Privacy by design
Design services that protect people’s personal and health information.
Privacy is a legal requirement. It is also part of good service design. It helps build trust, reduce risk and support people to use services with confidence.
Privacy is everyone’s responsibility. Your agency’s privacy officer can give advice, but project teams should consider privacy in design, content, data, technology, procurement and operations.
Understand your obligations
NSW Government agencies must protect personal and health information under:
- Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act)
- Health Records and Information Privacy Act 2002 (NSW) (HRIP Act)
Personal information is information or an opinion that identifies a person, or could reasonably identify them. This can include a name, contact details, a photograph, an ID number, or information that can be linked with other information.
Health information includes information about a person’s health, disability or health services.
These laws cover how agencies collect, use, store, disclose and dispose of information. Collection must be lawful, necessary and directly related to the agency’s functions or activities.
Get privacy advice early
Work with your agency’s privacy contact officer for advice on your privacy obligations. They can help you understand your agency’s privacy management plan and when to contact the Information and Privacy Commission (IPC).
Use these steps to build privacy into your service from planning through to delivery, operation and disposal.
Embed privacy from the outset
Consider privacy early in planning. Work with privacy, legal, records, cyber security and procurement teams to identify risks, obligations and controls. Before you collect information, ask:
- What information do you need?
- Why do you need it?
- Are you allowed to collect it?
- How will you use, share, store and dispose of it?
- Who will have access to it?
- Will a supplier or another agency handle it?
- How might users feel about providing it?
Only collect what you need to deliver the service or meet a legal requirement.
Use privacy-friendly defaults where you can. For example, leave optional data collection switched off by default so users opt in, rather than pre-selecting it so users have to opt out.
Map how information moves through the service. This helps you find risks early and avoid costly changes later.
Use a privacy impact assessment
A privacy impact assessment (PIA) helps you find and manage privacy risks.
Consider a PIA when you are:
- creating a new service, system or process
- collecting new types of information
- changing how information is used or shared
- sharing information with another agency, supplier or partner
- using new technology that may affect privacy
- using information in a way users may not expect.
Treat the PIA as a living document. Update it when the service changes, when risks change, or when you make major design or technology decisions.
Be transparent with users
Make privacy information easy to find and understand.
Explain to users:
- what information you collect
- why you collect it
- how you will use it
- who you may share it with
- how it will be stored and protected
- how long it will be kept
- how they can access or correct their information
- how they can make a privacy complaint
Provide this information before, or at the time, you collect information.
Use plain language. Put the notice where users need it, not only in a general privacy policy.
Get valid consent where required
Where consent is required, make sure it is clear, informed, voluntary and specific.
Avoid bundling several consent requests together. Give users a real choice about what they agree to.
Do not rely on consent if the user has no real choice, or if another legal authority is more appropriate.
Work with your privacy or legal team to decide the right approach.
If you want to use information for a new purpose, check whether you need new consent or another legal authority.
Protect and manage information securely
Protect information for the whole life of the service. This includes:
- limiting access to people who need it
- using secure systems and storage
- applying cyber security controls
- checking suppliers have suitable privacy and security controls
- training staff in privacy and safe data handling
- reviewing controls regularly.
Work with your cyber security team to align with the NSW Cyber Security Policy and your agency’s security requirements.
Plan how you will respond to a privacy breach. NSW public sector agencies may need to notify the Privacy Commissioner and affected people under the Mandatory Notification of Data Breach Scheme.
De-identify data where possible
De-identification can reduce privacy risk while still allowing data to be used, analysed or shared.
Where appropriate:
- remove direct identifiers, such as names and contact details
- use grouped or aggregated data instead of identifiable records
- check whether a person could be re-identified
- consider whether linking datasets could identify someone.
De-identification is not a one-off task. Re-identification risk can change over time, especially when data is linked with other information.
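The steps above (remove direct identifiers, generalise or aggregate, then check whether anyone could still be singled out) are easier to reason about with a concrete check. The following is an added example, not code from the page or from any NSW Government system. It uses constructed sample records, generalises the quasi-identifiers (postcode and age) and measures k-anonymity, the size of the smallest group of records that share the same quasi-identifier values; a k of 1 means at least one record is unique and may be re-identifiable, which is the situation the last paragraph warns about. The field names, banding widths and the k threshold are assumptions chosen for illustration.

```python
"""Added example: de-identify records and check re-identification risk.

Not from the original page. Uses constructed sample data and a simple
k-anonymity check over quasi-identifiers (postcode, age band).
"""
from collections import Counter

# Constructed sample records. These are not real people.
RECORDS = [
    {"name": "Person One",   "email": "one@example.invalid",   "postcode": "2000", "age": 34, "condition": "asthma"},
    {"name": "Person Two",   "email": "two@example.invalid",   "postcode": "2001", "age": 37, "condition": "diabetes"},
    {"name": "Person Three", "email": "three@example.invalid", "postcode": "2007", "age": 31, "condition": "asthma"},
    {"name": "Person Four",  "email": "four@example.invalid",  "postcode": "2150", "age": 52, "condition": "asthma"},
    {"name": "Person Five",  "email": "five@example.invalid",  "postcode": "2153", "age": 58, "condition": "hypertension"},
    {"name": "Person Six",   "email": "six@example.invalid",   "postcode": "2160", "age": 63, "condition": "diabetes"},
]

# Fields that identify a person on their own: always removed (assumed set).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "medicare_number"}
# Fields that do not identify on their own but can in combination (assumed set).
QUASI_IDENTIFIERS = ("postcode", "age_band")


def age_band(age: int) -> str:
    """Generalise an exact age into a ten-year band, e.g. 34 -> '30-39'."""
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"


def generalise_postcode(postcode: str, keep: int = 2) -> str:
    """Keep only the leading digits of a postcode, e.g. '2000' -> '20xx'."""
    return postcode[:keep] + "x" * (len(postcode) - keep)


def de_identify(records):
    """Drop direct identifiers and generalise quasi-identifiers.

    Returns new dicts; the input records are not modified."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["age_band"] = age_band(row.pop("age"))
        row["postcode"] = generalise_postcode(row["postcode"])
        out.append(row)
    return out


def k_anonymity(records, quasi=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group sharing the same quasi-identifier values.

    k == 1 means at least one record is unique on its quasi-identifiers
    and could be re-identified by linking with another dataset."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values()) if groups else 0


def suppress_small_groups(records, k: int, quasi=QUASI_IDENTIFIERS):
    """Remove records whose quasi-identifier combination occurs fewer than k times."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return [r for r in records if groups[tuple(r[q] for q in quasi)] >= k]


def aggregate(records, field: str, min_cell: int = 5):
    """Counts per value of `field`; cells below min_cell are reported as None
    so that a rare value cannot single out one person."""
    counts = Counter(r[field] for r in records)
    return {value: (n if n >= min_cell else None) for value, n in counts.items()}


if __name__ == "__main__":
    deid = de_identify(RECORDS)
    print("k after generalisation:", k_anonymity(deid))
    safe = suppress_small_groups(deid, k=2)
    print("k after suppression:", k_anonymity(safe), "records kept:", len(safe))
    print(aggregate(deid, "condition", min_cell=2))
```

Running it shows why the page says de-identification is not a one-off task: after removing names and e-mail addresses and generalising postcode and age, one record is still unique on its quasi-identifiers (k = 1), and only suppressing the small group brings the release to k = 2. The same check should be re-run whenever new fields are added or the dataset is linked with other information, because each extra attribute tends to shrink the groups.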
Dispose of information appropriately
Do not keep information longer than you need.
Follow your agency’s retention and disposal rules, including obligations under the State Records Act 1998 (NSW).
Securely dispose of information when it is no longer required.
Check with your records or information management team before disposal.
Keep a record of key privacy decisions, including what you collect, why you collect it, who can access it, how long you keep it and when it should be reviewed.