About the privacy laws and NESA

Personal information is defined in Section 4 of the PPIP Act and is essentially any information or opinion about a person whose identity is apparent or can be reasonably ascertained from the information or opinion. Personal information can include a person’s name, address, family life, sexual preference, financial information, fingerprints and photos.

There are some kinds of information that are not personal information, for example information about:

• someone who has been dead for more than 30 years
• someone that is contained in a publicly available publication
• information or an opinion about a person’s suitability for employment as a public sector official.

Health information is generally excluded here as it is covered by the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act).

Information Protection Principles

Part 2, Division 1 of the PPIP Act contains 12 Information Protection Principles (IPPs) with which NESA must comply. Here is an overview as they apply to us.

Principle 1 – Lawful

Only collect personal information for a lawful purpose, which is directly related to NESA’s activities and necessary for that purpose.

Principle 2 – Direct

Only collect personal information directly from the person concerned, unless it is unreasonable or impracticable to do so.

Principle 3 – Open

Inform the person that you are collecting their personal information, why you are collecting it, what you will do with it and who else might see it. Tell the person how they can view and correct their personal information and any consequences that may apply if they decide not to provide their information to you.

Principle 4 – Relevant

Ensure that the personal information is relevant to the purpose for which it is collected and not excessive, that it is accurate and up-to-date and that the collection does not unreasonably intrude into the personal affairs of the person.

Principle 5 – Secure

Store personal information securely, in accordance with this privacy management plan and NESA information security policies. Keep it no longer than necessary and dispose of it appropriately. It should also be protected from unauthorised access, use or disclosure.

Principle 6 – Transparent

Explain to the person what personal information about them is being stored, why it is being used and any rights they have to access it.

Principle 7 – Accessible

Allow the person to access their health information without unreasonable delay or expense. See the application form to request access to personal or health information (PDF 99KB).

Principle 8 – Correct

Allow the person to update, correct or amend their health information where necessary. See the application form to request alteration of personal or health information (PDF 97.51KB).

Principle 9 – Accurate

Make sure that the personal information is relevant and accurate before using it.

Principle 10 – Limited

Only use personal information for a purpose other than that for which it was collected if the person has given their consent, the purpose is directly related to the purpose for which it was collected or if it is necessary to prevent or lessen a serious and imminent threat to any person’s life or health. Other specific situations where personal information may be used are outlined under Exemptions.

Principle 11 – Restricted

Only disclose personal information if disclosure is directly related to the purpose of collection, or the person is reasonably likely to be aware the information is usually disclosed or with the person’s consent. Personal information can be disclosed without a person’s consent if it is necessary to prevent or lessen a serious and imminent threat to any person’s life or health. Other specific situations where personal information may be used are outlined under Exemptions.

Principle 12 – Safeguarded

Only disclose sensitive personal information, for example information about a person’s ethnic or racial origin, political opinions, religious or philosophical beliefs, sexual activities or trade union membership if it is necessary to prevent a serious and imminent threat to any person’s life or health.

Only disclose personal information outside NSW if there are similar privacy laws in that jurisdiction, or the disclosure is allowed under legislation, such as the PPIP Act, HRIP Act or the education and teaching legislation (Education Standards Authority Act 2013; Education Act 1990; Teacher Accreditation Act 2004 and respective regulations). NESA may also disclose information outside NSW if the disclosure will benefit the person, it is impracticable to obtain the person’s consent, and if NESA could obtain their consent, it is likely they would give it. For further details refer to Transborder Disclosures.

Exemptions to the IPPs

Some of the exemptions in the PPIP Act are listed in Sections 22-28 and include:

• law enforcement and related matters (Section 23)
• investigative agencies (Section 24)
• where lawfully authorised or required (Section 25)
• when it would benefit the individual (Section 26)
• specific exemptions in relation to ICAC, NSW Police, Law Enforcement Conduct Commission (Section 27)
• exchanges between public sector agencies (Section 27A)
• research (Section 27B)
• other exemptions (Section 28).

Law enforcement and related matters

Section 23 of the PPIP Act provides exemptions relating to law enforcement and related matters. The term ‘law enforcement purposes’ refers only to criminal law enforcement, not breaches of professional standards or misconduct.

Investigative agencies

The exemption in Section 24 of the PPIP Act refers to investigative agencies, as defined in Section 3 of the Act, including the Ombudsman’s Office, ICAC and the HCCC, who are not required to comply with some of the IPPs if it would detrimentally affect those agencies’ complaint handling or investigative functions. The definition includes any NSW public sector agency with investigation functions, if those functions are exercisable under the authority of an Act or statutory rule and it may result in the agency taking or instituting disciplinary, criminal or other formal action or proceedings against a person or body under investigation.

Lawfully authorised

The term ‘lawfully authorised’ in Section 25 of the PPIP Act has been found by various tribunal matters to include a number of issues, such as:

• disclosure within the terms of a subpoena
• a statutory requirement to notify a person against whom a complaint has been made
• disclosures to the Medical Board, or other such registration bodies.

Although requirements under certain legislation enables the disclosure of personal information, staff must take care to only disclose the minimum amount of information required.

Benefit the individual

Where non-disclosure would prejudice the interests of the individual to whom the information relates or there has been express consent for another use or disclosure, Section 26 provides an exemption. Consent is only genuine if the person has the capacity to give or withhold consent. For consent to be valid it must be voluntary, informed, specific and current. Notifying the person of what NESA intends to do with their personal information is not express consent.

Exchanges of information between agencies

Section 27A of the PPIP Act provides an exemption relating to information exchanges between public sector agencies. Information can be provided to or by another public sector agency, if it is reasonably necessary:

• to allow the agencies concerned to deal with, or respond to, correspondence from a Minster or Member of Parliament, or
• to enable inquiries to be referred between the agencies concerned, or
• to enable the auditing of the accounts or performance of a public service agency or group of agencies (or a program administered by an agency or group of agencies).

This may arise in circumstances in which an application for a service has been submitted to one agency and action by another agency is needed to provide a response. Staff should if possible seek consent from the person involved, and/or ask for advice from the relevant agency’s Privacy Officer.

Research

The Privacy Commissioner has released statutory guidelines on research in relation to health information under HPP 11(1)(f) of the HRIP Act and in relation to personal information under Section 27B of the PPIP Act. If a research proposal will involve both health and non-health personal information, then both guidelines must be followed.

Both sets of guidelines require that in order to use or disclose information for research, the research must be in the public interest and that a properly constituted Human Research Ethics Committee (HREC) has determined that the public interest in the proposed research 'substantially outweighs' the public interest in privacy.

Five criteria must be met to collect, use or disclose personal information relying on the Section 27B exemption for personal information:

• the collection, use or disclosure of the information is reasonably necessary for the purpose of research, or the compilation or analysis of statistics, in the public interest
• in the case of collection of personal information, it is unreasonable or impracticable for the information to be collected directly from the individual to whom the information relates
• in the case of the use or disclosure of the information, you have taken reasonable steps to de-identify the information, or the purpose of the research cannot be served by using or disclosing de-identified information and it is impracticable to seek the consent of the person to the use or disclosure
• if the information could reasonably be expected to identify individuals, the information is not published in a publicly available publication
• the collection, use or disclosure of the information is in accordance with the Statutory Guidelines on Research, including that the research has been approved by a HREC, or a professional market or social research agency.

Other exemptions

• The other exemptions under Section 28 of the PPIP Act relate to certain agencies named in Section 28(1), Multicultural NSW in Section 28(2) and an exemption for any public sector agency if the disclosure is to inform the Minister or the Premier about any matter within their administration (Section 28(3) of the PPIP Act). These exemptions should only be relied on after seeking advice from the Access and Privacy Officer.

The HRIP Act and health information

The HRIP Act sets out how NESA must manage health information.

Health information is a more specific type of personal information and is defined in s6 of the HRIP Act. Health information can include information about a person’s physical or mental health such as a psychological report, blood tests or an X-ray, or information about a person’s medical appointment. It can also include personal information that is collected to provide a health service, such as a name and contact number on a medical record.

Health Privacy Principles

Schedule 1 to the HRIP Act contains 15 Health Privacy Principles (HPPs) that NESA must comply with. Here is an overview of them as they apply to us:

Principle 1 – Lawful

Only collect a person’s health information for a lawful purpose, which is directly related to NESA’s activities and necessary for that purpose.

Principle 2 – Relevant

Ensure that the health information collected is relevant, accurate, up-to-date and not excessive and that the collection does not unreasonably intrude into the personal affairs of the individual.

Principle 3 – Direct

Only collect health information directly from the person concerned, unless it is unreasonable or impracticable to do so.

Principle 4 – Open

Inform the person why you are collecting their health information, what will be done with it and who else might access it. Tell the person how they can access and correct their health information and any consequences that may apply if they decide not to provide it.

Principle 5 – Secure

Store health information securely. Keep it no longer than necessary and dispose of it appropriately. It should also be protected from unauthorised access, use or disclosure.

Principle 6 – Transparent

Explain to the person what health information about them is being stored, why it is being stored and any rights they have to access it.

Principle 7 – Accessible

Allow the person to access their health information without unreasonable delay or expense. See the application form to request access to personal or health information (PDF 99KB).

Principle 8 – Correct

Allow the person to update, correct or amend their health information where necessary. See the application form to request alteration of personal or health information (PDF 97.51KB).

Principle 9 – Accurate

Make sure that the health information is relevant and accurate before using it.

Principle 10 – Limited

Only use health information for the purpose for which it was collected, or for a directly related purpose that the person would expect. Otherwise you would generally need their consent to use the health information for a secondary purpose.

Principle 11 – Restricted

Only disclose health information for the purpose for which it was collected or a directly related purpose that a person would expect (unless one of the exemptions in HPP 11 applies). Otherwise you would generally need separate consent.

Principle 12 – Not identified

Only identify people by using unique identifiers if it is reasonably necessary to carry out your functions efficiently.

Principle 13 – Anonymous

Give the person the option to receive services from you anonymously, where this is lawful and practicable.

Principle 14 – Controlled

Only transfer health information outside NSW or to the Commonwealth in accordance with HPP 14, where

• it is a legal requirement and upholds the HPPs, or
• the person consents to the transfer, or
• the transfer is necessary to do something the person has requested, or
• the transfer is reasonably necessary to lessen or prevent a serious and imminent threat to the life, health or safety of a person, or
• NESA have taken reasonable steps to ensure the HPPs will be complied with, or
• the transfer is permitted or required by legislation, or
• all of the following apply:
  • the transfer is for the person’s benefit, and
  • it is impracticable to obtain the person’s consent, and
  • if it were practicable to obtain their consent, they would be likely to give it.

  Principle 15 – Authorised

  Only use health records linkage systems (to link health records across more than one agency or organisation) if the person has provided or expressed their consent. There are instances when NESA are lawfully authorised not to comply with HPP15, or where non-compliance is otherwise permitted under an Act or other law, or the use complies with HPP 10(1)(f) and the disclosure complies with HPP 11(1)(f), (reasonably necessary for research purposes).

  Exemptions to the HPPs

  Exemptions are located mainly in Schedule 1 to the HRIP Act and may allow NESA not to comply with the HPPs in certain situations.

  Some of these include:

  • where lawfully authorised or required
  • where non-compliance is otherwise permitted under an Act or any other law
  • there is a serious threat to health or welfare
  • the use for a secondary purpose, such as management of health services, training and/or research will only be done where it is not possible to carry out that purpose using de-identified information and it is not reasonably practicable to seek the person’s consent.
  • finding a missing person
  • suspected unlawful activity or conduct grounds for disciplinary action.

  A person may give us consent to not comply with any or some of the HPPs in particular circumstances.

  Offences

  It is a criminal offence, punishable by up to two years’ imprisonment for NESA staff to:

  • intentionally disclose or use personal or health information about another person to which the staff member has access in doing their job, for any purpose other than that which is authorised
  • offer to supply personal or health information that has been disclosed unlawfully
  • hinder the Privacy Commissioner or a member of her staff from doing their job.

  Part 8 of the PPIP Act and part 8 of the HRIP Act provide further details about offences regarding personal and health information.

  Section 308H of the Crimes Act 1900 provides that it is an offence to access or modify computer records for purposes that are not connected with the duties of the person.

  Other laws that influence compliance with the IPPs and HPPs

  Following are the main laws that affect how NESA complies with the IPPs and HPPs.

  • Education Standards Authority Act 2013 and regulations
  • Education Act 1990 and regulations
  • Teacher Accreditation Act 2004 and regulations
  • Government Information (Public Access) Act 2009
  • Data Sharing (Government Sector) Act 2015
  • Crimes Act 1900
  • ICAC Act 1988
  • Public Interest Disclosures Act 1994
  • State Records Act 1998 and regulations.

  The following policies and procedures support compliance with the Act:

  • Privacy Code of Practice for the NSW Public Sector Workforce Profile, Department of Premier and Cabinet.
  • State Archives and Records NSW - Standard on Records Management and Standard on the Physical Storage of State Records
  • NESA's Code of Ethics and Conduct which identifies mandatory requirements and best practice conduct for NESA employees, consistent with Part 2 of the Government Sector Employment Act 2013 (the Ethical framework for the government sector).
  • NESA Acceptable Use Policy which aims to ensure the appropriate use of NESA electronic systems and communication devices, including internet, email, record keeping and security
  • NESA Information Security Policy Statement which outlines measures to protect NESA from adverse impacts that could result from failures of confidentiality, integrity and availability.
  • NESA Physical and Environment Security Policy which aims to prevent unauthorised access to, damage to, interference with, and loss of, assets and information of NESA.

  Data breach policy to ensure compliance with obligations under Part 6A of the PPIP Act

  In addition to this privacy management plan, NESA has a data breach policy that sets out NESA’s approach to managing a data breach. The policy outlines procedures used by NESA to ensure compliance with the requirements of the Mandatory Notification of Data Breach (MNDB) Scheme under Part 6A of the PPIP Act, including those related to assessment and notification.

  The data breach policy provides guidance for NESA staff when responding to a breach of NESA-held data and contains five key steps:

  1. Initial report of data breach and triage
  2. Contain the breach
  3. Assess and mitigate
  4. Notify
  5. Review.

  All NESA staff members should notify their manager immediately and refer to the data breach policy if they suspect a data breach may have occurred.

  Exchange of information

  Under Section 16 of the Education Standards Authority Act 2013, NESA can enter into an information sharing arrangement with a relevant agency to share or exchange any information that is held by the Authority or the agency. Information is limited to that which assists in the exercise of the functions of NESA or the Minister under the education and teaching legislation or of the agency concerned, data relating to the teaching workforce, or research on issues relating to teacher quality. Relevant agencies include:

  • the Department of Education or any other Public Service agency
  • a teacher accreditation authority under the Teacher Accreditation Act 2004
  • a university or other tertiary institution
  • a government agency of the Commonwealth or of another State or Territory with functions similar or related to those of NESA and
  • the following bodies, prescribed by clause 5 of the Education Standards Authority Regulation 2013:
    • any person or body responsible for registering or accrediting teachers under the law of a jurisdiction outside Australia
    • the Australasian Teacher Regulatory Authorities
    • the Australian Institute for Teaching and School Leadership Limited
    • the Office of the Children’s Guardian
    • the Catholic Education Commission NSW
    • the Association of Independent Schools of NSW
    • Education Services Australia Limited.

    Data Analytics Centre and sharing information

    The Data Sharing (Government Sector) Act 2015 (DS Act) enables sharing of government sector data with the Data Analytics Centre (DAC) and between other government sector agencies, for certain purposes. These include allowing the government to carry out data analytics to identify issues and solutions to better develop policy, program management, and service planning and delivery. The DS Act includes privacy protection as a safeguard in sharing data between agencies and with the DAC, both when information is shared voluntarily or at the direction of the Minister.

    NESA is required to ensure that health and/or personal information contained in the data that is shared complies with privacy legislation. NESA are also obliged to ensure that any confidential and commercial-in confidence information contained in the data to be shared complies with any contractual or equitable obligations of the data provider concerning how it is dealt with.

    Before responding to a request from DAC to provide information, staff should consult internally with the Access and Privacy Officer to obtain relevant advice. NESA may also ask the NSW Privacy Commissioner to guide us on the best way to comply with the request for information whilst upholding the IPPs and HPPs.

    Requests for information from other agencies

    NESA may receive a request for personal or health information from another agency, such as NSW Police, the Ombudsman’s Office, ICAC or others. When such a request is made NESA ask for it in writing, either on letter-head or via email with sufficient details to identify the agency and requestor and for the request to nominate a contact person. Before releasing information to the other agency, NESA check the legislation relied upon to authorise the provision of information and usually contact the nominated officer by phone. If there is any doubt about the legitimacy of the request, staff should check with the Access and Privacy Officer, or contact the agency that made the request.

    Transborder disclosure of personal information

    Section 19(2) of the PPIP Act provides additional requirements to disclosure of information outside of New South Wales and the NSW Privacy Commissioner has provided Guidance on this Section (Office of the Privacy Commissioner NSW, “Guidance: Transborder Disclosure Principle – the new Section 19(2), 30 June 2016). Where information needs to be disclosed outside the NSW jurisdiction or to a Commonwealth agency, additional criteria must be met, including that the recipient is subject to a privacy law that upholds principles for dealing with information in similar terms to the information protection principles.

    Before any personal information is disclosed outside of NSW, staff should make enquiries with the recipient to ensure they have similar privacy laws. NESA may also draw up an agreement that meets the requirements of Section 19(2) of the PPIP Act or obtain legal advice.

    Privacy Impact Assessment

    A Privacy Impact Assessment (PIA) is a way of assessing the impacts on privacy of a project (including activities, products, policies, proposals or other initiatives) and, in consultation with stakeholders, of taking remedial actions to avoid or minimize negative impacts.

    It may not be possible to eliminate or mitigate every identified risk, but ultimately a judgement will be made about whether the risk posed to privacy will be outweighed by the public benefit derived from a project.

    Privacy risks can be avoided or mitigated by:

    • ensuring a project complies with the law,
    • ensuring a project meets community expectations,
    • making a project less privacy-invasive, such as by using de-identified data, and
    • making a project more privacy-enhancing.

    The greater the project’s complexity and privacy scope, the more likely it is that a PIA is required to identify and manage its privacy impacts. To know if a PIA is required, staff should talk to the Access and Privacy Officer for guidance about conducting a threshold assessment, which will determine if a PIA is necessary and can guide decisions about the scale and scope of a PIA if it is required. See Guide to Privacy Impact Assessments in NSW for more information.

    Privacy notices and seeking consent

    NESA is obliged to provide a notification or privacy statement when personal or health information is collected from individuals, which explains what information NESA are collecting and for what purpose. The PPIP Act mandates certain minimum requirements for privacy notices and staff are encouraged to contact the Privacy Officer.

    If an individual’s personal or health information is to be used or disclosed for a purpose not directly related to the primary purpose of collection, or a purpose not authorised by law or permitted under an exemption, their consent should be specifically sought.

    For further details refer to the Information and Privacy Commissioner’s Guidance on Consent.

    Contact us

    Privacy Officer
    Email: privacy@nesa.nsw.edu.au
    Post: GPO Box 5300, Sydney NSW 2001
    Phone: +61 2 9367 8111
    Address: Level 4, 117 Clarence Street, Sydney NSW 2000