Communities and Justice

General Overview of the Information Privacy Principles and the Health Privacy Principles

Information Privacy Principles

Collection (PPIP Act sections 8-11, HRIP Act HPP 1-4)

Personal information and health information must only be collected by lawful means for purposes related to Departmental functions and activities. Wherever possible the Department must generally collect personal information and health information directly from the individual to whom the information relates. The collection of personal information and health information must not unreasonably intrude into the personal affairs of the individual.

The Department takes active measures to ensure the Collection principle is upheld by encouraging business units to regularly review its privacy collection notices and practices to ensure they accurately reflect the collection of personal information relevant for business needs.

Generally, when the Department collect personal and health information, the information is collected directly from the individual. However, the individual may authorise the collection of their information from another person, or an exemption or exception may apply. Given the breadth of the functions and activities of the Departments divisions, the collection of information by each Division is broadly set out here.

When collecting personal and health information from individuals, the Department provides a privacy notice to the individual to whom the information relates. Section 10 of the PPIP Act and clause 4(1) of Schedule 1 to the HRIP Act sets out what is required in this notification. This includes the purpose for collection, intended use and recipients, whether the information is required to be collected by law or is voluntary and the individual's right and method of access and amendment to that information. Where health information is collected from someone other than the individual, the individual is notified as soon as possible after the collection unless an exemption or exception applies.

Storage and Security of Personal Information (PPIP Act section 12, HRIP Act HPP 5)

The Department takes all reasonable security safeguards to protect personal and health information from loss, unauthorised access, use, modification or disclosure, and against all other misuse. The Department ensures personal and health information is stored securely, not kept longer than necessary, and disposed of appropriately.

The Department uses a variety of information management systems to manage its storage and security obligations including paper-based filing systems, and electronic records forming part of secure computerised databases. Strict rules are followed for storing personal information and health information in all its formats to protect personal information and health information from unauthorised access, loss or other misuse. Only those employees who need to know particular personal information or health information in order to carry out their work can have access to it.

Personal information and health information, both paper-based and electronic format, must be stored securely in these electronic systems and protected from unauthorised access and alteration. Generally, personal information and health information must be kept only as long as it is necessary for the purposes for which it may lawfully be used. When it is no longer needed, the personal information or health information must be destroyed using a secure waste destruction service (for paper-based documents) and formal deletion processes for electronic documents and data.

Personal and health information held in Departmental records can only be disposed of in accordance with the NSW State Records Act 1998 and relevant disposal authorities. This link provides a list of relevant Functional Disposal Authorities that apply to the Department. A list of the specific storage, security and disposal authorities for some divisions is set out by division later in this Plan.  

The information held by the Department, both internally and externally is subject to security policies. This is available for employees on the intranet. Relevant policies are available to the public via the Department’s Resource Centre.

Where it is necessary for personal or health information to be transferred to a CSP in connection with the provision of a service to the public, the Department takes all reasonable steps to prevent unauthorised use and disclosure of that information. The Department complies with its obligations by reviewing contracts to ensure that privacy obligations are imposed on contracted service providers and that they comply with the IPPs and the HPPs.

Access and Amendment (PPIP Act section 14 -15, HRIP Act HPP 7-8)

The PPIP Act and the HRIP Act both establish a right of access to information for individuals about themselves.

Individuals are entitled to know whether information about them is held by us, the nature of the information, the main purposes for which it is used, and how they can gain access to it, including a right of correction if details are not correct.

A person wanting to access or amend their own personal or health information can make a request by contacting the relevant business unit that manages their information. Generally, this request should be made in writing. If a person is not satisfied with the outcome of their informal request, they can lodge a complaint with OGIP (  A business unit in receipt of an access or amendment application if uncertain about providing access to personal information sought by an individual, may seek advice from OGIP by email at

The Department aims to respond to applications in 30 working days, depending on the volume of information requested, and advises the applicant approximately how long the application will take to process, particularly if it may take longer than expected.

Most records held about an employee are on their Personnel File (P File) which is managed by the Department’s Payroll. To access their file, current employees can log a ticket through the 'Service Now’ portal available on the Intranet. Former employees can write to the Department’s Payroll via email

Limits and reasons for refusal

The Department does not charge for providing access to personal information under the PPIP Act, but reasonable fees may be charged for providing access to health information. 

If the person lacks capacity to apply for information, their guardian or their ‘personal information custodian’ may act on their behalf in requesting access.

Where an application to access information held by the Department includes the personal information of one or more persons who are not the applicant, a formal access application should be made under the Government Information (Public Access) Act 2009 (GIPA Act). Further information about GIPA is available from the Department’s access to information webpage.

Access to information held by a contracted service provider

If access is sought to personal or health information held by a contracted service provider that is providing a service to the public on behalf of the Department, individuals may access their personal information directly from the contracted service provider. If they experience any difficulties obtaining access to their personal or health information held by a contracted service provider, they are able to contact the Department at

If an individual has any enquiries about accessing their personal information, they are able to contact the Open Government, information and Privacy Unit at

Amendment or Correction of personal information

An individual can make a request to amend their personal information.  A request to amend personal information held by the Department is dealt within a reasonable timeframe, which is generally 30 working days of receipt of the request.

An amendment application can be made verbally or in writing to the relevant business unit that holds the information or by emailing the Department at and detailing the nature of the records and the specific request for amendment. A request for amendment may be subject to the obligations imposed on the Department by other legislation such as the State Records Act 1998 (NSW) to keep, accurate and complete records. If the Department does not amend a record when requested to do so, the Department must allow the individual to attach a statement to its records, which provide the individual’s view on the amendment.

Certain records, such as medical reports, expressions of opinion or case notes that capture information recorded at a point in time will not be deleted or amended in response to an amendment request. However, a statement may be affixed to the existing record to be read in conjunction with a statement of reasonable length noting the amendments sought.

Our employees are authorised to make appropriate amendments to general personal information (such as contact details) when a request is made. This ensures our information is accurate, relevant, up to date, complete and not misleading.

Accuracy (PPIP Act section 16, HRIP Act (HPP 9)

The PPIP Act and the HRIP Act place an obligation on the Department to take reasonable steps, depending on the circumstances to ensure that, having regard to the purpose for which personal information held by the Department is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.

Generally, the Department collects personal information and health information directly from the individual and relies on the person providing the information to confirm its accuracy. Sometimes the Department independently verifies the information, if the information has been collected indirectly, for example, in conducting its child protection functions, the Department may interview a number of individuals to understand varying perspectives. It may take steps to verify the accuracy of the information depending on the reliability of the source of the information, the lapse in time between the point of collection and any proposed use or disclosure of the information. 

Use (PPIP Act section 17, HRIP Act HPP 10)

In general, to ‘use’ information means to handle information that has been collected, and requires some administrative action or consequence for example, an employee using a person’s personal information to prepare a report.

When considering whether to use personal information or health information we hold, the Department must consider whether:

  • the proposed use is consistent with the purpose for which it was collected;
  • the proposed secondary use is directly related to the purpose of collection;
  • the individual has consented for use of their personal information for that purpose; or
  • it is necessary to prevent or lessen a serious and imminent threat to life or health of a person.

If the Department seeks to use an individual’s personal information outside of the above lawful reasons, then generally it will need to obtain the individual’s consent.

How information is used by various Divisions and Business Units and is discussed in the section below titled Handling of information by Division.  

Disclosure (PPIP Act section 18, HRIP Act HPP 11)

To ‘disclose’ information generally means to give information collected by the Department to a person or body outside of the Department, for example, if we were to provide information to the NSW Police Force.

The Department will only disclose personal or health information if one or more of the following applies:

  1. at the time we collected their information, the person was given a privacy notice to inform them their personal information would or might be disclosed to the proposed recipient;
  2. the disclosure is directly related to the purpose for which the information was collected and the Department has no reason to believe that the individual concerned would object to the disclosure;
  3. The Department has reasonable grounds to believe that disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the person the information is about or another person;
  4. the person concerned has consented to the proposed disclosure;
  5. it is required for law enforcement or investigation purposes. In such instances, a valid warrant or court order (subpoena) may be required;
  6. the disclosure is required, permitted, implied or reasonably contemplated by an act or any other law; or
  7. the disclosure is permitted by a Public Interest Direction or Code made by the NSW Privacy Commissioner.

It is important to note that the Department is compelled to disclose personal and health information to other law enforcement agencies without the consent of the individual concerned when a search warrant, subpoena, summons or statutory order has been served on it, or when the disclosure:

  • concerns proceedings for an offence or for law enforcement purposes;
  • is related to the whereabouts of a person reported as missing to the police, and the disclosure is to be made directly to a law enforcement agency; or
  • is reasonably necessary for the protection of public revenue or to investigate an offence where there are reasonable grounds to believe that an offence has been committed.

Personal and health information must be protected from unauthorised use and disclosure. Any use or disclosure made, must be recorded.

Restricted personal information

The following categories of personal information are given more stringent protection under section 19 of the PPIP Act:

  • an individual's ethnic or racial origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership; and
  • sexual activities.

These categories of information are only collected when required for a particular function or activity and may generally only be disclosed if it is necessary to prevent a serious or imminent threat to the life or health of the individual concerned or of another person.

Other exemptions apply in Division 3 of Part 1 of the PPIP Act including where other legislation requires or reasonably contemplates disclosure (see section 25 of the PPIP Act).

Additional Health Privacy Principles

Identifiers and anonymity

The HRIP Act has an additional Health Privacy Principle (HPP) (HPP 12) concerning the use of identifiers assigned by organisations to protect individuals' identities. The Department only identifies individuals by using unique identifiers if it is reasonably necessary for it to carry out its functions.

Identifiers are used to uniquely identify an individual and their health records. An identifier does not need to use a person’s name as they are designed to be unique to a specific individual (for example, a customer number or unique patient number). Identifiers that have no meaning outside of the Department, should be assigned where possible in the case of the provision of ‘health information’ for research purposes so that the data is de-identified.

Health information is defined in section 6 of the HRIP Act and broadly covers information about the physical or mental health of an individual, genetic information about an individual or a health service provided or to be provided to an individual. The Department takes additional care when handling health information.

The NSW Privacy Commissioner has developed four statutory guidelines under the HRIP Act. They are legally binding documents that define the scope of particular exemptions in the HPPs and can be accessed here. The Department complies with these statutory guidelines in relation to the use and disclosure of health information.

In many circumstances, numbers are widely used to de-identify an individual. For example, Medicare (Services Australia) maintain Medicare numbers and Individual Reference Numbers. The Department may collect, user or disclose these numbers for children in OOHC when accessing health care services. The use and disclosure of the identifier itself is governed by the same requirements as identified personal or health information.

HPP13 provides the right of individuals to be given the opportunity to not identify themselves when entering into transactions with or receiving health services from the Department, where this is practicable and lawful. Where possible the Department provides individuals with the opportunity to transact anonymously or with the use of a pseudonym for example, in responding to general enquiries.

Transferrals and linkage

The Department cannot transfer health information outside New South Wales or to the Commonwealth unless it reasonably believes the receiving jurisdiction has a similar standard of privacy protection for health information. The Department must not include health information about any individual in a health records linkage system unless the individual has expressly consented to this.

The Department only uses health records linkage systems when individuals have expressly consented to their information being included on such a system, or for research purposes which have been approved by an Ethics Committee and in accordance with the Statutory Guidelines on Research.

Last updated:

24 Oct 2023