Privacy NSW Privacy Management Plan
PRIVACY NSW
PRIVACY MANAGEMENT PLAN
Amended Privacy Management Plan (Version 2) – 26 July 2006
Privacy NSW is the Office of the NSW Privacy Commissioner
established on 1 February 1999 under the Privacy and Personal Information Protection Act 1998.
It also administers the Health Records and Information Privacy Act 2002.
CONTENTS
1. Introduction
1.1 Privacy management plan
1.2 Plan adopts NSW Attorney General's Department Plan
1.3 Personal information
1.4 Amendment to plan
2. Role of Privacy NSW
2.1 Role of Privacy NSW
2.2 Collection, holding and using personal information
3. Personal Information
3.1 Personal information
4. Existing law and policies relating to personal information
4.1 Range of other legislation and policies
4.2 Powers and obligations of the Privacy Commissioner NSW
4.3 Freedom of Information Act 1989
5. Policies and Protocols of Privacy NSW
5.1 Various policies and protocols – handling of personal information
5.2 Protocol for the Handling of Complaints
5.3 Protocol for the Handling of Requests for Advice
5.4 Procedures for requests for Internal Reviews under the PPIP Act
5.5 Media Protocol
5.6 Information Sharing Agreement
5.7 Attorney General's Department Code of Conduct and Ethics
6. Dissemination of policies and procedures regarding compliance
6.1 Specific policies and procedures circulated
6.2 Strategies for Compliance with PPIP Act
6.3 Compliance with Information Protection Principles
6.4 Compliance with Health Privacy Principles
6.5 Security and Access Issues
7. Attorney General's Department Policy statement - Records
7.1 The Department's records
7.2 Department commitment
7.3 Staff to observe
8. Security and the workplace area
9. Security Checklist: Security starts with you
APPENDIX A: Legislation affecting the processing of information
Privacy Management Plan
April 2006
1. Introduction
1.1 This Privacy Management Plan sets out how Privacy NSW complies with the principles and requirements of the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (the HRIP Act).
1.2 This plan adopts the Privacy Management Plan of the NSW Attorney General’s Department (the Department) and should be read in conjunction with the Department’s plan. Where the Department’s plan is inconsistent with this plan, this plan has precedence. See the Department’s Privacy Management Plan.
1.3 In addition, this plan addresses particular matters that affect personal information held by Privacy NSW. This plan gives officers of Privacy NSW guidance on compliance with the requirements of the PPIP Act and the HRIP Act with respect to these matters, and sets out policies and procedures that have been or will be adopted by Privacy NSW to minimise or eliminate the risk of non-compliance.
1.4 This plan was amended in April 2006. The review included consideration of any amendments made since the date of this plan to the Department’s Privacy Management Plan.
2. Role of Privacy NSW
2.1 The role of Privacy NSW is to:
- educate the people of NSW about the meaning and value of privacy and to assist them in the protection and enhancement of that privacy
- promote the adoption of world’s best privacy practice by all holders of personal data, particularly NSW Government agencies, thereby promoting an increased level of trust in the community, especially between people and their government.
2.2 Privacy NSW collects, holds, uses and discloses personal information for the purpose of carrying out its functions. For instance, Privacy NSW may handle personal information for the purpose of providing assistance to individuals and public sector agencies about privacy related matters, investigating complaints about the alleged violation or interference with the privacy of an individual, and conducting research about privacy related matters.
3. Personal Information
3.1 Personal information is any information or opinion about an identifiable person. This could include:
- written records about a person
- a photograph or image of a person
- fingerprints or DNA samples that identify a person
The PPIP Act and HRIP Act define 'personal information' as "information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion". The HRIP Act definition of health information incorporates a definition of personal information which is similar to that of the PPIP Act (section 6 of HRIP Act).
4. Existing law and policies relating to personal information
4.1 In addition to the PPIP Act, a range of other legislation and policies apply generally to the way in which Privacy NSW handles personal information (see Appendix A).
4.2 The PPIP Act itself contains specific powers and obligations concerning personal information handled by the Privacy Commissioner and staff of Privacy NSW:
- The Privacy Commissioner can require, in connection with the exercise of his or her functions, any person or public sector agency to provide information to the Commissioner (s.37);
- The Privacy Commissioner has the powers of a commissioner under the Royal Commissions Act 1923 for the purpose of conducting inquiries and investigations (s.38);
- The Privacy Commissioner may make a special report to Parliament on any matter arising in connection with his or her functions (s.65);
- There are criminal penalties for the unauthorised disclosure of personal and health information by the Privacy Commissioner or his or her staff (e.g. s.67 of the PPIP Act and s.65 of the HRIP Act).
4.3 The Freedom of Information Act 1989 (FOI Act) contains a specific exemption for Privacy NSW in relation to its complaint handling, investigative and reporting functions (Schedule 2 of the FOI Act). The effect of this exemption means, for instance, that a third party cannot access personal information held by Privacy NSW about a complainant.
5. Policies and Protocols of Privacy NSW
5.1 There are various policies and protocols that affect the handling of personal information by Privacy NSW.
5.2 Protocol For The Handling Of Complaints
In accordance with the requirements of the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002, Privacy NSW undertakes to investigate complaints about alleged breaches of privacy in both the private and the public sectors. In handling complaints Privacy NSW will deal with complaints in a courteous and efficient manner with a minimum of formality.
Privacy NSW’s Protocol for the Handling of Complaints is available at: www.lawlink.nsw.gov.au/pc.nsf/pages/complaints
5.3 Protocol for the Handling of Requests for advice from Privacy NSW April 2006
In accordance with the requirements of the Privacy and Personal Information Protection Act 1998, and as part of our commitment to public service, Privacy NSW undertakes to handle requests for advice in a timely, accurate and informative manner. This protocol deals with:
- procedures for providing advice
- requests by postal mail
- requests by facsimile
- requests via email
- requests for advice from members of Parliament or heads of agencies
- requests for advice from the Attorney General
A copy is also available on our website at www.lawlink.nsw.gov.au/privacynsw
5.4 Procedures for requests for Internal Reviews under the PPIP Act
Individuals who wish to make a complaint about the way in which Privacy NSW has handled their personal information may request that Privacy NSW conduct an Internal Review of the conduct complained about.
Requests for an Internal Review should preferably include a completed copy of the Internal Review application form available on Privacy NSW’s website at: www.lawlink.nsw.gov.au/pc.nsf/pages/irapplication
Requests for an Internal Review should be marked “confidential” and addressed to:
Privacy NSW
GPO Box 6
SYDNEY NSW 2001
Upon receipt of a request for an Internal Review, the Privacy Commissioner or his or her delegate will determine whether the Internal Review can be conducted by an officer of Privacy NSW who was not substantially involved in any matter relating to the conduct and who is otherwise suitably qualified to deal with the matters raised by the request (as required by s.53(4) of the PPIP Act). Where the Privacy Commissioner or his or her delegate determines that it is not possible to satisfy the above requirements, he or she will refer the request for Internal Review to the Privacy Contact Officer of the Attorney General’s Department, who shall conduct the Review.
For further information about making a request for an Internal Review, complainants can contact Privacy NSW on telephone (02) 9228 8585; Fax (02) 9228 8577
5.5 Media Protocol
Privacy NSW does not at present have a Media Protocol that sets out policies and procedures for making statements to the media. Reference should be made to the AGD’s media policy, which includes detail on:
- Handling media enquiries
- How to respond to media requests
- Monitoring statewide media coverage
- Ministerial requests and urgent approvals
- Guidelines for liaison with the Minister's office on media issues
- Department generated media releases
- Provision of materials to the media
- Film, television and radio recording in the courts
- Courts and Tribunals
- Misuse of information
- Privacy Legislation
Any media inquiries should be referred to the Privacy Services Manager or the Acting Privacy Commissioner.
5.6 Information Sharing Agreement
Privacy NSW has signed an Information Sharing Arrangement and Complaint Referral Arrangement with the NSW Ombudsman, Anti-Discrimination Board, Health Care Complaints Commission and Legal Services Commission. These Arrangements allow the sharing of personal information between Privacy NSW and these agencies in certain circumstances. For example, if Privacy NSW receives a complaint that is more appropriately dealt with by another agency, it may refer that complaint to the agency with the express consent of the complainant. The Arrangement requires that copies of this document be publicly available for inspection at the Privacy NSW office during office hours and accessible on Privacy NSW’s website. Inquiries should be directed to Privacy NSW on (02) 9228 8585, and up-to-date copies can be found here.
5.7 AGD’s Code of Conduct and Ethics
The code outlines the minimum standards of professional and ethical behavior expected of all of us. The Code of Conduct and Ethics is supported by a number
A copy of the code is available on our website at: www.lawlink.nsw.gov.au/privacynsw
6. Dissemination of policies and procedures regarding compliance
6.1 A number of specific policies and procedures in this plan have been the subject of circulars provided to all staff, as outlined above. This plan will be circulated to all staff of Privacy NSW once finalised and will also be the subject of staff circulars and meetings.
6.2 Strategies for Compliance with the PPIP Act
Classes of personal information held by Privacy NSW
The main classes of personal information held by Privacy NSW are:
- Records of advice, including written, e-mail and telephone advice;
- Records of complaints, including written correspondence and file notes of telephone conversations;
- Records of investigations conducted under Part 4 of the PPIP Act;
- Records of applications for internal and external review made under Part 5 of the PPIP Act;
- Administrative records containing personal information about staff or contractors, including personnel records.
6.3 Compliance with the Information Protection Principles
- All personal information held by Privacy NSW is subject to the Information Protection Principles (IPPs) under the PPIP Act. Privacy NSW adopts the general strategies identified in the Department’s Privacy Management Plan in relation to the collection, storage, use and disclosure of personal information.
- In addition, Privacy NSW has identified the retention and security of personal information (IPP 5) as requiring specific policies and procedures to ensure compliance by Privacy NSW with the requirements of the PPIP Act.
6.4 Inasmuch as Privacy NSW holds any health information, it will comply with the 15 Health Privacy Principles.
6.5 Security and Access Issues
Privacy NSW has implemented a new file database and records system, PRISM (the Privacy Records and Information System). PRISM provides levels of security and access as “a trusted site”. Access levels have been designed to ensure the system is secure. These access levels reflect the seniority of staff working with PRISM as well as the job functions of the staff working within Privacy NSW.
7. AGD Policy statement - Records
7.1 The Department’s records are its corporate memory, provide evidence of actions and decisions and represent a vital asset to support daily functions and operations. They support policy formation and managerial decision-making, protect the interests of the organisation and of the Government as well as the rights of employees, clients and citizens, and help in the delivery of services in a consistent and equitable way. Records assist the Department to make good use of precedents and of organisational experience. They also support consistency, continuity, efficiency and productivity in program delivery, management and administration.
Those records that are eventually kept as State archives form part of the cultural resources of the State.
7.2 The Department is committed to meeting its responsibilities under the State Records Act 1998 and to implementing applicable and appropriate Policies, Standards and Codes of best practice in its records management processes and systems. All practices and procedures concerning records management within organisational areas of the Department must have regard to this policy and be available for audit.
7.3 All staff are required to observe the following rules associated with the records management system:
- staff are to use the authorised ‘records’ system to document all substantive official business;
- staff are not to maintain individual or separate files or unauthorised record keeping systems;
- no records are to be disposed of unless covered by a disposal schedule authorised by State Records; or under relevant legislation as directed in part 3 of the Act (Appendix 1); or through ‘normal administrative practice’ as defined in the Act. This applies to electronic records as well as ‘hardcopy’ records. Records disposal is addressed in more detail later;
- all formal documents generated within business centres, including outgoing correspondence, should bear a file reference number;
- only authorised staff may create new files or modify or close existing files or record file movements on the authorised organisational records system;
- the location of every record should be accurate and up to date at all times. Staff are responsible for recording location changes when passing a file to another staff member, by notifying the responsible records person;
- no file should be removed from the records administration area without informing a records administration person so that records can be updated;
- staff should minimise the number of files kept on desks/in workstations and the length of time they are kept; and
- files should not leave the premises, apart from exceptional circumstances and then only if authorised by a senior manager. If possible, a photocopy of relevant documents should be taken to meetings offsite. The records administration area should be informed when files are removed from the premises.
8. Security and the workplace area
Privacy NSW is located in the Goodsell Building, whose security arrangements are documented at Security Access to Goodsell Building.
9. Security Checklist: Security starts with you
- Got your identification pass on?
- Secured sensitive documents?
- Locked your desk drawers?
- Secured your computer access?
- Noticed any unusual visitors?
- Overheard any threats?
- Seen someone asking questions about buildings or staff routines?
- Seen any unattended packages?
- Reported lost keys?
- Know where the duress alarm is and how to activate it?
Sheriff's Operation Centre: 9287 7007
APPENDIX A
LEGISLATION AFFECTING PROCESSING OF INFORMATION
Legislation with General Application
Crimes Act 1900: Part 6 creates offences for unauthorised obtaining of access to or interference with data in computers. There are higher penalties for accessing certain categories of sensitive government information, e.g. law enforcement information, or for alteration or destruction of data.
Criminal Records Act 1991: restricts access to and disclosure of spent and quashed convictions. BOCSAR and the DPP are exempted from restrictions on disclosure.
Freedom of Information Act 1988: deals with applications for access to cost centre documents which may contain personal information and applications for amendment of operational records of information relating to the personal affairs of the applicant. The Act creates an alternative means of accessing personal information but the Department may use limitations and conditions affecting access under the FOI Act when responding to applications for access and correction made under the Privacy and Personal Information Protection Act.
Health Records and Information Privacy Act 2002: The Health Records and Information Privacy Act governs both the public and private sector in NSW. It enshrines a set of 15 Health Privacy Principles and sets up a complaints mechanism to ensure agencies abide by them.
Independent Commission Against Corruption Act 1988: defines corrupt conduct in a way which has been found to relate to unauthorised disclosures of information for personal benefit.
Privacy and Personal Information Protection Act 1998: in addition to the requirements covered in this Plan the Act prohibits disclosures of personal information by public sector officers which are not done in accordance with the performance of their official duties. These provisions are primarily directed against corrupt or irregular disclosure of personal information staff may have access to at work and not to inadvertent failure to follow policies and guidelines.
Protected Disclosures Act 1994: the definition of personal information under the Privacy and Personal Information Protection Act excludes information contained in a protected disclosure. This means that a person cannot seek review of the use or disclosure of a protected disclosure or be prosecuted for unauthorised disclosure of protected disclosure information under the Privacy and Personal Information Protection Act. However, the Privacy Management Plan is still able to address strategies for the protection of personal information disclosed under the Protected Disclosures Act.
State Records Act 1998: defines the circumstances under which the Department can dispose of its records and authorises the State Records Authority to establish policies, standards and codes to ensure adequate records management by the Department.