Communities and Justice



This Privacy Management Plan (the Plan) explains how the Department of Communities and Justice (the Department) complies with its obligations under the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act). More information about the PPIP Act and the HRIP Act is available from the Information and Privacy Commission (IPC) at

This plan sets out the Department’s commitment to respecting the privacy rights of our employees and contractors, the people we provide services and support to, as well as their families and carers, and other people whose information we hold.

This Plan is produced in accordance with the requirement for a Privacy Management Plan under section 33 of the PPIP Act and demonstrates how the Department ensures compliance with the PPIP Act and HRIP Act. The Plan explains how the Department manages personal information in line with the PPIP Act and health information in line with the HRIP Act. It identifies:

  1. who a person can contact to ask questions about the personal or health information we hold; and
  2. how information can be accessed or amended and what to do if there is a concern about a breach of the PPIP Act or HRIP Act.

The Department also uses this Plan to train employees about dealing correctly and lawfully with personal and health information to promote compliance with the PPIP Act and the HRIP Act.

The first half of this Plan covers how the Department and its Divisions generally collect and handle personal information. The Department’s organisational chart is available here.

To see how each Division of the Department handles personal information specific to that Division, so far as it differs from the general approach, see the below Functional Areas of the Department. Fact sheets outlining some of the more common record types of information held by the Department are available here.

What the Plan covers

Section 33(2) of the PPIP Act sets out the requirements of this Plan. This Plan must include:

  • information about how the Department develops policies and practices in line with the PPIP Act and the HRIP Act;
  • how the Department trains employees in these policies and practices;
  • the Department’s internal review procedures;
  • anything else that the Department considers relevant to the plan in relation to privacy and the personal and health information it holds.

There are several aspects of compliance with privacy obligations common to all of the Department’s Divisions. The commonalities are set out in the first part of this Plan for consistency.

However, there are unique Division specific compliance and privacy obligations based on the functions of the Division and sensitivities based on the type of information held within each Division. Further details regarding the differences in obligations can be accessed through the relevant links in this Plan.

Review of the Plan

The Department aims to review this Plan every 12 to 18 months and will review the Plan earlier if any legislative, administrative, or systemic changes impact on its management of personal and health information.

Mandatory requirements

The formal requirement on NSW government agencies to draft a privacy management plan is outlined at section 33 of the PPIP Act.

Section 33 sets out that each public sector agency must:

  1. Prepare and implement a plan;
  2. A plan must make provisions for the devising of policies and procedures regarding privacy and the implementation of those policies and procedures;
  3. An agency's procedure in relation to privacy internal reviews; and
  4. Any other relevant matters.

The Privacy Commissioner has oversight of Privacy Management Plans and must be provided with a copy following any amendments. 


All employees are required to comply with the PPIP Act and the HRIP Act. This Plan is designed to assist employees to understand and comply with their privacy obligations. This Plan is also intended to provide the community with information about how the Department meets its privacy obligations.

The Department’s employees are responsible for:

  • familiarising themselves with and complying with the Privacy Management Plan when dealing with personal and health information;
  • identifying whether new projects are likely to raise privacy issues and consulting Legal where appropriate;
  • identifying and raising privacy concerns with their Manager or Director, and Legal, as appropriate; and
  • participating in privacy training to improve their knowledge and awareness of privacy obligations.

Advice and support for employees is available from the Open Government, Information and Privacy Unit (OGIP), Legal in relation to privacy compliance, rights and obligations.

The OGIP Unit, Legal has also developed a compulsory online training module, “Privacy and You”, that must be completed by all Departmental staff. This training module explores:

  • how privacy applies to you as a Departmental employee;
  • the type of information you need to handle carefully;
  • what it means to comply with privacy legislation, including security, collection, use, storage and disclosure;
  • how to manage privacy complaints.

This compulsory training is one of the many ways the Department is raising privacy awareness and informing employees of relevant privacy policies and procedures across the Department to provide this knowledge and support to all staff.

Employee access to databases

The PPIP Act and the HRIP Act contain criminal offence provisions applicable to Departmental employees if they access, use or disclose personal information or health information without authorisation. Employee access to Departmental databases such as OIMS ChildStory, HOMES, EDRMS/One TRIM is strictly for authorised work purposes only.

We use a broad range of electronic databases to hold the information we collect. An employee may be subject to prosecution and/or disciplinary action if they access, use or disclose personal or health information for their own personal purpose. There are also offences in the Crimes Act 1900 for using a computer to access information without authority.

Application of our Privacy Management Plan

The PPIP Act is concerned with the handling of ‘personal information.’ Personal information is defined in the PPIP Act as being “any information or opinion about a person whose identity is apparent or can be reasonably ascertained from the information or opinion”: section 4(1).

While the definition of ‘personal information’ is very broad, there are some important exceptions to the definition. The exceptions that are most relevant to the Department are information which:

  • arises out of a Royal Commission or Special Commission of Inquiry;
  • is contained in Cabinet documents;
  • is about an individual's suitability for appointment or employment as a public sector official; and
  • arises from the exercise of specific statutory law enforcement powers such as telephone interception, controlled operations and witness protection.

The PPIP Act, explicitly at section 6, does not apply to NSW Courts and Tribunals, including registries, in the exercise of their ‘judicial functions.’

‘Judicial functions’ is defined at section 6(3) as meaning “the functions of the court or tribunal as they relate to the hearing or determination of proceedings before it” and extends to the functions of the Coroner in coronial inquests. 

Last updated:

23 Oct 2023