This Privacy Management Plan (the Plan) explains how the Department of Communities and Justice (the Department) complies with its obligations under the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act). More information about the PPIP Act and the HRIP Act is available from the Information and Privacy Commission (IPC) at www.ipc.nsw.gov.au
This plan sets out the Department’s commitment to respecting the privacy rights of our employees and contractors, the people we provide services and support to, as well as their families and carers, and other people whose information we hold.
This Plan is produced in accordance with the requirement for a Privacy Management Plan under section 33 of the PPIP Act and demonstrates how the Department ensures compliance with the PPIP Act and HRIP Act. The Plan explains how the Department manages personal information in line with the PPIP Act and health information in line with the HRIP Act. It identifies:
The Department also uses this Plan to train employees about dealing correctly and lawfully with personal and health information to promote compliance with the PPIP Act and the HRIP Act.
The first half of this Plan covers how the Department and its Divisions generally collect and handle personal information. The Department’s organisational chart is available here.
To see how each Division of the Department handles personal information specific to that Division, so far as it differs from the general approach, see the Functional Areas of the Department below. Fact sheets outlining some of the more common record types of information held by the Department are available here.
Section 33(2) of the PPIP Act sets out the requirements of this Plan. This Plan must include:
There are several aspects of compliance with privacy obligations common to all of the Department’s Divisions. The commonalities are set out in the first part of this Plan for consistency.
However, there are unique Division-specific compliance and privacy obligations based on the functions of the Division and sensitivities based on the type of information held within each Division. Further details regarding the differences in obligations can be accessed through the relevant links in this Plan.
The Department aims to review this Plan every 12 to 18 months and will review the Plan earlier if any legislative, administrative, or systemic changes impact on its management of personal and health information.
The formal requirement on NSW government agencies to draft a privacy management plan is outlined at section 33 of the PPIP Act.
Section 33 sets out that each public sector agency must:
The Privacy Commissioner has oversight of Privacy Management Plans and must be provided with a copy following any amendments.
All employees are required to comply with the PPIP Act and the HRIP Act. This Plan is designed to assist employees to understand and comply with their privacy obligations. This Plan is also intended to provide the community with information about how the Department meets its privacy obligations.
The Department’s employees are responsible for:
Advice and support for employees is available from the Open Government, Information and Privacy Unit (OGIP), Legal (firstname.lastname@example.org) in relation to privacy compliance, rights and obligations.
The OGIP Unit, Legal has also developed a compulsory online training module, “Privacy and You”, that must be completed by all Departmental staff. This training module explores:
This compulsory training is one of the many ways the Department is raising privacy awareness and informing employees of relevant privacy policies and procedures across the Department, to provide this knowledge and support to all staff.
The PPIP Act and the HRIP Act contain criminal offence provisions applicable to Departmental employees if they access, use or disclose personal information or health information without authorisation. Employee access to Departmental databases such as OIMS ChildStory, HOMES, EDRMS/One TRIM is strictly for authorised work purposes only.
We use a broad range of electronic databases to hold the information we collect. An employee may be subject to prosecution and/or disciplinary action if they access, use or disclose personal or health information for their own personal purpose. There are also offences in the Crimes Act 1900 for using a computer to access information without authority.
The PPIP Act is concerned with the handling of ‘personal information.’ Personal information is defined in the PPIP Act as being “any information or opinion about a person whose identity is apparent or can be reasonably ascertained from the information or opinion”: section 4(1).
While the definition of ‘personal information’ is very broad, there are some important exceptions to the definition. The exceptions that are most relevant to the Department are information which:
The PPIP Act, explicitly at section 6, does not apply to NSW Courts and Tribunals, including registries, in the exercise of their ‘judicial functions.’
‘Judicial functions’ is defined at section 6(3) as meaning “the functions of the court or tribunal as they relate to the hearing or determination of proceedings before it” and extends to the functions of the Coroner in coronial inquests.
23 Oct 2023