This Plan relates to the information handling practices of the Department, as the lead agency in the Stronger Communities Cluster. The Department delivers a range of services, including but not limited to:
The Department takes its privacy obligations very seriously and it undertakes a range of initiatives to ensure that Departmental employees, contractors and members of the public are informed of the Department’s privacy practices and obligations under the PPIP Act and the HRIP Act. The Department promotes privacy awareness and compliance by:
There are a number of different privacy instruments in NSW, including:
We hold a range of information, including information that falls within the definition of ‘personal information’ under the PPIP Act and some ‘health information’ as defined in the HRIP Act.
Further information on the Health Privacy Principles (HPPs) and the Information Protection Principles (IPPs) is available through the following links on the IPC website:
Privacy Codes of Practice (Codes) and Public Interest Directions (PID) vary the application of some sections of the PPIP Act and the HRIP Act to enable the Department to perform some of its functions. These Codes and PIDs are Agency or Division specific in their operation. Applicable Codes and PIDs are discussed in greater detail in the specific Division sections of this Plan. This Plan will be amended as and when new Codes and/or PIDs are approved by the Privacy Commissioner, Attorney General and/or Health Minister.
Where parts of the above instruments are relevant to the programs or functions of a particular area of the Department, this is outlined later in this Plan.
Given the broad range of functions and activities covered by the Department’s Divisions, a general description of information commonly held by our agencies is captured below. These include:
Name of division | Examples of kinds of information held by division |
---|---|
Child Protection and Permanency, District and Youth Justice Services | For further information relating to the care and protection of children held by the Department, or juvenile justice files pre-November 1991, please see Child Protection records. For information from November 1991 onwards, please see: Youth Justice records. |
Corporate Services | Information such as personal and health information about clients and staff, or information obtained from third parties, held in the Federated Analytics Platform, which consolidates data from a variety of internal systems, data storage locations, file shares, legacy stores, and external systems. |
Corrective Services NSW | Please visit Corrective Services records for further information. |
Courts, Tribunals and Service Delivery | |
Housing, Disability and District Services | |
Law Reform and Legal Services | |
Strategy, Policy and Commissioning | |
Broadly, the Department also holds information such as:
Information collected by the Department’s different business units is unique to those areas of the Department. For more information about how personal information is handled by the different areas of the Department, see the Functional Areas section of the Plan.
The Department of Communities and Justice is a ‘law enforcement agency’ for the purposes of the PPIP Act: s 3(1). This means that in carrying out some of our functions and activities, the Department is not required to comply with some of the IPPs in the PPIP Act regarding the collection, notice, use and disclosure of personal information in particular contexts such as to prevent the commission of an offence, protect public revenue or to investigate an offence.
The Department is also an ‘investigative agency’ for the purposes of the PPIP Act and the HRIP Act when we exercise some of our functions under the authority of an Act and those functions may result in disciplinary, criminal or other formal action: section 3(1). For example, when exercising its investigative functions under the Residential Tenancies Act 2010 or the Housing Act 2001 the Department is not required to comply with some of the information protection principles in the PPIP Act, including how it collects, uses and discloses personal information.
The Department is also considered a law enforcement agency for the purposes of the PPIP Act and the HRIP Act (Corrective Services NSW and Youth Justice).
The Department is also considered a ‘human services agency’ as defined in the Privacy Code of Practice (General) 2003. In certain circumstances, it may collect information other than directly from the individual.
The Department has responsibilities for ensuring that personal information handled on our behalf by a CSP is protected.
The Department is considered to ‘hold’ personal information as per section 4(4)(b) of the PPIP Act under any of the following circumstances:
Where a CSP subcontracts with a different organisation, and that organisation comes into possession of the Department’s data, the Department ‘holds’ such data for the purposes of section 4(4)(b) of the PPIP Act.
Where it is necessary for personal information to be transferred to a third-party provider to enable that third party to provide services to clients or to the Department, the Department develops and executes contract terms that prevent third party providers from unauthorised use or disclosure of personal information that we hold.
This Plan outlines how the Department engages with major contracted service providers in relation to the different functional areas and services of the Department.
Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) establishes the Mandatory Notification of Data Breach (MNDB) scheme. Under the MNDB scheme, which commenced on 28 November 2023, all public sector agencies bound by the PPIP Act, including the Department, must notify the Privacy Commissioner and affected individuals of data breaches involving personal or health information that are likely to result in serious harm.
A data breach might occur where there is unauthorised access, disclosure or loss of information (or where the loss is likely to result in unauthorised access or disclosure) and where the risk of serious harm cannot be mitigated.
The MNDB scheme will require agencies to have regard to any guidelines issued by the Privacy Commissioner when assessing a data breach.
We require data breaches to be promptly notified by all employees and CSPs to the OGIP Unit and to Information and Digital Services (IDS).
Where the OGIP Unit is notified of a data breach, OGIP provide advice and guidance to the relevant business unit where the breach occurred to enable the business unit to take steps (if possible) to immediately contain the breach. Advice and guidance are also provided on assessing the breach and carrying out the notification requirements of the breach if necessary.
The Department’s MNDB scheme webpage can be found here.
A public register is an official list of names, events and transactions. Under certain laws, a public register must be made publicly available. The Department conducts maintenance and oversight of public registers. The Department maintains the NSW Justices of the Peace Register. Information about the content of the register, how to access the information on the register and how a person can apply for their personal or health information to be suppressed can be accessed by clicking on the link: NSW Justices of the Peace (JP) Register
The Department routinely receives inquiries from members of the public and members of Parliament/Ministers. Sometimes these inquiries are misdirected to the Department or another agency. To assist the individual making the inquiry, the PPIP Act allows the Department to transfer inquiries between agencies to ensure they are responded to accurately and promptly by the correct agency with responsibility for the relevant public function.
It is important to note that this exemption only applies to personal information as no equivalent exemption exists under the HRIP Act for health information.
30 Oct 2023