Minimum you need to do
Comply with privacy legislation and principles when dealing with personal or health information
What is personal or health information?
NSW privacy regulation focuses on the handling of personal and health information. Know how each type of information is described in the legislation to determine the kind of information you have:
The legal definition of personal information includes information or opinion about an individual whose identity ‘can reasonably be ascertained’, even if it is not apparent. Use this fact sheet on reasonably ascertainable identity to work out if an individual’s identity can be reasonably ascertained.
Understand the legislation
NSW Government agencies must:
- manage all personal information in accordance with the Privacy and Personal Information Protection Act 1998 and the Information Protection Principles
- comply with the Health Records and Information Privacy Act 2002 and the Health Privacy Principles governing health information.
Only collect the data you need. Under the legislation, both personal and health information are subject to strict storage and access requirements. Speak to your agency’s privacy contact officer to find out more.
Familiarise yourself with your agency’s privacy management plan. It describes how your agency will comply with the privacy legislation. Every NSW Government agency must have one.
Information and Privacy Commission of NSW resources
How to comply
Here are some ways that you can comply with the main obligations in the legislation.
Inform users when collecting information
You must inform users:
- when you’re collecting personal or health information
- why you’re collecting it
- what the information will be used for
- how they can view or amend this information
- who the intended recipients of the information are
- whether the supply of information is required by law or is voluntary, and any consequences to the user if the information (or any part of it) is not provided
- the name and address of the agency that is collecting the information and of the agency that is to hold the information.
You must make them aware before, or soon after, you collect that information. You can provide this notice in the way best suited to your audience. You could do this by linking to a privacy collection notice that describes what you intend to do with their information.
If you’re recording video or audio, it’s good practice to inform the user of this in the collection notice.
Privacy collection notice
- Consent and Bundled Consent - sets out what a privacy collection notice should contain.
- A privacy collection statement template - see appendix B of the Internet of Things (IoT) Policy Guidance
When to ask for consent
You need to get specific consent from users when you collect their personal or health information. This is so they can provide full informed consent to the use of the information.
Avoid bundling multiple requests for an individual's consent to a range of collections, uses or disclosures. Instead, give the user the option to choose which collections, uses or disclosures they agree to. See Consent and Bundled Consent.
Also get consent if you want to use the personal or health information for a purpose other than that for which it was collected. This includes sharing the information with other agencies, or across jurisdictions. Read the Transborder Disclosure Principle for guidance on the rules, exemptions and outsourcing to cloud relating to personal information.
Capacity to give consent
For consent to be valid, the user must have the capacity to give or withhold consent. A user has capacity if they can understand the general nature and effect of a proposed use or disclosure of their personal or health information, and can communicate their consent.
Issues that could affect an individual's capacity to consent include:
- physical or mental disability
- limited understanding of English.
You may be able to address such issues by providing the individual with support so they have capacity to consent. For example, it may be appropriate for a parent or guardian to consent on behalf of a young person.
Use the consent checklist to assess whether consent is required for the use and disclosure of personal information.
Keep information secure
Agencies should keep personal and health information protected against loss, unauthorised access, use, modification or disclosure and against all other misuse. To do this, take reasonable security safeguards. For example, you can:
- restrict access to personal and health information in your agency to those with a strict need to know
- provide authorised staff with separate logins and ensure staff receive appropriate training on privacy and data protection requirements
- consider the kind of physical storage if required, to protect personal or health information from loss or misuse
- separate your data sources so they’re not connected. Connecting data sources may identify additional data or create new information
- implement regular audits to verify that only authorised users are accessing information, for authorised purposes.
- Data breach resources - guidance on responding to data breaches and notifying the Information and Privacy Commission of a data breach.
- NSW Government cloud policy and guidance – how to move services to cloud including preparation, contracting and management.
Dispose of personal or health information
Dispose of personal information securely as soon as you have completed the objective it was collected for. For personal information or health information that you no longer need, you must delete or dispose of it at a set frequency.
Before you dispose of personal or health information, talk to your records expert to clarify the minimum retention periods for your situation. This will ensure you comply with the State Records Act 1998, and any other regulations that may apply.
How to show you’ve met the privacy compliance requirement
You will have:
- recorded whether you are collecting personal or health information
- reviewed and complied with the Information Protection Principles, the Health Privacy Principles, your agency’s Privacy Management Plan, its policy on disposing of personal and health information, and its information handling policies
- given notice to individuals that you are collecting personal or health information, why you are collecting it, what the information will be used for, and how they can view or amend their information
- obtained consent, if required, to use or disclose personal or health information for a purpose other than the one for which it was collected
- controlled who has access to personal or health information by providing personal logins, and recorded who has access.