SIRA Privacy Management Plan

1. Introduction

The State Insurance Regulatory Authority (SIRA) has obligations under the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act) to protect your privacy as a customer, staff member, or member of the public.

This Privacy Management Plan (Plan) explains how we manage personal or health information under NSW privacy laws. We also use this Plan to train our staff about how to handle the personal and health information we hold.

We are required by section 33 of the PPIP Act to have a Plan which explains:

  • our policies and practices to comply with the PPIP Act and the HRIP Act
  • how we make our staff aware of such policies and practices
  • our procedures for dealing with privacy internal reviews
  • relevant information about privacy and the protection of personal and health information.

2. Who does this Plan cover

This Plan applies to all employees, contractors and consultants working for, or on behalf of, SIRA. These people are referred to as 'our staff' in this Plan.

3. Key responsibilities

3.1 The SIRA Chief Executive

The Chief Executive is responsible for ensuring SIRA establishes and maintains systems and processes for privacy management which comply with the PPIP Act and HRIP Act.

3.2 Our staff

Our staff are required to comply with the PPIP Act and the HRIP Act. If our staff are uncertain about whether specific conduct meets our obligations, and they cannot resolve the question with their People Leader, they should contact the SIRA Privacy Officer in the first instance.

3.3 People leaders

People leaders are responsible for supervising or managing an individual or group of staff. People Leaders are responsible for:

  • making our staff aware of this Plan and providing guidance on how to apply it
  • ensuring our staff are provided with access to privacy training
  • identifying privacy issues when implementing new systems
  • assisting our staff to manage privacy issues.

3.4 The SIRA Privacy Officer

The Privacy Officer is responsible for:

  • ensuring this Plan is publicly available
  • advising and assisting our staff, and members of the public, in relation to privacy
  • undertaking privacy internal reviews
  • monitoring the effectiveness of this Plan
  • ongoing training of our staff and awareness-raising in relation to privacy and privacy by design
  • supporting privacy threshold assessments and privacy impact assessments
  • coordinating and approving the wording and location of privacy notices
  • reporting on privacy issues in SIRA’s annual report in accordance with annual report legislation, including a statement of compliance with requirements of the PPIP Act and HRIP Act and statistical details of any internal reviews conducted by or on behalf of SIRA
  • updating this Plan:
    • as necessary, or
    • if a privacy code or direction of the Privacy Commissioner, or the expiry of such a code or direction, significantly modifies the application of the privacy principles to the operations of SIRA, or
    • if SIRA introduces a new collection, use or disclosure of personal or health information that is not covered by this Plan.

The Chief Executive, on the advice of the Privacy Officer, may amend this Plan as necessary, at any time. The revised Plan will be made available on the SIRA website as soon as practicable. Any amendments will be drawn to the attention of our staff, and the NSW Privacy Commissioner will be advised of any amendments as soon as practicable.

4. About SIRA

On 1 September 2015, SIRA was established as the independent regulator of the workers compensation, compulsory third party (CTP) and home building compensation insurance schemes under the State Insurance and Care Governance Act 2015 (SICG Act). SIRA also has some regulatory functions in other NSW insurance schemes including the lifetime care and support and dust diseases schemes.

Collectively, these schemes provide an important social safety net for the people of NSW who may one day experience injury or loss. At any one time, more than 10 million people are protected through a SIRA-regulated scheme. These schemes are funded by more than 6 million vehicle owners, employers and homeowners who together pay more than $7 billion in premiums each year.

4.1 Principal objectives

Our objectives and regulatory role are set out in section 23 of the SICG Act:

  • to promote the efficiency and viability of the insurance and compensation schemes established under the workers compensation and motor accidents legislation and the other Acts under which SIRA exercises functions
  • to minimise the cost to the community of workplace injuries and injuries arising from motor accidents and to minimise the risks associated with such injuries
  • to promote workplace injury prevention, effective injury management and return to work measures and programs
  • to ensure that persons injured in the workplace or in motor accidents have access to treatment that will assist with their recovery
  • to provide for the effective supervision of claims handling and disputes under the workers compensation and motor accidents legislation
  • to promote compliance with the workers compensation and motor accidents legislation.

4.2 Functions

Our functions are conferred or imposed by the SICG Act, the Home Building Act 1989 and other legislation, including the workers compensation and motor accidents legislation. Section 24 of the SICG Act provides that the functions of SIRA also include:

  • the collection and analysis of information on prudential matters in relation to insurers under the workers compensation and motor accidents legislation and the Home Building Act 1989
  • the encouragement and promotion of the carrying out of sound prudential practices by insurers under the workers compensation and motor accidents legislation and the Home Building Act 1989
  • the evaluation of the effectiveness and carrying out of those practices.

5. Our structure

SIRA is a small independent agency within the NSW Customer Service Cluster. It is headed by a Chief Executive who manages and controls the affairs of SIRA in accordance with the general policies and strategic direction set by the SIRA Board. Anything done by the Chief Executive on behalf of SIRA is taken to have been done by SIRA (section 19(3) of the SICG Act).

While SIRA is not, in the exercise of its functions, subject to the control and direction of the Minister, the Minister may give SIRA a written direction with respect to its functions if the Minister is satisfied that it is necessary to do so in the public interest.

The structure of SIRA is as follows:

5.1 SIRA Board

The functions of the SIRA Board are set out in section 18(5) of the SICG Act and include:

  • determining the general policies and strategic direction of SIRA
  • overseeing the performance of SIRA
  • giving the Minister any information relating to the activities of SIRA that the Minister requests
  • keeping the Minister informed of the general conduct of SIRA’s activities and any significant development in activities.

The SIRA Board is comprised of seven members who have extensive professional experience both within Australia and internationally.

The SIRA Chief Executive is a member of the SIRA Board, along with the Secretary of the Department of Customer Service (DCS), or her nominated delegate. A further five independent members are appointed by the Minister for Customer Service and Digital Government.

The Chair and Deputy Chair are selected by the Minister from the five appointed members.

5.2 The SIRA teams

5.2.1 Motor Accidents Insurance Regulation (MAIR)

The MAIR team oversees the NSW CTP insurance scheme. Insurers licensed to operate in the scheme protect vehicle owners from liability if their vehicle causes injury or death to other road users. The team works hard to reduce injuries and deaths on the roads by having a forward-thinking, proactive, and collaborative approach with stakeholders. The team focuses on delivering better outcomes for policyholders and injured people, and encouraging innovation, quality performance and positive customer experiences. The teams within MAIR include:

Health Policy, Prevention and Supervision (HPPS)

The HPPS team promote optimal recovery and health outcomes in both the workers compensation and CTP schemes. They do this through a value-based healthcare approach, strategic initiatives focused on injury prevention, supervising and educating health providers, and supporting effective fees regulation.

Premiums and Markets

The Premiums and Markets team ensures that the premiums for SIRA’s insurance products are affordable, equitable and fair for NSW customers. At the same time, the team ensures that the insurance schemes are adequately funded for long-term viability.

Scheme Design, Policy and Performance

The Scheme Design, Policy and Performance team ensures the viability, affordability and sustainability of the CTP insurance schemes under the motor accidents legislation. They do this by shaping and refining policy design, supporting effective and fair legal access to justice, and enabling transparent external engagement.

Insurer Supervision

The Insurer Supervision team ensures the compliance and performance of insurers aligns with legislation, guidelines, and community expectations. This team engages with and holds insurers to account to ensure better outcomes and experiences for customers.

5.2.2 Workers and Home Building Compensations Regulation (WHBCR)

The WHBCR team oversees the workers compensation and home building compensation schemes in NSW. The team has some involvement in certain aspects of dust diseases, sporting injuries, coal mines, bush fire, and emergency and rescue services legislation. The team focuses on customers and delivering effective regulation that builds public trust and supports NSW in being a competitive, confident, and protected state. The teams within WHBCR include:

Employer Supervision and Return to Work

The Employer Supervision and Return to Work team supports employers to comply with their workers compensation obligations. They also promote, amongst stakeholders, the importance of injured people recovering through work in both the workers compensation and CTP schemes. They do this through strategic programs and resources, stakeholder education and regulatory action.

Enforcement and Prosecution

The mission of the Enforcement and Prosecution team is to ensure regulatory compliance by prosecuting breaches, enforcing the law, and undertaking punitive actions. The primary goal of their work is to contribute to higher levels of public trust in the workers compensation, CTP and home building insurance systems.

Performance and Compliance Reviews

This team conducts audit and review activities that enable SIRA to hold system participants accountable for their regulatory performance and compliance. This team addresses significant and systemic performance and compliance risks, pursues continuous improvement in regulatory practice and system outcomes, and undertakes specific rulings and reviews.

Scheme Design, Policy and Performance

This team helps SIRA and its stakeholders to better understand how the workers and home building compensation schemes operate. They provide advice on key risks, issues and opportunities, and develop policy options in collaboration with stakeholders to inform legislative change.

Home Building Compensation Regulation

This team brings together regulatory functions for the home building compensation scheme. The team is responsible for insurer supervision of icare HBCF’s compliance with its regulatory obligations as well as licensing functions for prospective insurers. The team is also responsible for policy advice and implementation for scheme design and performance matters. The team also performs enforcement functions for the home building compensation scheme, including liaison with the DCS Better Regulation Division in respect of its parallel building industry regulation functions.

5.3 Customer, Data and Delivery (CDD)

The CDD team works across SIRA to connect, deliver and promote ideas and services that drive measurably better customer outcomes, underpin regulatory excellence, and accelerate progress on SIRA’s strategic goals. This team oversees the development and delivery of key corporate functions including customer experience, organisational health, intelligence and analytics, customer engagement and stakeholder communication. The teams within CDD include:

Customer Service and Operations

This team is responsible for designing and delivering the best possible services to customers and providing timely, evidence-based decisions and regulatory responses. The team’s primary goal is to deliver a positive customer experience.

Delivery and Insights

This team ensures that SIRA delivers ambitious, durable and meaningful changes for current and future customers by coordinating the voice of customer program and by providing targeted support to priority projects that deliver positive customer impact.

Regulatory Intelligence and Analytics

The Regulatory Intelligence and Analytics team support SIRA as a data-driven and intelligence-led organisation to achieve better regulatory outcomes. Their main focus is on providing valuable insights for evidence-based decision-making and transparent reporting to NSW citizens on scheme performance.

Digital

The Digital team is responsible for delivering, managing, enhancing, and supporting the platforms that enable SIRA to be an intelligence-driven, risk-based regulator, with a focus on simplifying, modernising, and consolidating the technology platforms used at SIRA.

External Communications

This team helps SIRA communicate and engage with its external audience. This team is focused on creating a culture of content that delivers against SIRA’s strategy - SIRA2025 - and builds brand equity through promoting SIRA and the work it does, increasing regulatory transparency and responding to the strategic environment and public scrutiny.

5.4 The Office of the Chief Executive

The Office of the Chief Executive oversees the development and delivery of key corporate functions, including finance, procurement, strategy, governance, risk, compliance, and staff engagement. In addition to the Office of the Chief Executive’s key executive functions, there are two directorates that support SIRA’s governance and the delivery of SIRA’s strategic priorities. The two directorates are:

Finance and Procurement

This team is SIRA’s point of reference for assistance and guidance on procurement, budgeting, and financial matters and SIRA’s delegations.

Strategy and Performance

This team is responsible for internal audit, risk, compliance, corporate planning and performance, capability, ministerial, parliamentary, privacy, information access, information and records management, and board and committee secretariat functions for SIRA.

6. Privacy legislation and exemptions

The PPIP Act and the HRIP Act contain principles that describe what we must do when we collect, store, use or disclose personal or health information. The PPIP Act sets out the 12 Information Protection Principles (IPPs) for agencies in sections 8-19, and the HRIP Act sets out the 15 Health Privacy Principles (HPPs) in Schedule 1 of that Act.

These principles are legal obligations which we must comply with unless an exemption applies. Exemptions to the privacy principles can be found in the PPIP Act and HRIP Act themselves, and in Regulations, Privacy Codes and Public Interest Directions.

6.1 Exemptions contained in the PPIP Act and the HRIP Act

The PPIP Act and HRIP Act provide that SIRA does not need to comply with the IPPs and HPPs in certain situations. Specific exemptions are set out in Division 3 of the PPIP Act and Part 2 of the HRIP Act.

Some situations where the information we collect is exempt from compliance with specific IPPs and HPPs include:

  • information sent between public sector agencies to transfer enquiries or to manage correspondence from a Minister or Member of Parliament
  • if disclosure is authorised or required by a subpoena, warrant or statutory notice to produce
  • if another law authorises or requires non-compliance (e.g., to carry out our regulatory activities)
  • investigative purposes (e.g., if compliance would prevent the proper exercise of any of our investigative functions)
  • law enforcement purposes
  • research purposes.

6.2 Exemptions contained in another law

The most common exemption that applies to SIRA is where non-compliance is required or authorised by another law. Exemptions contained in another law are referred to in Appendix 1.

In these circumstances, section 25 of the PPIP Act provides that we do not have to comply with section 9 (IPP 2), 10 (IPP 3), 13 (IPP 6), 14 (IPP 7), 15 (IPP 8), 17 (IPP 10), 18 (IPP 11) or 19 (IPP 12), to the extent that the other law requires or authorises non-compliance with the relevant IPP.

6.3 Exemptions contained in Privacy Codes of Practice or Public Interest Directions

There are no Privacy Codes of Practice or Public Interest Directions that allow SIRA to modify its application of the IPPs and HPPs.

7. Types of personal and health information

7.1 What is personal information?

‘Personal information’ is defined in section 4 of the PPIP Act as:

‘Information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion’.

Essentially, personal information is information or an opinion about you which reveals your identity. Personal information may or may not be recorded in a material form.

Section 4(2) of the PPIP Act states that personal information includes such things as fingerprints, retina prints, body samples and genetic characteristics.

Some examples of personal information recorded in a material form are a written application which shows your name and address, or your NSW Driver Licence which shows your photo and personal details. Personal information need not directly name a person to identify them. For example, a claim number, or unnamed survey answers which contain your opinions, may be considered personal information if they can reveal your identity.

7.2 What is not personal information?

Certain types of information are not considered personal information. They are outlined at sections 4(3) and 4A of the PPIP Act and include but are not limited to:

  • information about an individual that is contained in publicly available publications (for example information provided in a newspaper or a court judgement available on the internet)
  • information about a person who has been deceased for more than 30 years
  • matters arising out of a Royal Commission or Special Commission of Inquiry
  • matters contained in Cabinet documents
  • information about a person’s suitability for public sector appointment or employment
  • health information which is covered by the HRIP Act.

7.3 What is health information?

Section 6 of the HRIP Act defines ‘health information’ as covering one or more of the following categories:

  • Personal information that is also information or an opinion about:
    • an individual’s physical or mental health or disability, or
    • an individual’s express wishes about the future provision of health services to themselves, or
    • a health service provided, or to be provided, to an individual.
  • Personal information collected to provide a health service
  • Personal information about an individual collected in connection with the donation of an individual’s body parts, organs or body substances
  • Genetic information that is or could be predictive of the health of a person or their relatives or descendants
  • Healthcare identifiers.

7.4 What is not health information?

There are certain types of information relating to someone’s health which are not classified as health information. This includes the information outlined at 7.2 of this Plan.

7.5 Personal and health information held by us

We have a range of functions requiring or involving the collection, use, storage and disclosure of personal and health information from members of the public, insurers, claimants, policy holders and others. The types of information we hold are outlined in Appendix 2.

We retain a small amount of information about our staff; however, most of this information is held by the Department of Customer Service (DCS), because DCS employs the staff it assigns to work for SIRA.

7.6 Personal and health information held by the Department of Customer Service

SIRA staff are employed by DCS. While SIRA is an independent agency within the Customer Service cluster, it uses shared services support from DCS in the areas of communications, finance, information and technology services (including cyber security), investment, human resources, legal and procurement. These shared services support SIRA’s regulatory functions and operations.

Personal and health information that we share with the Department of Customer Service (DCS) is limited to what is lawful to exchange, necessary to carry out SIRA’s regulatory functions and activities, or necessary to discharge SIRA’s legal responsibilities. For example, we may need to provide your personal or health information to DCS Legal for the purpose of seeking legal advice.

The DCS Privacy page contains details about the personal and health information DCS holds and how it is managed.

8. How we manage personal and health information

This section explains how we apply the IPPs and HPPs when we collect, store, use or disclose your information.

8.1 Lawful collection (IPP 1 and HPP 1)

We only collect personal or health information that we need. If we need to collect it, we will keep it to a minimum. We collect personal or health information for a lawful purpose and only to perform a task connected to our regulatory functions and activities described in sections 4-5 of this Plan.

We will give you the opportunity to enquire anonymously when seeking generic information from us. At other times it will be necessary for us to collect your personal or health information to fulfil our functions as a regulator of workers compensation, home building and motor accidents insurance.

8.2 Direct collection (IPP 2 and HPP 3)

Wherever possible, we collect your personal or health information directly from you. We may collect your information from a third party where:

  • you have authorised collection of the information from someone else, or
  • you are under 16 years of age – in which case we may instead collect information from your parent or guardian, or
  • in the case of health information, it would be unreasonable or impracticable to collect information from you, or
  • we are lawfully authorised to do this. For example, we indirectly collect personal and health information relating to workers compensation, motor accident and home building compensation claims from insurers. This is authorised under legislation and outlined in Appendix 1.

We collect personal or health information from you in a variety of ways including by phone, online, in person and through application forms. We indirectly collect personal and health information from insurers, and other third parties, where it is permitted by law.

8.3 Open collection (IPP 3 and HPP 4)

Generally, we will tell you why we are collecting your personal or health information, and what we will do with it, before it is collected; this is our preferred practice. If we have not informed you before the collection begins, we will give you this notification as soon as we can afterwards. We will tell you by way of a ‘privacy notice’ that is specific to each collection and included on a form, web page or recorded message, or given verbally.

When we provide notice, we will inform you why we are collecting your personal or health information, what we will do with it and who else might see it. We tell you how you can view and correct your personal or health information, if the information is required by law or voluntary, and any consequences that may apply if you decide not to provide your information. We tell you the name and contact details of the agency who will collect the information and the agency who will hold the information (usually SIRA in both cases). For further information on how we provide Privacy Notices, please refer to Appendix 3.

If we collect your health information indirectly, we will generally take reasonable steps to let you know we have collected it and provide you with information about why we have collected it and what we will do with it. We would not take these steps if it posed a threat to your life, or the life of another person, or if the Privacy Commissioner provided us with contrary guidelines.

8.4 Relevant collection (IPP 4 and HPP 2)

When collecting information from you, we will be mindful of the purpose of collection and take reasonable steps to:

  • not collect excessive personal or health information
  • not collect personal or health information in an unreasonably intrusive manner
  • ensure that personal and health information collected is relevant, accurate, up-to-date, and complete.

It is not our practice to collect personal or health information that is irrelevant or excessive for the task at hand. For example, we will not ask you to provide information about your experiences with health care providers to respond to your general enquiry about the regulation of health providers. If we do receive more information than we need for the task at hand, we will not keep the additional information.

We will not collect personal or health information in a way that intrudes into your private affairs unless it is essential and reasonable. For example, we will not ask for details about your medical history if you only want to know the steps involved in claiming workers compensation.

If we directly collect personal or health information from you, and we are unsure about whether the information we have is relevant, accurate, up-to-date, and complete, we will try to check it with you. For example, if we are unsure about the information you have provided as part of your regulatory complaint, we will contact you and ask questions.

To determine what might be reasonable steps, we consider:

  • the purpose for which your information was collected
  • the sensitivity of the information
  • how many people will have access to your information
  • the importance of accuracy to the proposed use
  • the potential effects on you if the information is inaccurate, out-of-date or irrelevant
  • the opportunities to subsequently correct the information
  • the ease with which government agencies (including us) can check the information
  • other relevant circumstances.

8.5 Retention and security (IPP 5 and HPP 5)

We hold a large amount of personal and health information and consider the security and appropriate disposal of that information fundamental to protecting privacy. Information is stored and secured in a variety of ways, including on our databases and on cloud storage.

We take reasonable steps to protect your personal and health information from loss, misuse, unauthorised access, use, modification, or disclosure. This involves implementing reasonable security measures, including technical, physical, and administrative actions, to protect information. We also take reasonable steps to ensure that personal and health information is stored securely, kept for no longer than necessary (if we need to collect and keep it) and disposed of appropriately.

Examples of security and disposal measures include:

  • restricting access to authorised users who have a clear business need
  • user access audits
  • maintaining logs and audit trails
  • multi-factor authentication
  • use of strong passwords for computer access and a mandatory requirement that all staff change computer access passwords on a regular basis
  • providing our staff with access to secure storage spaces near workstations to secure documents and devices
  • disposing of information when it no longer needs to be kept in line with its retention policy
  • contractual terms with third-party service providers that would prevent them from any unauthorised use or disclosure of information that we hold
  • assessing third party supplier compliance and their security standards
  • providing information management and information security training to our staff.

8.6 Transparency (IPP 6 and HPP 6)

We have an obligation to the public to be open about how we handle personal and health information. We enable you to know:

  • whether we hold your personal or health information
  • the nature of the personal or health information
  • the main purposes for which we use your personal or health information
  • how you can access your personal or health information.

A table of the information we hold is contained at Appendix 2.

Our Privacy Statement supports this Plan and broadly sets out the types of personal or health information that we hold, the purpose for which the information is used and how you can access your personal or health information.

If you have any questions about the personal or health information we hold, please contact the staff member or business unit dealing with your information. If you are unsure about who to contact, please contact the Privacy Officer.

8.7 Access (IPP 7 and HPP 7)

In most cases, you have the right to access the personal or health information we hold about you. We only refuse access if authorised by law. If requested, we will provide written reasons for any refusal.

We must process your access request without excessive delay. We do not charge any fees to access personal or health information unless you are lodging a formal application under the Government Information (Public Access) Act 2009 (GIPA Act).

If you are a claimant under one of the schemes administered by SIRA, you may be able to access your personal or health information by contacting the insurer who is managing your claim.

If you wish to access the personal or health information that SIRA holds about you, we encourage you to contact the staff member or business unit holding your information. Please note that we need to confirm your identity before providing access.

If you do not know which business unit to contact regarding your request, or your request has been denied, please contact the Privacy Officer.

8.7.1 Formal requests to access personal or health information

Formal requests to access your personal or health information can be made under the PPIP Act, HRIP Act or the GIPA Act, depending on the circumstances and the sensitivity of the information involved. No fee is required if you are requesting information under the PPIP or HRIP Acts, however GIPA applications will require the application fee of $30 to be paid. Formal requests for your personal or health information should be sent to the Privacy Officer.

8.7.2 Access to personal or health information under the GIPA Act

Anyone can seek access to government information that is held by us by making an access application under the GIPA Act.

The GIPA Act may allow your personal information to be provided to others, but only if the public interest considerations in favour of disclosure outweigh the public interest considerations against disclosure. Each decision under the GIPA Act must take into account, as public interest considerations against disclosure, whether personal information would be revealed and whether the IPPs or HPPs could be breached.

8.7.3 Limits on accessing other people’s information

We are usually restricted from giving you access to someone else’s personal or health information. While the PPIP Act and the HRIP Act give you the right to access your own information, they generally do not give you the right to access someone else’s information.

However, both the PPIP Act and the HRIP Act allow you to give us permission to collect your personal or health information from, and disclose it to, someone else.

If you do require someone to act on your behalf, you will need to give us your consent. If you are under 16, we can collect information directly from your parents or guardian.

The PPIP Act and HRIP Act enable us to disclose personal or health information to another person in limited circumstances, such as to prevent a serious and imminent threat to the life or health and safety of an individual. In the case of health information, other reasons include finding a missing person or for compassionate reasons in certain limited circumstances.

The IPC’s Guide - Privacy and persons with decision-making disabilities explains how we seek consent for a secondary use or disclosure of personal or health information from a person who has limited or no capacity.

8.8 Correction (IPP 8 and HPP 8)

We allow any person to update or amend their personal or health information, to ensure it is accurate, relevant, up-to-date, complete, and not misleading. Where practicable, we will notify other recipients of any changes.

We encourage you to correct your personal or health information by contacting us. However, if you request changes and we think your information is correct, we can decline to make those changes. If we do this, we will allow you to add a statement to our records. For example, we may attach a statement to our records for a disputed medical diagnosis or a person with a criminal record maintaining their innocence.

If you do not know which business unit to contact regarding your request, or your request has been denied, please contact the Privacy Officer.

8.9 Accurate use (IPP 9 and HPP 9)

Before using your personal or health information, we will be mindful of the purpose for which we want to use the information and take reasonable steps to ensure that the information is still relevant, accurate, up-to-date, complete, and not misleading.

For example, if we are handling your regulatory complaint and receive information from an insurer that your email address has changed, we will contact you to verify this before using the new email address.

When determining reasonable steps, we consider:

  • the context in which the information was obtained
  • the purpose for which we collected the information
  • the purpose for which we now want to use the information
  • the sensitivity of the information
  • the number of people who will have access to the information
  • the potential effects for you if the information is inaccurate or irrelevant
  • any opportunities we’ve already given you to correct inaccuracies
  • the effort and cost involved in checking the information
  • any other relevant circumstances.

8.10 Limited use (IPP 10 and HPP 10)

When we use your personal or health information, it means that we apply it to tasks connected with our functions and regulatory activities. This includes the provision of information to contractors in circumstances where SIRA retains control over the handling and use of the information.

We may use personal or health information for:

  • the purpose for which it was collected, or
  • a directly related purpose you would reasonably expect, or
  • another purpose for which we have your consent, or
  • another purpose if it is reasonably necessary to prevent or lessen a serious and imminent threat to your life or health, or of another person, or
  • another purpose if permitted by law, such as an exemption or as described in clause 10 (HPP 10), schedule 1 of the HRIP Act.

Generally, we use personal or health information for the purpose of collection or a directly related purpose you would reasonably expect. The purpose of collection is set out in the privacy notice. For example, we may collect your personal information for the purpose of assisting you with your regulatory complaint and also use it for the directly related purpose of making quality improvements in how we respond to similar complaints.

An example of how we may use personal or health information with consent is:

  • where you agree that we can use the information for a project and this use is not directly related to the purpose of collection we stated in our privacy notice.

An example of how we may use personal or health information without consent to prevent a serious or imminent threat to your life or health, or of another person, is:

  • where we have received up-to-date information about a threat to your life, and we believe that it is urgent to call an ambulance, and provide your address, to save your life.

Other relevant exemptions are contained in Appendix 1.

8.11 Limited, Restricted Disclosure (IPP 11-12, HPP 11) and Controlled Cross-border Transfer (HPP 14)

If we disclose your personal or health information, it means that we give it to a third party outside of SIRA. We may disclose your personal or health information if:

  • the disclosure is directly related to the purpose of collection and there is no reason to believe you would object, or
  • you have been made aware in the privacy notice that the information to be disclosed is usually disclosed, or
  • we believe it is reasonably necessary to prevent or lessen a serious and imminent threat to life or health, or
  • we are permitted by an exemption, or other provision of the PPIP Act or HRIP Act, to disclose your personal or health information for another purpose.

Higher protections are afforded to the disclosure of sensitive personal information outside of SIRA. Sensitive personal information is personal information relating to your ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities.

Generally, we avoid collecting sensitive personal information. However, if we do collect such information, we will only disclose it if you provide consent, or it is necessary to protect you or someone else from a serious and immediate health and safety threat. For example, we might ask for consent to disclose your trade union membership to a workers compensation insurer if it is relevant to your complaint about how your claim is being handled.

We will not disclose or transfer your personal or health information outside of New South Wales, which includes Commonwealth government agencies, unless there is a good reason to do so and we are permitted by section 19 of the PPIP Act (IPP 12) or Clause 14, Schedule 1 of the HRIP Act (HPP 14). For example, we may decide to transfer your personal or health information outside of New South Wales if you consent or the organisation receiving the information is subject to a law, contract, agreement, or other binding scheme which upholds similar standards to the NSW Information Protection Principles (IPPs) or NSW Health Privacy Principles (HPPs).

Some of the steps we take to manage the risk of unauthorised disclosure are outlined as follows:

8.11.1 Deidentified information sharing

Although we are permitted to disclose personal or health information in certain circumstances, we take steps to de-identify information before we share it wherever possible.

8.11.2 De-identified information on our website

Before we publish open data, research or other information on our website, we take steps to ensure that you are not identified. We may identify you on our website if we have your consent or an exemption applies but this is not our standard practice.

For example, the results of SIRA’s young driver’s telematics trial involved participants’ personal information being aggregated and de-identified before it was published. This prevents unlawful disclosure and stops the driving habits of participants being associated with their names and other personal identifiers. SIRA cannot disclose participants’ personal information to parties outside the trial unless the participant has given consent, or where required or authorised by law.

8.11.3 Information sharing agreements and memorandums of understanding

If we are permitted to disclose personal or health information to other organisations on a regular basis, we generally have information sharing agreements or memorandums of understanding in place. This facilitates effective data governance and the protection of privacy. SIRA maintains several information sharing agreements and memorandums of understanding for this reason.

As an example, SIRA regularly exchanges personal or health information with the Independent Review Officer (IRO) in relation to complaints by customers, as authorised by the Personal Injury Commission Act 2020. To ensure that SIRA and the IRO can effectively exercise their respective statutory functions, and respond to customer complaints, SIRA has signed a Memorandum of Understanding (MOU) with the IRO. The MOU sets out a cooperative framework for exchanging information within their statutory functions.

8.12 Identifiers (HPP 12)

An identifier does not use a person’s name and is designed to be unique to a specific individual (e.g., a unique patient number). Wherever possible, we will avoid giving you an identifier when we handle your health information. If we do, we will only give you an identifier if it is reasonably necessary to carry out our functions efficiently.

For example, SIRA funded the ‘Factors influencing social and health outcomes after motor vehicle crash injury: an inception cohort study’ (FISH study) which assigned identifiers to its participants. The study was conducted by the John Walsh Centre for Rehabilitation Research. Identifiers were used to collect Medicare and Pharmaceutical Benefits Scheme data on the health service usage of participants. However, to protect the privacy of participants and to comply with research ethics requirements, SIRA could not access the identifiers, linked data or any individual-level data.

8.13 Anonymity (HPP 13)

Wherever possible, we will give you the opportunity to deal with us anonymously in relation to transactions involving your health information. For example, if you call us to seek general information about the case management guidelines relevant to your injury, we will be able to provide some basic information. However, sometimes it will be necessary for you to identify yourself so that we can help, such as if you make an enquiry about your claim.

8.14 Linkage of health records (HPP 15)

‘Health records linkage’ means a computerised system that is designed to link your health records, held by different organisations, for the purpose of facilitating access to your health records.

We will generally not use health records linkage systems unless there is a compelling reason. If we do, we generally only do this if authorised by law, or if you have expressly consented to your information being included on such a system, or for research purposes which have been approved by an Ethics Committee and in accordance with the Statutory Guidelines on Research.

For example, SIRA links data with Transport for NSW, NSW Health, icare and the NSW Police Force to identify the number of serious injuries from crashes on NSW public roads. This brings together health information that relates to the same individual, place, or event. Transport for NSW uses this information to research and analyse road trauma and target road safety initiatives to reduce serious injuries. This linkage has been approved by the NSW Population and Health Services Research Ethics Committee, Aboriginal Health and Medical Research Council Ethics Committee, and the ACT Health Human Research Ethics Committee.

9. Public register – Home Building Compensation

SIRA maintains two public registers that can be publicly accessed online:

  • The register of insurance, HBC Check makes information available about home building insurance coverage pursuant to section 102A of the Home Building Act 1989.
  • The Home Building Compensation Insurance Exemption Register makes information available about persons and projects that SIRA has exempted from insurance requirements under section 97 of the Home Building Act 1989.

The information that we are authorised to make publicly available may meet the definition of personal information under the Privacy and Personal Information Protection Act 1998. For example, some information about individual sole traders may be classified as both personal and business information.

If you have any specific concerns about your personal information being in the register, you have the right to apply to us to have it suppressed. We will only consider suppressing public information if you can demonstrate to us that your safety or wellbeing will be affected if the information is made publicly available and there is no public interest in making the information available that outweighs your interest in suppressing the information.

10. Strategies for compliance and good privacy practice

We are committed to protecting your privacy and your privacy rights. We adopt several strategies to comply with our obligations under the PPIP Act and HRIP Act, some of which are covered in section 8 of this Plan. These strategies assist us to identify and mitigate privacy risks and recognise that privacy is both an individual and shared responsibility in our day-to-day and project activities.

10.1 Policies

We have various policies to inform and assist our staff in protecting privacy which we review and update. These policies include:

  • This Plan
  • Code of Ethics and Conduct
  • SIRA Data Breach Response Plan
  • Incident Security Management Policy
  • ICT Acceptable Use Policy.

Policies are communicated to our staff in a range of ways, including through our intranet, on-the-job training and targeted training and awareness initiatives.

The Code of Ethics and Conduct outlines the responsibilities of our staff in protecting privacy. Our staff are provided with a copy of the Code and are reminded of their obligations as part of training and refresher training.

Data breaches

A breach of a person's privacy occurs when their personal and/or health information is compromised. A breach can occur:

  • when there is unauthorised access to, or disclosure of, personal information held by SIRA, or
  • where personal information held by SIRA is lost in circumstances where unauthorised access or disclosure of the information is likely to occur.

The SIRA Data Breach Response Procedure requires our staff to immediately notify their Director of any suspected data breach and if possible, contain it. A data breach is a failure which has caused, or has the potential to cause, unauthorised access to an agency’s data.

The Mandatory Notification of Data Breach (MNDB) Scheme commenced on 28 November 2023. SIRA is complying with the MNDB scheme when it is affected by an eligible data breach. SIRA has a Data Breach Response policy that outlines the response to a data breach, including how SIRA manages a breach. Please see the SIRA Data Breach Policy for more information.

If you believe your personal information has been handled incorrectly or affected, contact the business area you have been dealing with or email [email protected].

If you require access to a specific policy, please contact the Privacy Officer.

10.2 Privacy Threshold Assessments and Privacy Impact Assessments

Projects may create privacy risks and impacts for individuals. We are committed to managing those privacy risks and impacts.

We aim to perform a Privacy Threshold Assessment (PTA) as early as possible before we start a project that involves a change in how we collect or manage personal and health information. A PTA is a preliminary assessment of the privacy risks for individuals flowing from the project which would indicate the need for a Privacy Impact Assessment (PIA).

If the project creates any significant risks for individuals due to how we may collect, use, store, or disclose personal or health information, we will undertake a PIA. A PIA is automatically required before we commence a Major Project or develop a Memorandum of Understanding or Information Sharing Agreement.

A PIA is a systematic assessment that identifies the impact the project may have on the privacy of individuals and sets out recommendations for managing, minimising, or eliminating that impact.

Even if our PTA does not lead to a PIA, we aim to implement good privacy controls and an appropriate Privacy Notice.

10.3 Promoting privacy awareness and compliance

We undertake a range of initiatives to ensure our staff and members of the public are informed of our privacy practices and obligations under the PPIP Act and HRIP Act. This encourages privacy compliance and good privacy practice.

We promote privacy awareness and compliance through:

  • fostering a culture of privacy and security by design as part of our SIRA2025 strategy
  • providing a privacy advisory and support service for staff
  • answering questions from members of the public
  • educating our staff and the public about privacy rights and obligations
  • mandatory privacy and cybersecurity training and refresher training for staff
  • publishing and promoting policies and guidance for staff on privacy issues
  • reviewing and updating knowledge articles
  • maintaining and promoting this Plan on our website and using it to train our staff
  • privacy awareness activities and participating annually in Privacy Awareness Week.

10.4 Review and continuous improvement

We are committed to identifying opportunities for improvement and better practice in protecting the privacy of our customers, staff, and members of the public.

We consistently evaluate the effectiveness and appropriateness of our privacy practices, policies, and procedures to ensure they remain effective and identify, evaluate, and mitigate risks and incidents.

We are committed to:

  • monitoring and reviewing our privacy processes regularly
  • promoting and maintaining privacy awareness and compliance
  • encouraging feedback from you on our privacy practices
  • introducing initiatives that promote good privacy handling in our business practices.

11. Offences

It is a criminal offence for our staff to:

  • intentionally disclose or use personal or health information for an unauthorised purpose, or
  • offer to supply personal or health information for an unauthorised purpose, or
  • cause any unauthorised access to or modification of restricted data held in a computer, or
  • hinder the Privacy Commissioner or a member of her staff from doing their job.

Outside of official functions and duties, it is a criminal offence, punishable by up to two years’ imprisonment, a fine of $11,000, or both, for any person employed or engaged by the NSW public service to intentionally use, disclose, or offer to supply any personal or health information they have had access to, or may access, about another person. It is also a criminal offence, punishable by up to two years' imprisonment, for any person to cause any unauthorised access to or modification of restricted data held in a computer.

Hindering the Privacy Commissioner or a member of staff from doing their job is punishable by up to $11,000 and dealt with summarily before a Local Court.

Suspected criminal conduct may result in dismissal and/or referral to the NSW Police.

12. Privacy questions, complaints and internal reviews

We welcome your questions about privacy. We also encourage you to contact us directly to resolve any concerns you have about our handling of personal or health information by informing the staff member or business unit dealing with your information.

You have the option to tell us that you want to resolve a privacy complaint informally instead of through a formal privacy internal review. However, it is your right to request a privacy internal review at any time by contacting us.

12.1 Your right of privacy internal review

You have the right to ask us for a privacy internal review if you think we have breached your privacy.

An application for privacy internal review must:

  • be in writing and addressed to SIRA
  • specify an address in Australia, or an email address, at which the applicant can be notified after the completion of the review
  • be lodged with SIRA within six months from the time the applicant first became aware of the conduct they want reviewed.

To help you apply for a privacy internal review, you may use the application form available on the Information and Privacy Commission’s website. Although we encourage you to use the form, you do not have to. You should include all relevant information with your application including when the suspected breach occurred, what happened and the outcomes you are seeking.

12.2 The privacy internal review process

When we receive a privacy internal review application the Privacy Officer will:

  • send an acknowledgment letter to you and advise that if the internal review is not completed within 60 days, you have a right to seek a review of the conduct by the NSW Civil and Administrative Tribunal
  • send a letter to the NSW Privacy Commissioner with details of the application. A copy of the written complaint will also be provided to the Privacy Commissioner.

Privacy internal reviews follow the process set out in the Information and Privacy Commission NSW's Internal Review Checklist. When the privacy internal review is completed, the Privacy Officer will notify you in writing of:

  • the findings of the review
  • the reasons for these findings
  • any action SIRA proposes to take and the reasons for the proposed action (or no action)
  • your entitlement to have the findings and the reasons for the findings reviewed by the NSW Civil and Administrative Tribunal.

We are required to give a copy of your privacy internal review request to the Privacy Commissioner, in addition to a copy of SIRA’s draft privacy internal review report. We must consider any submissions made by the Privacy Commissioner and we will keep the Commissioner informed of the progress of the privacy internal review. We will also provide the Commissioner with a copy of SIRA’s finalised privacy internal review report.

12.3 Privacy internal review timeframes

You must lodge your request for privacy internal review within six months from the time you first became aware of the conduct that you think breached your privacy. We may accept late applications in certain circumstances (such as if you have only recently become aware of your right to seek a privacy internal review, or for reasons relating to your capacity to lodge an application on time). If we do not accept your application, we will provide our reasons in writing.

We will acknowledge receipt of a privacy internal review and will aim to:

  • complete the privacy internal review within 60 calendar days
  • respond to you in writing within 14 calendar days of completing the privacy internal review.

We will contact you to notify you about how long the review is likely to take, particularly if it may take longer than expected.

If the privacy internal review is not completed within 60 calendar days, you have a right to seek a review of the conduct by the NSW Civil and Administrative Tribunal.

12.4 External review by the NSW Civil and Administrative Tribunal

You have the right to apply to the NSW Civil and Administrative Tribunal (NCAT) if you have sought a privacy internal review and:

  • you are not satisfied with the outcome of the privacy internal review, or
  • you are not satisfied with the action taken in relation to your application for privacy internal review, or
  • you do not receive an outcome of the privacy internal review within 60 calendar days.

For more information about seeking an external review, please contact NCAT:

Sydney Office:

NSW Civil and Administrative Tribunal (NCAT)
Administrative and Equal Opportunity Division
Level 10, John Maddison Tower
86-90 Goulburn Street, Sydney

Post:

PO Box K1026
Haymarket NSW 1240

Phone: 1300 006 228

Website: www.ncat.nsw.gov.au

12.5 Complaints to the Privacy Commissioner

You have the option of complaining directly to the Privacy Commissioner if you believe that we have breached your privacy. The Privacy Commissioner’s contact details are:

Office:

NSW Information and Privacy Commission  
Level 15, McKell Building
2-24 Rawson Place
Haymarket NSW 2000

Post:

GPO Box 7011 
Sydney NSW 2001

Phone: 1800 472 679

Website: www.ipc.nsw.gov.au

13. Contact us

For further information about privacy, or to obtain a copy of this Plan, please contact us on the details below or refer to our website:

Email: [email protected]

Post:

SIRA Privacy Officer  
State Insurance Regulatory Authority  
Locked Bag 2906
Lisarow NSW 2252

Phone: 13 10 50

Website: www.sira.nsw.gov.au/privacy

14. Document information

This document was last updated on 2 December 2022

Appendix 1 – Exemptions contained in another law

This table lists exemptions for SIRA where:

  • the law requires or allows us to handle personal information in a way that does not comply with a relevant IPP (see section 25 of the PPIP Act). For example, although IPP 2 requires direct collection, we are authorised by law to collect certain information from insurers, or
  • the law requires or allows us to handle health information, within the meaning of the HRIP Act, in a specific way.

Legislation

Section

How SIRA can handle personal or health information

Home Building Act 1989

Section 121A

This section authorises when SIRA may disclose protected information it obtains in connection with the Home Building Act 1989. The disclosure may include personal or health information.

Home Building Act 1989

Section 121B

This section authorises information sharing between SIRA and the Self Insurance Corporation or a licence holder under Part 6C of the Home Building Act 1989 or a prescribed government sector agency. The disclosure may include personal or health information.

Home Building Act 1989

Section 121C

This section authorises SIRA to collect information from an insurer who is a licence holder. The licence holder may be required to disclose data to SIRA that is personal or health information.

Motor Accidents Compensation Act 1999

Section 120

This section authorises SIRA to:

  • obtain claims information (which may include personal or health information) from insurers, exchange specific information with the Lifetime Care and Support Authority and obtain specific information from the NSW Self Insurance Corporation, and
  • maintain a register comprising details of claims notified under this legislation, claims made by the nominal defendant, workers compensation claims notified under this legislation and additional details, and
  • allow licensed insurers and others that SIRA approves to inspect the register.

Motor Accident Injuries Act 2017

Section 10.23

This section authorises SIRA to:

  • collect, use, and disclose data (which may include personal or health information) related to third party policies, claims for statutory benefits or damages, the functions, activities and performance of insurers and the provision of health, legal and other services to persons in motor accidents, and
  • obtain relevant data from insurers, relevant insurance or compensation authorities, hospitals, government agencies and any other source, and
  • exchange data concerning third party policies, claims and other related matters under insurance or compensation schemes between different parts of SIRA, and
  • exchange data concerning third party policies, claims and other related matters with icare and licensed insurers or with relevant insurance and compensation authorities.

Motor Accident Injuries Act 2017

Section 10.24

This section authorises SIRA to collect information from insurers. It requires insurers to disclose data to SIRA (including personal or health information) relating to third-party policies, claims and other related matters under the Motor Accident Injuries Act 2017. This includes but is not limited to collections and disclosures for the purposes of setting premiums, underwriting the profit of insurers, handling claims, investigating the cost of providing health, legal and other services to injured persons and the detection and prosecution of fraudulent claims.

Workplace Injury Management and Workers Compensation Act 1998 

Section 40B

This section authorises SIRA to:

  • collect, use, and disclose data (which includes personal or health information) related to policies of insurance; claims for compensation or work injury damages; the functions, activities and performance of insurers and employers; the provision of health, legal and other services to injured workers and any matter in respect of which a complaint is made to SIRA or the Independent Review Officer concerning any aspect of the schemes to which the workers compensation legislation relates, and
  • obtain relevant data from insurers, relevant insurance or compensation authorities, hospitals, government agencies and any other source, and
  • exchange data concerning insurance policies, claims and other related matters under insurance compensation schemes between different parts of SIRA, and
  • exchange data concerning policies, claims and other related matters with the Independent Review Officer and insurers.

Workplace Injury Management and Workers Compensation Act 1998

Section 40C

This section authorises SIRA to collect information from insurers. It requires insurers to disclose data to SIRA (including personal or health information) relating to policies of insurance, claims and other related matters under the workers compensation legislation.

Workplace Injury Management and Workers Compensation Act 1998

Section 72

This section authorises SIRA to allow insurers to inspect claims information that we hold in relation to the workers compensation system. This means SIRA may disclose personal or health information as part of the inspection.

Workplace Injury Management and Workers Compensation Act 1998

Section 243

This section authorises when SIRA can disclose the information it obtains in connection with the Workplace Injury Management and Workers Compensation Act 1998. Such information may contain personal and health information.

It authorises SIRA to disclose information it obtains in connection with the Workplace Injury Management and Workers Compensation Act 1998 (which may include personal or health information) to SafeWork NSW, the Chief Commissioner of State Revenue, the Australian Prudential Regulation Authority (APRA), the Australian Securities and Investments Commission (ASIC) or any other person or body prescribed by regulation for the purposes of section 243.

An example of a body prescribed by regulation is the Health Care Complaints Commission under the Workers Compensation Regulation 2010.

Workers Compensation Act 1987

Section 174

This section authorises SIRA to obtain wage records from employers in relation to the workers compensation system. This means SIRA may indirectly collect personal or health information.

Appendix 2 – Types of personal and health information held by us

For each information category, this appendix gives a description, examples of the information we collect, and the purpose and nature of collection, use and disclosure.

Communications

Description: Customers and stakeholders receive communications from SIRA on a regular basis.

Examples of the information we collect:

  • Name and email address

Purpose and nature of collection, use and disclosure:

  • To communicate about our regulatory functions and activities
  • As permitted, or required, by law

Claims

Description: Insurers report details of insurance claims to SIRA on a regular basis.

Examples of the information we collect:

  • Name, address and contact details
  • Gender
  • Nature of injury
  • Work capacity information
  • Status of claim
  • Pre-injury work information

Purpose and nature of collection, use and disclosure:

  • Regulatory functions and activities
  • As permitted, or required, by law

Policy holders

Description: Insurers report policy details to SIRA on a regular basis.

Examples of the information we collect:

  • Policy holder name, address and contact details
  • Policy number

Purpose and nature of collection, use and disclosure:

  • Regulatory functions and activities
  • As permitted, or required, by law

Service providers

Description: Insurers report details of services provided on a regular basis.

Examples of the information we collect:

  • Service provider name, address and contact details
  • Service provider number
  • Service provision information

Purpose and nature of collection, use and disclosure:

  • Regulatory functions and activities
  • As permitted, or required, by law

Allied Health Professionals

Description: Health professionals who treat injured workers to assist in their recovery.

Examples of the information we collect:

  • Name
  • Address
  • Contact details
  • Accreditation, membership, and registration numbers
  • Training history

Purpose and nature of collection, use and disclosure:

  • Regulatory functions and activities
  • As permitted, or required, by law

Customer enquiries and regulatory complaints

Description: Customers make enquiries with SIRA and complaints about the entities that SIRA regulates.

Examples of the information we collect:

  • Name, address, contact details
  • Claim number
  • Insurer name
  • Type of claim (e.g., workers compensation)
  • Information customers choose to provide through online forms, email, phone, and other means
  • Information verbally communicated and recorded in file notes by staff

Purpose and nature of collection, use and disclosure:

  • Regulatory functions and activities
  • Disclosure to, and collection from, the Independent Review Officer
  • As permitted, or required, by law

Staff information

Description: Staff information may be stored by SIRA. This is in addition to the information SIRA accesses about staff from DCS.

Examples of the information we collect:

  • Name
  • Contact details
  • Emergency contact details
  • Performance information
  • Grievance information
  • Other information disclosed by staff

Purpose and nature of collection, use and disclosure:

  • For administrative purposes relating to SIRA staff activities and for management purposes
  • Disclosure to People and Culture, DCS Internal Audit, and the DCS Chief Audit and Chief Risk Officer
  • As permitted, or required, by law

Government information access

Description: Members of the public apply to SIRA for access to government information.

Examples of the information we collect:

  • Name
  • Contact details
  • Authorised representative’s name and contact details (if applicable)
  • Details of whether you have a live court matter
  • Other information applicants choose to provide

Purpose and nature of collection, use and disclosure:

  • Functions under the GIPA Act
  • As permitted, or required, by law

Privacy internal reviews and personal information requests

Description: Members of the public apply to SIRA for privacy internal reviews, and to access or amend their personal information.

Examples of the information we collect:

  • Name
  • Contact details
  • Authorised representative’s name and contact details (if applicable)

Purpose and nature of collection, use and disclosure:

  • Functions under the PPIP Act and HRIP Act
  • As permitted, or required, by law

Appendix 3 – Privacy notices

A privacy notice must be written, or given verbally, to suit the relevant purpose of collection.

Information we include in a privacy notice

When we collect information directly from you and provide a privacy notice, we take steps to inform you of the following:

  • that the information is being collected
  • what it will be used for (the purpose of collection)
  • who will receive the information (including anyone outside of SIRA)
  • whether the collection is voluntary or required by law, and any consequences for you if the information is not provided
  • our contact details as the agency collecting and holding your information
  • another agency’s contact details if they are collecting or holding your information
  • an explanation as to how you can find out more about how we manage your information, including how to access and correct it. This involves providing a link to the SIRA privacy page.

When we collect personal or health information verbally (e.g., during a telephone conversation) we may use less formal wording when notifying you of the above matters.

Preparation of privacy notices

The following principles apply to privacy notices for customer transactions where personal or health information is collected by SIRA:

  • the notice should cover the matters listed in the section above titled ‘Information we include in a privacy notice’
  • the SIRA Privacy Officer should approve the wording and location of all privacy notices
  • if the transaction can occur across more than one channel (e.g., paper form and digital), the privacy notice should be worded as consistently as possible across each channel and/or entity
  • wording should be concise and in plain language
  • the preferred practice is to ensure that the notice is given or visible before any data collection begins (and if not, provided as soon as possible afterwards).