Internal Reviews
What is an internal review?
An internal review deals with complaints that are:
An internal review is an internal investigation that the agency conducts into a complaint. The agency will assess whether or not it has complied with its privacy obligations, and then tell the applicant of its findings and what it will do as a result.
What are an agency’s privacy obligations?
There are 12 information protection principles (IPPs) which govern the collection, storage, access, use and disclosure of personal information. There are also special rules for personal information held in public registers.
From July 2004, there will also be 15 health privacy principles (HPPs), just to cover health information.
All public sector agencies must adhere to the IPPs (or the public register provisions) and HPPs unless they have a lawful exemption.
Which set of privacy principles applies - the IPPs or the HPPs?
If the conduct at issue happened between 1 July 2000 and 1 September 2004, the complaint must be assessed against the IPPs (or the public register provisions).
If the conduct happened on or after 1 September 2004, the complaint will be:
If a person just wants to access their own personal information or health information, do they need to request an internal review?
Not immediately. If the person is asking to see, amend or correct their own personal information or health information held by a NSW public sector agency, they can just ask directly.
However, if the person applies under the PPIP Act for their personal information, or under the HRIP Act for their health information, and the request is refused, then they can apply for an internal review of the decision to refuse access.
How does an internal review work?
An internal review must be done by someone different to the person responsible for the conduct or decision complained about, and it will be overseen by Privacy NSW. The person who conducts the internal review must be a suitably qualified employee of the agency.
Privacy NSW has developed a checklist for agencies to use when they are dealing with an internal review. It is not compulsory for agencies to follow the checklist, but we do recommend it.
You can see a copy of the checklist [Word] [PDF].
What agencies must do by law is:
- notify Privacy NSW that they have received the application for internal review
- keep Privacy NSW informed of the progress of the internal review
- consider any relevant material submitted by the applicant or by Privacy NSW
- complete the review as soon as possible
- once the review is finished, notify the applicant and Privacy NSW of the findings of the review (and the reasons for those findings), and the action proposed to be taken
- notify the applicant of their right to have those findings, and the agency’s proposed action, reviewed by the Administrative Decisions Tribunal
Once the review is finished, the agency may take no further action, or it may do one or more of the following:
- make a formal apology
- take remedial action (eg the payment of monetary compensation)
- provide undertakings that the conduct will not occur again
- implement administrative measures to ensure that the conduct will not occur again
What happens if the applicant is still not satisfied after the internal review?
If the internal review is not completed within 60 days, or if the applicant is unhappy with the results of the internal review, they can ask the Administrative Decisions Tribunal (the Tribunal) to review the conduct or decision complained about. The Tribunal will assess whether or not the agency complied with its privacy obligations.
The Tribunal may order the agency to change its practices, apologise, or take some steps to remedy any damage suffered.
(More information on privacy cases in the Tribunal).
Are there any limits on whether someone can lodge a request for an internal review?
Internal review is only available if:
- the complaint is against a NSW public sector agency, and
- the complaint is about an agency's handling of personal information or health information, and
- the applicant has been aggrieved by the agency’s conduct.
A critical issue is when the conduct occurred. If the conduct complained about happened before 1 July 2000, the person cannot seek an internal review. If the conduct complained about happened on or after 1 July 2000, the person can seek an internal review, subject to other time limits (see more about time limits below).
What does ‘conduct’ mean?
'Conduct' can include an action, a decision, or even inaction by an agency. For example the conduct complained about could be:
- a decision to refuse a person access to their personal information, or
- the action of disclosing a person's personal information to another person, or
- the inaction of a failure to protect a person's personal information from being inappropriately accessed by someone else.
Are there any time limits for requesting an internal review?
Yes. In general, a person must lodge their request for internal review within 6 months of them first becoming aware of the conduct complained about.
If they wait more than 6 months, the agency can decline the request, and they cannot appeal the agency's decision.
Sometimes an agency will allow a person extra time because of special circumstances, but they don’t have to.
How can a person lodge a request for an internal review?
To lodge a request for an internal review the applicant must send their application to the agency in writing, and they must specify an address in Australia for writing back to them.
We recommend that applicants use an internal review application form. You can print the internal review application form below.
Note it is not an online application form. Once you have completed the internal review application form, it should be sent to the public sector agency (not to Privacy NSW).
To find the mailing address for the relevant agency try the following sites: