What is personal or health information?
NSW privacy regulation focuses on the handling of personal and health information. Know how each type of information is described in the legislation to determine the kind of information you have:
The legal definition of personal information includes information or an opinion about an individual whose identity ‘can reasonably be ascertained’, even if it is not apparent. Use the fact sheet on reasonably ascertainable identity to work out whether an individual’s identity can be reasonably ascertained.
Understand the legislation
NSW Government agencies must:
- manage all personal information in accordance with the Privacy and Personal Information Protection Act 1998 and the Information Protection Principles
- comply with the Health Records and Information Privacy Act 2002 and the Health Privacy Principles governing health information.
Only collect the data you need. Under the legislation, both personal and health information are subject to strict storage and access requirements. Speak to your agency’s privacy contact officer to find out more.
Familiarise yourself with your agency’s privacy management plan. It describes how your agency will comply with the privacy legislation. Every NSW Government agency must have one.
Information and Privacy Commission of NSW resources
How to comply
Here are some ways that you can comply with the main obligations in the legislation.
Inform users when collecting information
You must inform users:
- when you’re collecting personal or health information
- why you’re collecting it
- what the information will be used for
- how they can view or amend this information
- who the intended recipients of the information are
- whether the supply of information is required by law or is voluntary, and any consequences to the user if the information (or any part of it) is not provided
- the name and address of the agency that is collecting the information, and of the agency that is to hold the information.
You must make users aware of this before, or as soon as practicable after, you collect the information. You can provide this notice in whatever way best suits your audience; for example, by linking to a privacy collection notice that describes what you intend to do with their information.
If you’re recording video or audio, it’s good practice to inform the user of this in the collection notice.
Privacy collection notice
- Consent and Bundled Consent - sets out what a privacy collection notice should contain.
- A privacy collection statement template - see appendix B of the Internet of Things (IoT) Policy Guidance
When to ask for consent
You need to get specific consent from users when you collect their personal or health information. This is so they can provide full informed consent to the use of the information.
Avoid bundling multiple requests for an individual's consent to a range of collections, uses or disclosures. Instead, give the user the option to choose which collections, uses or disclosures they agree to. See Consent and Bundled Consent.
Also get consent if you want to use the personal or health information for a purpose other than the one for which it was collected. This includes sharing the information with other agencies or across jurisdictions. Read the Transborder Disclosure Principle for guidance on the rules, exemptions and cloud outsourcing as they relate to personal information.
Capacity to give consent
For consent to be valid, the user must have the capacity to give or withhold consent. A user has capacity if they can understand the general nature and effect of a proposed use or disclosure of their personal or health information, and can communicate their consent.
Issues that could affect an individual's capacity to consent include:
- physical or mental disability
- limited understanding of English.
You may be able to address such issues by providing the individual with support so they have capacity to consent. For example, it may be appropriate for a parent or guardian to consent on behalf of a young person.
Use the consent checklist to assess whether consent is required for the use and disclosure of personal information.
Keep information secure
Agencies should keep personal and health information protected against loss, unauthorised access, use, modification or disclosure and against all other misuse. To do this, take reasonable security safeguards. For example, you can:
- restrict access to personal and health information in your agency to those with a strict need to know
- provide authorised staff with separate logins and ensure staff receive appropriate training on privacy and data protection requirements
- consider what kind of physical storage is required to protect personal or health information from loss or misuse
- keep your data sources separate so they are not connected. Linking data sources may reveal additional data or create new information
- implement regular audits to verify that only authorised users are accessing information, for authorised purposes.
- Data breach resources - guidance on responding to data breaches and notifying the Information and Privacy Commission of a data breach.
- NSW Government cloud policy and guidance – how to move services to cloud including preparation, contracting and management.
Dispose of personal or health information
Dispose of personal information securely as soon as the objective it was collected for has been completed. For personal or health information that you no longer need, you must delete or dispose of it at a set frequency.
Before you dispose of personal or health information, talk to your records expert to clarify the minimum retention periods for your situation. This will ensure you comply with the State Records Act 1998, and any other regulations that may apply.