Comply with privacy legislation and principles

Minimum you need to do

Comply with privacy legislation and principles when dealing with personal or health information

What is personal or health information?

NSW privacy regulation focuses on the handling of personal and health information. Know how each type of information is described in the legislation to determine the kind of information you have:  

The legal definition of personal information includes information or an opinion about an individual whose identity 'can reasonably be ascertained', even if it is not apparent from the information itself. Use this fact sheet on reasonably ascertainable identity to work out whether an individual's identity can reasonably be ascertained.

Understand the legislation

NSW Government agencies must: 

Only collect the data you need. Under legislation both personal and health information are subject to strict storage and access requirements. Speak to your agency’s privacy contact officer to know more. 

Familiarise yourself with your agency’s privacy management plan. It describes how your agency will comply with the privacy legislation. Every NSW Government agency must have one. 

Information and Privacy Commission of NSW resources 

How to comply

Here are some ways that you can comply with the main obligations in the legislation.

Inform users when collecting information  

You must inform users: 

  • when you’re collecting personal or health information 
  • why you’re collecting it 
  • what the information will be used for 
  • how they can view or amend this information
  • who the intended recipients of the information are
  • whether the supply of information is required by law or is voluntary, and any consequences to the user if the information (or any part of it) is not provided
  • the name and address of the agency collecting the information and of the agency that will hold it.

You must make them aware before, or as soon as practicable after, you collect the information. You can provide this notice in the way best suited to your audience, for example by linking to a privacy collection notice that describes what you intend to do with their information.

If you’re recording video or audio, it’s good practice to inform the user of this in the collection notice. 

Privacy collection notice 

When to ask for consent 

You need to get specific consent from users when you collect their personal or health information. This is so they can provide full informed consent to the use of the information.

Avoid bundling multiple requests for an individual's consent to a range of collections, uses or disclosures. Instead, give the user the option to choose which collections, uses or disclosures they agree to. See Consent and Bundled Consent.

Also get consent if you want to use the personal or health information for a purpose other than the one it was collected for. This includes sharing the information with other agencies or across jurisdictions. Read the Transborder Disclosure Principle for guidance on the rules, exemptions and cloud outsourcing arrangements that apply to personal information.

Capacity to give consent

For consent to be valid, the user must have the capacity to give or withhold consent. A user has capacity if they can understand the general nature and effect of a proposed use or disclosure of their personal or health information, and can communicate their consent.

Issues that could affect an individual's capacity to consent include:

  • age
  • physical or mental disability
  • limited understanding of English.

You may be able to address such issues by providing the individual with support so they have capacity to consent. For example, it may be appropriate for a parent or guardian to consent on behalf of a young person.

Consent checklist
Use the consent checklist to assess whether consent is required for the use and disclosure of personal information. 

Keep information secure

Agencies should keep personal and health information protected against loss, unauthorised access, use, modification or disclosure and against all other misuse. To do this, take reasonable security safeguards. For example, you can:

  • restrict access to personal and health information in your agency to those with a strict need to know 
  • give each authorised staff member their own login (no shared or generic accounts) and ensure staff receive appropriate training on privacy and data protection requirements
  • consider the physical storage needed to protect personal or health information from loss or misuse
  • keep data sources separate: linking them can identify individuals who were not identifiable in either source alone, or create new personal information
  • implement regular audits to verify that only authorised users are accessing information, for authorised purposes.  
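One way to run the regular audit described above is to reconcile an access log against an authorisation register. The following is an added example, not code from the NSW guidance or any agency system: the log format (tab-separated timestamp, user, dataset, purpose, record id), the register, the dataset and account names and the bulk-access threshold are all constructed for illustration. It flags three things an audit for these obligations would want to see: access by a user with no authorisation for a dataset, access for a purpose the user is not authorised for, and use of a shared account (which defeats the separate-login requirement); it also flags a user who touched an unusually large number of distinct records, which is how browsing beyond a need to know usually shows up.

```python
"""Review an access log against an authorisation register.

Added example for illustration only. Log format, register contents, account
names and the bulk-access threshold are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed register: (user, dataset) -> purposes that user is authorised for.
AUTHORISATION_REGISTER = {
    ("asmith", "client_health_records"): {"treatment"},
    ("bjones", "client_health_records"): {"treatment", "billing"},
    ("cwu", "contact_details"): {"service_delivery"},
}

# Constructed list of generic accounts that must never touch personal or health data.
SHARED_ACCOUNTS = {"admin", "shared_reception"}

# Assumed threshold: more distinct records than this per user and dataset in the
# reviewed window is reported for follow-up as possible browsing beyond need to know.
BULK_THRESHOLD = 5


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user: str
    dataset: str
    purpose: str
    record_id: str


def parse_log_line(line: str) -> AccessEvent:
    """Parse one tab-separated log line (constructed format, see module docstring)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        raise ValueError(f"malformed access log line: {line!r}")
    return AccessEvent(*fields)


def review_access(events, register=AUTHORISATION_REGISTER,
                  shared=SHARED_ACCOUNTS, bulk_threshold=BULK_THRESHOLD):
    """Return (findings, bulk).

    findings: list of (event, reason) for individual accesses that fail the check.
    bulk:     list of (user, dataset, distinct_record_count) above the threshold.
    """
    findings = []
    records_seen = defaultdict(set)
    for ev in events:
        records_seen[(ev.user, ev.dataset)].add(ev.record_id)
        if ev.user in shared:
            findings.append((ev, "shared account"))
            continue
        allowed = register.get((ev.user, ev.dataset))
        if allowed is None:
            findings.append((ev, "not authorised for dataset"))
        elif ev.purpose not in allowed:
            findings.append((ev, "unauthorised purpose"))
    bulk = [(user, dataset, len(ids))
            for (user, dataset), ids in records_seen.items()
            if len(ids) > bulk_threshold]
    return findings, bulk


# Constructed sample log: two clean accesses, then one of each failure type,
# then a run of accesses by bjones that trips the bulk threshold.
SAMPLE_LOG = "\n".join([
    "2024-03-04T09:12:00\tasmith\tclient_health_records\ttreatment\tR-1001",
    "2024-03-04T09:15:00\tbjones\tclient_health_records\tbilling\tR-1002",
    "2024-03-04T09:20:00\tcwu\tclient_health_records\ttreatment\tR-1003",
    "2024-03-04T09:25:00\tasmith\tclient_health_records\tresearch\tR-1004",
    "2024-03-04T09:30:00\tshared_reception\tcontact_details\tservice_delivery\tR-2001",
] + [
    f"2024-03-04T10:{i:02d}:00\tbjones\tclient_health_records\ttreatment\tR-10{i:02d}"
    for i in range(5, 11)
])


def run_audit(log_text: str = SAMPLE_LOG):
    """Parse a log and review it; returns the same (findings, bulk) pair as review_access."""
    events = [parse_log_line(line) for line in log_text.splitlines() if line.strip()]
    return review_access(events)


if __name__ == "__main__":
    findings, bulk = run_audit()
    for ev, reason in findings:
        print(f"{ev.timestamp} {ev.user} {ev.dataset} {ev.record_id}: {reason}")
    for user, dataset, count in bulk:
        print(f"{user} accessed {count} distinct records in {dataset}: review for need to know")
```

The register is the piece that matters: it should be the same list used to grant access in the first place, so the audit checks the system against the agency's own record of who is authorised and for what, and a mismatch is a finding in its own right.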

Resources 

  • Data breach resources - guidance on responding to data breaches and notifying the Information and Privacy Commission of a data breach.  
  • NSW Government cloud policy and guidance – how to move services to cloud including preparation, contracting and management. 

Dispose of personal or health information 

Dispose of personal or health information securely once the purpose it was collected for has been met and any required retention period has expired. Schedule regular disposal of information you no longer need rather than letting it accumulate.

Before you dispose of personal or health information, talk to your records expert to clarify the minimum retention periods for your situation. This will ensure you comply with the State Records Act 1998, and any other regulations that may apply. 

How to show you’ve met the privacy compliance requirement

You will have:

  • recorded whether you are collecting personal or health information

  • reviewed and complied with the Information Protection Principles, Health Privacy Principles, your agency’s Privacy Management Plan and its policy on disposing of personal and health information and information handling policies

  • given notice to individuals that you are collecting personal or health information, why you are collecting it, what the information will be used for, and how they can view or amend their information

  • obtained consent if required to use or disclose personal or health information if the information is not used for a purpose for which it was collected

  • controlled who has access to personal or health information by providing personal logins and recorded who has access.
