Privacy Management Plan

This section sets out our Privacy Management Plan. Our plan shows what measures the department takes to comply with the NSW Privacy and Personal Information Protection Act 1998 (PPIPA) and the NSW Health Records and Information Privacy Act 2002 (HRIPA) to protect personal and health information.

What are the IPPs and HPPs?

The 12 Information Protection Principles (IPPs) in the PPIPA and the 15 Health Privacy Principles (HPPs) in the HRIPA provide details on how to collect, store, use and disclose your personal information, how to provide you with access to it and/or amend it, and when to destroy the information when it’s no longer needed.

The objectives of the plan are to:

  • detail our commitment to protecting the privacy of our clients, staff and others about whom we hold personal or health information
  • inform our employees about how to manage and protect personal and health information
  • describe how to request access to and/or amendment of personal or health information about yourself, held by us
  • integrate the IPPs and HPPs into existing and future policies, guidelines and procedures that address information issues
  • set complaint handling and internal review procedures
  • inform you on how to request an internal review
  • explain the right for you to apply to the NSW Civil and Administrative Tribunal, in cases where you remain dissatisfied with internal review findings.

How is information collected?

The collection of information is covered by IPPs 1-4 and HPPs 1-4. Personal information is collected directly from you, where possible. We limit what we collect. For example, we’ll only ask for your email address if we need to contact you via email.

When we collect information from you, we’ll explain why it’s being collected, what we will use it for, who is likely to receive it, and that you have a right to access, modify and suppress it.

Staff members (including managing contractors and consultants) are responsible for meeting these requirements by including a collection notice. This could be on forms, surveys or questionnaires, in web-based transactions or other instruments.

Seeking consent/collection notice

We’re obliged to provide a collection notice or a privacy statement when personal information is collected from you. If your information is to be used for a purpose other than the one it was collected for, your consent must be specifically sought. This consent will be in addition to any privacy statement or collection notice.

Two generic templates of a collection notice are provided here for use by staff. The first is for cases where providing the information is voluntary, the second for cases where the information must be provided.

Sample collection notice – voluntary to provide personal information

When you contact the NSW Department of Industry, any personal information (such as your name, email or telephone number) that you provide will be used for the purpose of responding to you.

The supply of the information is voluntary. If you do not provide the information, we may not be able to properly respond to you.

We will not disclose information about you to any person except where required to fulfil the purpose for which you are providing the information, or where permitted by law.

If you want to gain access to, or amendment of your personal information, or want more details about privacy please contact us

Sample collection notice – Mandatory to provide personal information

In completing this form/application/online request, you will be prompted to provide personal information (such as your name, email or telephone number).

You must provide this information, otherwise we are unable to transact with you.

We will not disclose information about you to any person except where required to fulfil the purpose for which you are providing the information, or where permitted by law.

If you want to gain access to, or amendment of your personal information, or want more details about privacy please contact us

How is information securely stored?

IPP 5 and HPP 5 refer to the safe storage (security) of personal information. Each business unit applies appropriate security to protect personal information. We have an ICT policy, use passwords and, where possible, encrypt information to ensure it is protected and kept secure. All staff must also comply with the Code of Ethics and Conduct and are provided with training on privacy.

Personal information is only kept for as long as it is needed.

How do I access and/or amend the personal information you hold about me?

IPPs 6-8 and HPPs 6-8 provide for access and amendment.

If you wish to know whether we hold personal information about you, you can contact us directly to enquire. If you believe that your personal information held by us is inaccurate, irrelevant, not up to date, incomplete and/or misleading, you can request that it be amended.

To make an access or amendment request, you should contact the business area holding the information (if known) or contact us on

What is personal information used for?

Before use, we ensure that personal information is accurate, up-to-date, relevant, complete and not misleading (IPPs 6-8 and HPPs 6-8).

We only use personal information for the purposes for which it was collected. If there is a need to use the information for another purpose, we are required to ask for consent. One exception to this is where the information is used to prevent danger to someone or in other specific situations set out in the PPIPA.

Will personal information be disclosed?

We only disclose (IPPs 11-12 and HPPs 11 and 14) information to other parties if:

  • you agree to the disclosure; or
  • you are aware that this sort of information is usually disclosed; or
  • we need to disclose the information to fulfil the purpose for which it was first collected; or
  • information is supplied by us to prevent danger to someone.

Information relating to ethnic or racial origin, political opinions, religious or philosophical beliefs or trade union membership is never disclosed without consent, except to prevent death or injury.

Personal information is not given to anyone outside NSW unless there are similar privacy laws in that person's state or country or the disclosure is allowed under a privacy code of practice, or under legislation (such as HRIPA and PPIPA).

What about health information?

Any health information we may collect will be handled in line with personal information. There are additional HPPs to comply with as well. HPP 12 provides that an identifier can be assigned to you, if it is reasonably necessary to carry out our functions efficiently.

HPP 13 means that where it is lawful and practicable, you will be given an opportunity to retain your anonymity when transacting with us. We can only link your health information if you agree (HPP 15).

When may the IPPs and HPPs not be complied with?

It is worth noting that both the PPIPA and the HRIPA provide some specific exemptions from the IPPs and the HPPs. Some of these are listed in sections 22-28 of the PPIPA:

  • law enforcement and related matters (section 23)
  • investigative agencies (section 24)
  • where lawfully authorised or required (section 25)
  • when it would benefit the individual concerned (section 26)
  • specific exemptions in relation to ICAC, NSW Police Force, PIC and the NSW Crime Commission (section 27)
  • exchanges between public sector agencies (section 27A)
  • research (section 27B)
  • credit information (section 27C)
  • other exemptions (section 28).

Privacy complaints and internal reviews

If you believe that we may have breached your privacy, or have not complied with a request for access or amendment, you can:

  • raise an informal complaint, or
  • submit an application for internal review of conduct with us.

If you want to resolve an issue informally, please contact the relevant area, if known, to discuss your issue. Informal complaints may be referred for an internal review to be carried out, if it is considered that a serious breach of privacy has occurred, or that it is more appropriate to deal with your complaint on a formal basis.

Under the HRIPA and PPIPA, complaints or applications for internal review to us:

  • should be lodged within six months of becoming aware of the legal implications/significance of the alleged conduct
  • should be in writing
  • must have a return address in Australia.

Under the formal process you can have the decision reviewed by the Administrative and Equal Opportunity Division of the NSW Civil and Administrative Tribunal. By contrast, informal complaints are dealt with by our officers and there are no formal review rights.

An internal review is conducted by a senior officer who was not substantially involved in the matter. This officer is responsible for reviewing the action or decision and deciding if it is correct. The senior officer can seek advice from the Information Requests and Privacy team. There is no cost to lodge a complaint or request an internal review. Reviews must be completed within 60 days.

A complaint can also be lodged with the Information and Privacy Commission.

When should a Privacy Impact Assessment (PIA) be done?

A PIA may be required to assess any actual or potential effects that an activity, project or proposal may have on personal information. A PIA can also outline ways in which any identified risks can be mitigated and any positive impacts enhanced. Public consultation and measuring community expectations are important parts of any thorough PIA.

It may not be possible to eliminate or mitigate every risk, but ultimately a judgement will be made as to whether the public benefit to be derived from the project will outweigh the risk posed to privacy.

To know if a PIA is required, staff should answer the following questions.

Will the project involve:

  1. The collection of personal information, compulsorily or otherwise?
  2. A new use of personal information that is already held?
  3. A new or changed system of regular disclosure of personal information, whether to another agency, another State, the private sector, or to the public at large?
  4. Restricting access by individuals to their own personal information?
  5. New or changed confidentiality provisions relating to personal information?
  6. A new or amended requirement to store, secure or retain particular personal information?
  7. A new requirement to sight, collect or use existing ID, such as an individual’s driver’s licence?
  8. The creation of a new identification system, e.g. using a number, or a biometric?
  9. Linking or matching personal information across or within agencies?
  10. Exchanging or transferring personal information outside NSW?
  11. Handling personal information for research or statistics, de-identified or otherwise?
  12. Powers of entry, search or seize, or other reasons to touch another individual (e.g. taking a blood or saliva sample)?
  13. Surveillance, tracking or monitoring of individuals’ movements, behaviour or communications?
  14. Moving or altering premises which include private spaces?
  15. Any other measures that may affect privacy?

If the answer to one or more of the above questions is “yes”, then advice should be sought from the privacy expert in the agency and a PIA should be seriously considered.

Breach of privacy/data breach notification

If a data breach is identified, whether serious or not, affected individuals will be notified, unless the breach is in relation to information that is not sensitive, poses little to no risk of harm, or if it is decided that notification is not required.

A serious data breach is defined as unauthorised access to, unauthorised disclosure of, or loss of, personal information, and as a result, there is a real risk of serious harm to any of the individuals to whom the information relates.

The NSW Privacy Commissioner should be notified of any privacy/data breach.

Promoting the plan

The following broad strategies are used to ensure ongoing compliance with the privacy legislation:

  • As part of our induction program, new staff are provided with information to raise their awareness and appreciation of the privacy legislation requirements
  • Refresher and on-the-job training is provided to specialist staff
  • The plan is promoted during Privacy Awareness Week/Month
  • Specialist privacy advice is provided internally to staff
  • The plan is published on our website and reviewed/updated every two years
  • Every five years we formally review/audit our compliance with the privacy legislation.


Contact the Department of Industry Information Requests and Privacy Unit on 9934 0660 or email

You can seek privacy advice from the Information and Privacy Commission (IPC):

Phone: 1800 472 679

You can lodge an appeal with the Administrative and Equal Opportunity Division of the New South Wales Civil and Administrative Tribunal (NCAT).

Phone: 1300 006 228