Privacy in the Department

What is the Department of Communities and Justice?

This Plan relates to the information handling practices of the Department, as the lead agency in the Stronger Communities Cluster. The Department delivers a range of services, including but not limited to:

• child protection services (early intervention and preservation, statutory child protection and out-of-home-care);
• community inclusion services (carers, ageing, disability inclusion);
• assistance with housing and homelessness;
• legal, court and supervision services to the people of NSW by managing courts and justice services;
• implementing programs to reduce crime and re‑offending;
• managing custodial and community-based correctional services, protecting rights and community standards; and
• advising on law reform and legal matters.

Promoting privacy awareness in the Department

The Department takes its privacy obligations very seriously and it undertakes a range of initiatives to ensure that Departmental employees, contractors and members of the public are informed of the Departments privacy practices and obligations under the PPIP Act and the HRIP Act. The Department promotes privacy awareness and compliance by:

• publishing and promoting this Plan on the intranet and website;
• incorporating privacy information in its induction program and in the modules for Code of Conduct and Fraud and Corruption awareness;
• publishing and maintaining a dedicated privacy page on the intranet that centralises all privacy resources for Departmental employees, including the Department’s Privacy Policy and this Plan and that provides information about what to do if employees are unsure about a privacy issue;
• publishing privacy factsheets on the intranet to provide employees with practical guidance on privacy issues and considerations;
• delivering periodic face to face and online training across different business areas;
• providing a dedicated privacy advisory service to employees;
• investigating allegations of breaches of privacy and implementing recommendations made from finalised investigations;
• assessing privacy impacts of new projects or processes from the outset;
• working with senior executives endorsing a culture of good privacy practice; and,
• educating the public about their privacy rights and Departmental obligations (for example, maintaining a dedicated privacy page on its website and providing privacy information on forms that collect personal and health information).
• Promoting Privacy Awareness Week annually across the Department;
• Registering as a Privacy Awareness Week champion.

Privacy legislation and instruments that apply to the Department

There are a number of different privacy instruments in NSW, including:

• Privacy and Personal Information Protection Act 1998;
• Privacy and Personal Information Protection Regulation 2019;
• Privacy Code of Practice (General) 2003 and other Privacy Codes made under Part 3 Division 1 of the PIPP Act;
• Privacy Public Interest Directions, made under section 41 of the PIPP Act by the Privacy Commissioner;
• Health Records and Information Privacy Act 2002;
• Health Records and Information Privacy Regulation 2022;
• Health Codes of Practice made under Part 5 of the HRIP Act;
• Health Public Interest Directions, made under section 62 of the HRIP Act by the Privacy Commissioner.

We hold a range of information, including information that falls within the definition of ‘personal information’ under the PPIP Act and some ’health information’ as defined in the HRIP Act.

Further information on the Health Privacy Principles (HPPs) and the Information Protection Principles (IPPs) is available through the following links on the IPC website:

• The Health Privacy Principles (HPPs)
• The Information Protection Principles (IPPs)

Privacy Codes of Practice (Codes) and Public Interest Directions (PID) vary the application of some sections of the PPIP Act and the HRIP Act to enable the Department to perform some of its functions. These Codes and PIDs are Agency or Division specific in their operation. Applicable Codes and PIDs are discussed in greater detail in the specific Division sections of this Plan. This Plan will be amended as and when new Codes and/or PIDs are approved by the Privacy Commissioner, Attorney General and/or Health Minister.

Where parts of the above instruments are relevant to the programs of functions of a particular area of the Department, this has been outlined further, later in this Plan. 

Overview of the main classes of personal and health information held by the Department

Given the broad range of functions and activities covered by the Department’s Divisions, a general description of information commonly held by our agencies is captured below. These include:

Name of divison	Examples of kinds of information held by division
Child Protection and Permanency, District and Youth Justice Services	Child protection, family casework, out-of-home care, and adoption records relating to individuals and families. Reports and assessments about children and young persons at risk of significant harm. Information and records relating to children and young persons in custody or under supervision in the community. Information about the operation of youth justice centres. For further information relating to the care and protection of children held by the Department, or juvenile justice files pre-November 1991, please see Child Protection records. For information from November 1991 onwards, please see: Youth Justice records.
Corporate Services	Information relating to business ethics, tenders, and contracts Annual Reports, including audited financial statements, information relating to funding grants to NGOs, former Department of Family and Community Services Annual Reports and former Department of Justice Annual Reports Budgeting and financial information. Personnel and human resources-related information. Information relating to Department assets. Information such as personal and health information about clients and staff, or information obtained from third parties, held in the Federated Analytics Platform, which consolidates data from a variety of internal systems, data storage locations, file shares, legacy stores, and external systems.
Corrective Services NSW	Custodial records such as case notes, case management files, warrant files; Community Corrections records such as case notes, case history files, reports prepared for court proceedings; and Health information, limited to Psychology information. Please visit Corrective Services records for further information.
Courts, Tribunals and Service Delivery	Case files relating to current and previous proceedings in a NSW court or tribunal, which contain documents such as applications, notices of motion or evidence filed with the court, subpoenaed or summonsed documents, and orders of the relevant court or tribunal. Transcripts and audio recordings of court and tribunal proceedings. Case files relating to victim’s support services.
Housing, Disability and District Services	Tenancy files. Information and records within the Housing Operations Management Extended Services (HOMES) system, such as records of housing clients’ interactions with the Department and records of assistance provided to clients (for example, temporary accommodation, private rental subsidies, and tenancy management). Information about clients who receive housing assistance products. NSW Housing Register. For further information, please visit: FACS and DCJ records.
Law Reform and Legal Services	Legal advice, client instructions, and information relevant to proceedings to which the Department is a party. Litigation files. Ministerial correspondence. Information relating to policy and law reform proposals, including consultations and briefing notes. Subpoenas, summonses, or other orders for production issued to the Department and related records or correspondence. Access applications and informal requests under the GIPA Act and related information, including internal and external correspondence, notices of decision, and copies of information the subject of such applications and requests.
Strategy, Policy and Commissioning	Submissions and consultation responses. Correspondence.

Broadly, the Department also holds information such as:

• Personnel records;
• Administrative records;
• Correspondence;
• Submissions and consultation responses from other agencies and members of the public;
• Training resources; and
• Complaints and investigative files.

Information collected by the Departments different business units is unique to those areas of the Department. For more information about how personal information is handled by the different areas of the Department, see the Functional Areas section of the Plan. 

The Department as a Law Enforcement and Investigative Agency

The Department of Communities and Justice is a ‘law enforcement agency’ for the purposes of the PPIP Act: s 3(1). This means that in carrying out some of our functions and activities, the Department is not required to comply with some of the IPPs in the PPIP Act regarding the collection, notice, use and disclosure of personal information in particular contexts such as to prevent the commission of an offence, protect public revenue or to investigate an offence.

The Department is also an ‘investigative agency’ for the purposes of the PPIP Act and the HRIP Act when we exercise some of our functions under the authority of an Act and those functions may result in disciplinary, criminal or other formal action: section 3(1). For example, when exercising its investigative functions under the Residential Tenancies Act 2010 or the Housing Act 2001 the Department is not required to comply with some of the information protection principles in the PPIP Act, including how it collects, uses and discloses personal information.

The Department is also considered a law enforcement agency for the purposes of the PPIP Act and the HRIP Act (Corrective Service NSW and Youth Justice).

The Department is also considered a ‘human services agency’ as defined in the Privacy Code of Practice (General) 2003. In certain circumstances, it may collect information other than directly from the individual. 

Contracted Service Providers (CSPs)

The Department has responsibilities for ensuring that personal information handled on our behalf by a CSP is protected.

The Department is considered to ‘hold’ personal information as per section 4(4)(b) of the PPIP Act under any of the following circumstances:  

1. Where a CSP comes into possession of Department’s information, documents, or any materials through the course of their engagement with the Department; or
    
2. Where a CSP generates or produces personal and or health information through the course of their service engagement with the Department. 

Where an CSP subcontracts with a different organisation, and that organisation comes into possession of the Department’s data, the Department ‘holds’ such data for the purposes of section 4(4)(b) of the PPIP Act.

Where it is necessary for personal information to be transferred to a third-party provider to enable that third party to provide services to clients or to the Department, the Department develops and executes contract terms that prevent third party providers from unauthorised use or disclosure of personal information that we hold.

This Plan outlines how the Department engages with major contracted service providers in relation to the different functional areas and services of the Department.

Department’s responses to data breaches

Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) establishes the Mandatory Notification of Data Breach (MNDB) scheme. Under the MNDB scheme which commenced on 28 November 2023, all public sector agencies bound by the PPIP Act, including the Department, must notify the Privacy Commissioner and affected individuals of data breaches involving personal or health information that are likely to result in serious harm.

A data breach might occur where there is unauthorised access, disclosure or loss of information ( or where the loss is likely to result in unauthorised access or disclosure) and where the risk of serious harm cannot be mitigated.

The MNDB scheme will require agencies to have regard to any guidelines issued by the Privacy Commissioner when assessing a data breach.

We require data breaches to be promptly notified by all employees and CSPs to the OGIP Unit and to Information and Digital Services (IDS).

Where the OGIP Unit is notified of a data breach, OGIP provide advice and guidance to the relevant business unit where the breach occurred to enable the business unit to take steps (if possible) to immediately contain the breach. Advice and guidance are also provided on assessing the breach and carrying out the notification requirements of the breach if necessary.

The Department’s MNDB scheme webpage can be found here. 

Public Registers

A public register is an official list of names, events and transactions. Under certain laws, a public register must be made publicly available. The Department conducts maintenance and oversight of public registers.  The Department maintains the NSW Justices of the Peace Register. Information about the content of the register, how to access the information on the register and how a person can apply for their personal or health information to be suppressed can be accessed by clicking on the link: NSW Justices of the Peace (JP) Register

Exemptions relating to information exchanges between public sector agencies for the purpose of responding to inquiries (PPIP Act section 27A)

The Department routinely receives inquiries from members of the public and members of Parliament/Ministers. Sometimes these inquiries are misdirected to the Department or another agency. To assist the individual making the inquiry, the PIPP Act allows the Department to transfer inquiries between agencies to ensure they are responded to accurately and promptly by the correct agency with responsibility for the relevant public function.

It is important to note that this exemption only applies to personal information as no equivalent exemption exists under the HRIP Act for health information.