • various legal applications, for example the royal prerogative of mercy, ex gratia payments, applications under the Costs in Criminal Cases Act 1967 or the Suitors’ Fund Act 1951; and
  • responding to subpoenas and summons to produce documents.

The Department will collect information regarding the above matters directly from applicants, or where relevant, from other public sector agencies or directly from the relevant court in accordance with NSW privacy legislation.


Personal information can be used to deliver legal advice to the Department, the Attorney General or to facilitate the provision of information members of the public under the Government Information (Public Access) Act.

Where information is considered for release to members of the public in response to an application for information, the information is used for the purpose for which it was collected. Where other personal information is held by the Department as part of its other functions, this information is ordinarily used and disclosed with the consent of the person, for a directly related secondary purpose to the purpose it was collected or on another lawful basis such as a subpoena or search warrant.


As a rule, internal legal advice is treated confidentially and protected from disclosure in legal proceedings by legal professional privilege, unless waived by the Department.

In responding to subpoenas and in its work with the courts, the Department routinely discloses information as compelled by subpoenas and statutory orders.

The Department will also routinely disclose information to statutory bodies such as the NSW Ombudsman, the Information and Privacy Commissioner and the Ageing and Disability Commission in accordance with relevant statute and exemptions under the privacy legislation


Human Resources (HR)

Other relevant pieces of privacy legislation or privacy instruments

·         Section 4(3) of the PPIP Act provides that information or an opinion about an individual’s suitability for appointment or employment as a public sector official is not personal information for the purposes of the PPIP Act and is not subject to the Information Protection Principles. Therefore, where relevant and required HR will use and share information internally for the purposes of assessing an individuals’ suitability for employment which includes initial employment or an internal promotion or transfer.

  • Government Sector Employment Act 2013 


For various reasons, such as leave management, workplace health and safety and operational requirements, we must collect the following information from employees to maintain employee records: 

  • documents related to recruitment processes
  • payroll, attendance and leave records including where relevant medical conditions and illnesses
  • banking details and tax file numbers for payroll functions
  • training records
  • worker’s compensation records
  • workplace health and safety records
  • records of gender, ethnicity and disability of employees for workplace adjustments and equal opportunity reporting purposes
  • next of kin and emergency contacts
  • secondary employment
  • conflicts of interests
  • Working with Children Check information
  • Criminal history check information
  • COVID Vaccination Records

This information is generally collected directly from employees and is managed in accordance with the provisions of the PPIP Act and the HRIP Act. Health information may also be collected and retained consistent with our obligations under the HRIP Act.

Information of this kind is collected from individuals engaged by the Department as contractors.


Employee and contractor personal and health information is used for Human Resources purposes, for example to manage leave, managing performance, conducting payroll and making workplace adjustments.


Employees are able to access their employee records by requesting their file directly from Payroll or under the Government Information (Public Access) Act where the information requested contains information about other individuals. 

HR - Workplace Health and Safety and Injury Management


Personal information is collected that is specific to the management of workers compensation injuries by the relevant Injury Management and Rehabilitation Co-ordinator (IMRC).


Personal/health information is used for the purposes of injury management, return to work and recover at work discussions plus general claims management. 


Information collected by the Injury Management Unit is routinely used and disclosed to key stakeholders including injured workers and their representatives for example, the Public Service Association, their solicitor, nominated treating doctors, service providers and insurer/claims manager.

Personal information is provided to the iCare appointed insurer/claims manager to assist with overall general claims management. iCare can also engage other service providers to obtain or request personal information such as independent medical examinations, factual investigations, legal referrals where an exchange of health and or personal information takes place.

All IMRCs have access to the insurer/claims manager’s Case Management system/portal as ‘view only’ and are subject to a User Declaration confirming that access is only to be used to assist in the management of workers compensation claims.

All approvals for insurer access is signed off by the Department’s Workers Compensation & Injury Management Manager who explains the terms and conditions associated with same.

Storage and Security

All information is stored securely on corporate records systems and the new Work Health and Safety injury management system ‘Safety Suite.’

Information and Digital Services (IDS)


IDS deliver technology, systems and related services to the Department and independent statutory bodies supported by IDS.

IDS do not collect personal information from members of the public. IDS collect and personal information of employees of the Department and independent statutory bodies supported by IDS which is supplied to them by the employees or others or available to them by virtue of appropriate levels of IT accesses.


Personal information of Departmental employees and officers of independent statutory bodies is used by IDS to provide information and digital support services.


Other relevant pieces of legislation

  • Work Health and Safety Act 2011
  • Workplace Surveillance Act 2005
  • Surveillance Devices Act 2008


The Telematics system is a GPS tracking system which electronically identifies and continuously records a driver's trip aimed to keep employees safe. Telematics devices will collect data on driver actions and vehicle usage, which includes employee personal information to ensure driver safety and safe vehicle handling.

The following information will be collected by the Department for Fleet vehicles with the Telematics device:

  • Employee Number;
  • Date and time;
  • Location (Long/ Lats/ Altitude);
  • Odometer;
  • Speed;
  • Direction of travel;
  • Whether the trip is for business or personal use;
  • Stopped with ignition on;
  • Start moving after stopped;
  • Ignition on and ignition off;
  • Vehicle voltage;
  • Internal battery voltage;
  • Duration of Trip.


In February 2021, the NSW Procurement Board mandated the implementation of Telematics for passenger vehicles across the NSW Government fleet of work-use vehicles. Telematics is a component of the NSW Government Travel and Transport Policy (“Policy”) which is intended to provide a framework for all NSW Government agencies and officials who are travelling using public money.

The information collected by the Telematics system is used for the purpose of:

·         Complying with the Policy;

  • Complying with its obligations under the Work Health and Safety Act 2011 (“WHS Act”) to provide a work environment without risks to health and safety;
  • To improve fleet vehicle utilisation and asset management; and
  • For the automated capture of vehicle usage data to support the Department’s Fringe Benefit Tax record keeping obligations;
  • To facilitate protection of public revenue; and
  • To improve driver behaviour and decrease costs.

The information may also be used for research or the compilation or analysis of statistics and reporting purposes. As a NSW government agency, the Department is required to comply with this Policy.


It may also be used by the Department or disclosed to a third party if the use/ disclosure is required or authorised by law (e.g. subpoena or other statutory requirement), the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of an individual, to enable the Department to comply with law enforcement requests and functions or to investigate employee misconduct or misuse of public funds.  

< i="">

Access to the information collected and held via Telematics devices and any amendments to this information should be directed to the Fleet Management Team (

Security and Storage

Information is stored and securely maintained on the Telematics system. Once information is collected by the Telematics system, the recorded information is then transmitted via mobile phone or satellite networks to the Telematics suppliers’ applications and is presented on a software platform, accessible to Departmental staff, drivers and Telematics supplier’s staff. Navman is the Department’s supplier.

Contracted Service Providers

The personal information collected via Telematics will be provided to a third party for the purposes of it supplying and providing support services for Telematics devices that are installed on the Department’s fleet vehicle. 

Process and Technology Harmonisation (PaTH)

The Process and Technology Harmonisation (PaTH) Program consolidates multiple versions of SAP to a new system called myWorkZone to be used across six NSW Government portfolios, to one core technology to simplify our corporate and shared service system and support:

  • HR management;
  • finance and procurement management;
  • asset and real estate management; and
  • data standards and systems.

On 3 July 2023, myWorkZone was launched for 13,000 staff across the Department (excluding Corrective Services and Youth Justice which will be moved to PaTH in mid 2024).

A Public Interest Direction relating to the PaTH program was made under section 41(1) of the PPIP Act on 31 January 2023 and has effect for a period of three years. The direction exempts or modifies certain IPPs as they apply to a ‘Shared Services Hub Operator.’


The personal and health information handled in the PaTH Program and stored in AESG 2.0 falls within five general categories:

  • Personal information that is regulated by the Privacy Act (Commonwealth) and not the PPIP Act or the HRIP Act (for example, tax file number information for payroll purposes); 
  • Limited health information required to facilitate reasonable adjustments for example;
  • Personal information such as an individual’s ethnic or racial origin or trade union membership that falls within the scope of s. 19(1) of the PPIP Act (for example, personal information collected in the context of workforce diversity information or providing approval for an individual’s union membership fees to be deducted directly from their wages);
  • Personal information such as employee names and addresses; and
  • Personal information previously held by participating agencies.

In the first stage of PaTH, personal information held by the 40 agencies from the Stronger Communities, Planning and Environment, Regional NSW and Premier and Cabinet clusters will provide their data to the Department for collection and inclusion in the program.


The PaTH Program will progressively consolidate shared services operations and enterprise resource planning (“ERP”) systems across NSW government agencies by standardising processes, technology and other supporting systems.  

In the first stage the Department will administer a scalable ERP platform (“AESG 2.0”) and a shared services operating model. In administering this program, the Department will have access to some or all of the data held by the program for the purposes of providing shared services to these agencies and will only access and use the data for these purposes.  

The information may also be used for research or the compilation or analysis of statistics and reporting purposes.

This consolidation aims to reduce costs and improve efficiency, productivity, data quality and workforce agility and mobility across the NSW public sector. 


Security and Storage

Personal information will be collected and stored on the AESG 2.0, being the ERP system selected for use by the PaTH program.

This is a secure system that allows agencies to access information about their own employees, with the Department having greater access for the purpose of delivering the shared services model.


Employees seeking access to the information held on AESG 2.0 or to amend this information should contact their own agency employer.

Statutory bodies

Under section 6(1) of the PIPP Regulations, smaller Statutory Bodies who are supported by the Department are exempt from the requirement to have a Privacy Management Plan, where the Plan of another agency states that the Plan extends to those other bodies.

This Privacy Management Plan extends to the below Statutory Bodies supported by the Department:

NSW Law Reform Commission and Sentencing Council

The NSW Law Reform Commission & Sentencing Council generally publishes submissions on its website and refers to submissions in its publications. Sometimes submissions include personal information. The NSW Law Reform Commission & Sentencing Council will always seek the consent of the person to whom the information relates before publishing it. When the NSW Law Reform Commission & Sentencing Council accesses personal information as part of a research project, for example, information contained in a confidential court case, the information is always de-identified prior to it being published.

It is the practice of the NSW Law Reform Commission to keep submissions published on their website indefinitely as part of a record of the review process and to assist in the analysis of their reports.

Public Defenders’ Office

The Public Defender's Office uses information provided by their clients either via their solicitors or obtained from other sources for the purpose of providing legal representation in serious criminal cases and may collect information in the course of legal representation in courts. The office will only disclose information to other parties representing their clients including the solicitor, any paralegals or when seeking reports from forensic witnesses such as psychiatrists, psychologists or similar. Individuals who are not employees such as students undertaking internships or other placements are required to sign a confidentiality form and are given specific directions on the handling of information.

Anti-Discrimination NSW

Anti-Discrimination NSW handles personal information in order to administer the Anti‑Discrimination Act 1977 (NSW) (ADA) which makes it unlawful to discriminate in specified areas of public life against a person on grounds which include their sex, race, age, disability, homosexuality, marital or domestic status, transgender status and carer’s responsibilities or vilify on the grounds of race, homosexuality, transgender status or HIV/AIDS status is also unlawful. Personal and health information is handled in accordance with this Privacy Management Plan and relevant legislative requirements.

Anti-Discrimination NSW is not required to comply with the use and disclosure HPPs in relation to its complaint handling, investigative, review and reporting functions (Schedule 1, clauses 10(3) and 11(3) of HRIPA).

Office of the Legal Services Commissioner

The Office of the Legal Services Commissioner receives and deals with complaints about lawyers or law practices in accordance with the exercise of the Office of the Legal Services Commissioner's statutory functions under the Legal Profession Uniform Law (NSW). The Office of the Legal Services Commissioner is subject to a general statutory prohibition on the disclosure of any information obtained in the administration of the Legal Profession Uniform Law (see section 462), unless a specified exception applies under section 462(2).

The Office of the Legal Services Commissioner is considered an ‘investigative agency’ for the purposes of section 3 of the PPIP Act and is therefore not required to comply with certain provisions of the PPIP Act in accordance with section 24 of the PPIP Act when exercising investigative functions.

Last updated:

23 Oct 2023