Privacy and Personal Information Protection Act 1998



Introduction to the Act

The Privacy and Personal Information Protection Act 1998 (or PPIP Act) deals with how all NSW public sector agencies manage personal information. The Act includes 12 information protection principles (IPPs), establishes methods for enforcement of privacy, establishes a mechanism for complaints if you think that your personal information has been mishandled, and sets out the role of the NSW Privacy Commissioner.

The public sector agencies that are bound by the PPIP Act are state government departments, statutory or declared authorities, the police service, local councils, and bodies whose accounts are subject to the Auditor General. The information protection principles apply to how personal information is handled. Personal information refers to any information that relates to an identifiable person.

The 12 information protection principles form the backbone of the Act and must be adhered to by all NSW public sector agencies. They can be grouped under five main headings - collection, storage, access and accuracy, use, and disclosure.

The Act also contains lawful exemptions from these principles, as well as the power to investigate and conciliate complaints concerning breaches. Remedies can be enforced against public sector agencies by the Administrative Decisions Tribunal.

The PPIP Act allows the NSW Privacy Commissioner to investigate and conciliate privacy complaints made against any person or organisation. These investigations are not limited to complaints about mishandling of personal information. Privacy NSW deals with many types of privacy issues, including:
  • information privacy
  • privacy of communications
  • physical and bodily privacy
  • privacy of personal behaviour.
Definitions

What is privacy?

Privacy has sometimes been described as:
  • the right to be left alone, or
  • the right to exercise control over one’s personal information, or
  • a set of conditions necessary to protect our individual dignity and autonomy.
We often think about privacy in different ways, for example:
  • physical privacy - such as bag searching, use of our DNA
  • information privacy – the way in which governments or organisations handle our personal information such as our age, address, sexual preference and so on.
  • freedom from excessive surveillance – our right to go about our daily lives without being surveilled or having all our actions caught on camera.

What is personal information?

Personal information is any information or opinion about an identifiable person. This includes records containing your name, address, sex, etc., or physical information like fingerprints, body samples or your DNA.

What is a public sector agency?

The term ‘public sector agency’ includes most State government departments and statutory authorities, and all local and county councils in NSW. State-owned corporations (such as RailCorp and Sydney Water) are not public sector agencies. If you are not sure whether the organisation that you are complaining about is a 'public sector agency', contact Privacy NSW or the organisation itself.
Information protection principles at a glance

The 12 Information Protection Principles (IPPs) are your key to the Privacy and Personal Information Protection Act (and can be found in sections 8 to 19). They are legal obligations which describe what a NSW government agency must do when it collects, stores, uses and discloses your personal information.

However, in some cases, government agencies do not have to follow one or more of the IPPs, for example when information is being used for law enforcement. For more information about exemptions, contact the Privacy Contact Officer in the agency or Privacy NSW.

Collection

1. Lawful – when an agency collects your personal information, the information must be collected for a lawful purpose. It must also be directly related to the agency’s activities and necessary for that purpose.

2. Direct – your information must be collected directly from you, unless you have given your consent otherwise. Parents and guardians can give consent for minors.

3. Open – you must be informed that the information is being collected, why it is being collected and who will be storing and using it. The agency should also tell you how you can see and correct this information.

4. Relevant – the agency must ensure that the information is relevant, accurate, up-to-date and not excessive. The collection should not unreasonably intrude into your personal affairs.


Storage

5. Secure – your information must be stored securely, not kept any longer than necessary, and disposed of appropriately. It should be protected from unauthorised access, use or disclosure.


Access

6. Transparent – the agency must provide you with enough details about what personal information they are storing, why they are storing it and what rights you have to access it.

7. Accessible – the agency must allow you to access your personal information without unreasonable delay and expense.

8. Correct – the agency must allow you to update, correct or amend your personal information where necessary.


Use

9. Accurate – agencies must make sure that your information is accurate before using it.

10. Limited – agencies can only use your information for the purpose for which it was collected, for a directly related purpose, or for a purpose to which you have given your consent. It can also be used without your consent in order to deal with a serious and imminent threat to any person’s health or safety.


Disclosure

11. Restricted – the agency can only disclose your information with your consent or if you were told at the time they collected it from you that they would do so. The agency can also disclose your information if it is for a related purpose and they don’t think that you would object. Your information can also be used without your consent in order to deal with a serious and imminent threat to any person’s health or safety.

12. Safeguarded – the agency cannot disclose your sensitive personal information without your consent, for example information about your ethnic or racial origin, political opinions, religious or philosophical beliefs, health or sexual activities or trade union membership. It can only disclose sensitive information without your consent in order to deal with a serious and imminent threat to any person’s health or safety.


Enforcement (complaints and internal reviews)

If a person feels that their privacy has been breached (for example, a misuse of personal information), they will have one of two choices: request an internal review or complain to Privacy NSW.

If the complaint is: they should request an internal review.

In some special circumstances, they could choose instead to make a complaint to Privacy NSW. See the definition of special circumstances.

If the complaint is:
  • about physical privacy, or
  • against an organisation that is not a NSW or Australian Government public sector agency
the person can make a complaint to Privacy NSW.



History of the Act

The Privacy and Personal Information Protection Bill 1998 was introduced in the Legislative Council by the Attorney General, the Honourable J W Shaw on 17 September 1998.

Significant alterations were made to the Bill in Committee of the Legislative Council on 28 October. The Legislative Assembly made two further amendments to the Bill on 18 November. These were accepted by the Legislative Council on 25 November. You can link from this page to the Parliamentary Hansard Site to view the Parliamentary Debates. Search by Bill Name for relevant dates.

The Bill was assented to on 30 November 1998. The Act was commenced in stages to enable public sector agencies to meet their compliance requirements.

On 1 July 2000 the final sections of the Act were commenced. These are:
  • The information protection principles in Part 2 of the Act,
  • The rights to internal and external review under Part 5 of the Act,
  • The public register provisions in Part 6 of the Act.




  Last updated 27 July 2007   Crown Copyright ©  