SIRA privacy management plan

The State Insurance Regulatory Authority (SIRA) Privacy Management Plan explains how SIRA manages personal and health information in line with New South Wales (NSW) privacy laws.

About this Privacy Management Plan

This Privacy Management Plan (Plan) explains how we manage personal and health information under NSW privacy laws.

We have obligations under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) and the Health Records and Information Privacy Act 2002 (NSW) (HRIPA) to protect the privacy rights of customers, clients, staff and members of the public. We take these responsibilities seriously.

This Plan:

  • illustrates our commitment to respecting the privacy rights of customers, clients, staff and members of the public, and enhances the transparency of our operations,
  • provides our employees and contractors with the necessary knowledge and skills to manage personal and health information appropriately, and
  • meets the requirement for us to have such a Plan under section 33 of PPIPA.

This Plan applies to our treatment of all personal and health information, whether it relates to a customer, an employee or another person (such as a contractor).

About us

The State Insurance Regulatory Authority (SIRA) is a statutory body constituted under the State Insurance and Care Governance Act 2015 (NSW) and is governed by an independent Board. We are an independent agency located within the NSW Customer Service Cluster.

SIRA has three core divisions:

  • Motor Accidents Insurance Regulation - SIRA regulates the privately underwritten Compulsory Third Party (CTP) Insurance (Green Slip Scheme) for motor vehicles registered in NSW. It licenses and regulates private insurers that underwrite the Scheme so that premiums are affordable and competitive, and injured people receive fair benefits, early and appropriate treatment, and rehabilitation to achieve optimal recovery.
  • Workers and Home Building Compensation Insurance Regulation - SIRA supervises the NSW workers compensation and home building compensation systems. The primary focus is to promote the financial viability of these systems, optimal outcomes, and fairness for claimants and policy holders.
  • Dispute Resolution Services Division - SIRA provides an independent statutory alternative to court dispute resolution by determining motor accident injury disputes between injured people and insurers. As a regulator, our purpose is to ensure that our insurance and support systems are easy to deal with and deliver protection, recovery and restoration entitlements and good outcomes at an affordable price and in a sustainable way.

We carry out functions as set out in the following legislation:

  • Workers Compensation Act 1987
  • Workplace Injury Management and Workers Compensation Act 1998
  • Workers Compensation (Bush Fire, Emergency and Rescue Services) Act 1987
  • Motor Accidents Act 1988
  • Motor Accidents Compensation Act 1999
  • Motor Accident Injuries Act 2017
  • Home Building Act 1989
  • State Insurance and Care Governance Act 2015
  • Associated amending legislation, regulations, statutory guidelines and Orders and codes of practice

Our responsibilities

Responsibilities of employees

All employees and contractors of SIRA are required to comply with the privacy principles set out in PPIPA and HRIPA.

If the privacy principles are breached, SIRA may face loss of customer trust and financial costs including compensation. Both Acts also contain criminal offence provisions applicable to employees and contractors who use or disclose personal information or health information without authority.

This Plan is intended to assist employees to understand and comply with their obligations under those Acts. If SIRA employees feel uncertain as to whether certain conduct may breach their privacy obligations, they should seek the advice of the SIRA Privacy Officer.

Employees who are suspected of conduct that would breach the privacy principles or the criminal provisions may be disciplined for a breach of the Code of Conduct. Suspected criminal conduct may result in dismissal of employment and/or referral to NSW Police.

Responsibilities of the SIRA Privacy Officer

The SIRA Privacy Officer is responsible for the ongoing education of SIRA employees (including any third-party service providers, consultants or contractors) about their obligations under the PPIPA and HRIPA, by:

  • ensuring this Plan remains up to date
  • making a copy of this Plan available to all current and incoming employees, and contractors
  • informing employees and contractors of any changes to the Plan
  • ensuring relevant privacy documents are consolidated and made available through the SIRA intranet
  • conducting or arranging employee training sessions on privacy matters as required, and
  • being available to answer any questions employees or contractors may have about their privacy obligations.

The Privacy Officer, in accordance with clause 6 of the Annual Reports (Departments) Regulation 2010, will ensure that the SIRA Annual Report includes:

  • a statement of the action taken by SIRA in complying with the requirements of PPIPA and HRIPA, and
  • statistical details of any internal reviews conducted by or on behalf of SIRA.

The SIRA Privacy Officer will review and update this Plan:

  • at least every two years, and no later than October 2020
  • if SIRA wishes to introduce a significant new collection, use or disclosure of personal or health information, and
  • if a privacy code or a direction of the Privacy Commissioner, or the expiry of such a code or direction, significantly modifies the application of the IPPs to the operations of SIRA.

The Chief Executive of SIRA, on the advice of the Privacy Officer, may amend this Plan as necessary at any time. A revised copy of the Plan will be made available on the website as soon as practicable. Any amendments will be drawn to the attention of all relevant personnel, and the NSW Privacy Commissioner will be advised of any such amendment as soon as practicable.

The SIRA Privacy Officer is also responsible for answering questions from members of the public or SIRA employees about the content or operation of this Plan, and handling privacy related complaints.

The Information Protection and Health Privacy Principles

PPIPA and HRIPA contain principles about managing personal and health information which we must comply with. These principles are legal obligations that describe what we must do when we collect, store, use or disclose personal and health information.

PPIPA sets out how we must manage personal information, and requires us to comply with 12 Information Protection Principles (IPPs).

HRIPA sets out how we must manage health information, and requires us to comply with 15 Health Privacy Principles (HPPs).

There are exemptions that provide that we do not need to comply with certain IPPs and HPPs when handling personal and health information.

What is personal information?

Personal information is defined in section 4 of PPIPA as:

  • ‘information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion’.

Essentially, personal information is any information or an opinion that can identify an individual.

Common examples of personal information include a person’s name, contact information, bank account details, or claim numbers.

What is not personal information?

There are certain types of information that are not considered personal information and these are outlined at section 4(3) and 4A of PPIPA.

This means that the IPPs do not apply to our handling of certain types of information. These include:

  • information about an individual who has been dead for more than 30 years
  • information about an individual that is contained in a publicly available publication (for example, information provided in a newspaper or a court judgment available on the internet)
  • information or an opinion about an individual’s suitability for appointment or employment as a public sector official (for example, recruitment records, referee reports and performance appraisals), and
  • health information (health information is not ‘personal information’ covered by PPIPA; it is covered by HRIPA instead).

What is health information?

Health information is a specific type of personal information that is defined in section 6 of HRIPA as:

  • personal information that is also information or an opinion about
    • an individual’s physical or mental health or disability
    • an individual’s express wishes about the future provision of health services to themselves
    • a health service provided, or to be provided, to an individual
  • other personal information collected to provide a health service
  • other personal information about an individual collected in connection with the donation of an individual’s body parts, organs or body substances
  • genetic information that is or could be predictive of the health of a person or their relatives or descendants
  • healthcare identifiers (for example a person’s Medicare card number).

Common examples of health information include a doctor’s report, an x-ray, or even information about a person’s medical appointment.

What is not health information?

As with personal information, there are certain types of information which are not considered health information. These are outlined in section 5(3) of HRIPA and include some of the types of information listed under ‘What is not personal information?’ above.

For example, health information about a person who has been dead for more than 30 years and some employee-related health information, namely information or an opinion about an individual’s suitability for appointment or employment as a public sector official, is not considered health information.

Types of personal and health information held by us

We have a range of functions requiring or involving the collection and use of personal and health information from members of the public, such as claimants and policy holders. These are outlined in Appendix 2.

The majority of personal and health information about SIRA staff members is held by the Department of Customer Service (DCS) rather than SIRA itself. Some information, such as personal phone numbers and emergency contact details, is maintained at a local level or accessed for management purposes.

For further information about how DCS handles personal and health information, please visit the DCS website.

How we manage personal and health information

The Information Protection Principles (IPPs) and Health Privacy Principles (HPPs) set out how we must manage personal and health information.

This section provides an overview of how we comply with the IPPs and HPPs when we handle the personal and health information of our customers, clients, staff and members of the public.

Collection

We will only collect personal and health information if:

  • it is for a lawful purpose that is directly related to one of our functions, and
  • it is reasonably necessary for us to have the information.

We collect personal and health information in a variety of ways, including by forms, email, through our website, over the phone or in person.

We only ask for personal and health information that is reasonably necessary for the task at hand and is required for our regulatory functions and activities. For example, we will give you the opportunity to not identify yourself when seeking generic information from us. Other times it will be necessary for us to collect your personal and health information in order to fulfil our functions as a regulator of workers compensation, home building and motor accidents insurance.

We avoid collecting sensitive personal information if we don’t need it. Sensitive information is information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities.

Direct collection (IPP 2 & HPP 3)

Wherever possible, we seek to collect personal and health information directly from the person concerned.

We will only collect information from a third party where:

  • the person has authorised collection of the information from someone else
  • the person is under 16 years of age – in which case we may instead collect information from the person’s parent or guardian
  • in the case of health information, it would be unreasonable or impracticable to collect information from an individual
  • we are lawfully authorised to do this. For example, we indirectly collect personal and health information relating to workers compensation, motor accident and home building compensation claims from insurers. This is authorised under legislation (see Appendix 3 – Exemptions).

Requirements when collecting information (IPP 3 & HPP 4)

When collecting personal or health information from an individual, we take reasonable steps to tell them:

  • the fact that the information is being collected
  • what it will be used for
  • what other parties (if any) we intend will receive this type of information from us
  • whether the collection is required by law or is voluntary
  • what the consequences will be for the person if they do not provide the information to us
  • that they have a right to access and/or correct their information held by us, and
  • the name and contact details of the agency collecting the information and the agency that will hold the information.

When collecting health information about an individual from a third party, we take reasonable steps to ensure the individual is generally aware of the notification matters above (except where doing so would threaten the life or health of any person).

Generally, we provide notification to an individual by way of a ‘privacy notice’ that is included on a form, web page, recorded message or in a verbal notice at the time the personal or health information is collected, or as soon as we can afterwards.

For example, individuals submitting an application for dispute resolution services are provided with a privacy notice on their application form that details why information is collected, how it will be used and to whom it will be disclosed.

Notification is not required if the information is not collected directly from the individual, except in the case of health information. In the case of health information, we are obliged to take reasonable steps to ensure the individual is generally aware of the notification matters except in certain circumstances.

For example, the application form for dispute resolution services notifies applicants that SIRA may collect personal and health information relevant to the claims from third parties.

For further information on privacy notices see Appendix 1 – Guide to drafting privacy notices.

Relevant (IPP 4 & HPP 2)

When collecting information from an individual, we will:

  • not collect excessive personal or health information
  • not collect personal or health information in an unreasonably intrusive manner, and
  • ensure that personal and health information collected is relevant, accurate, up-to-date and complete.

We take reasonable steps to ensure that information we collect from an individual is not unreasonably intrusive or excessive, and is relevant, accurate, up-to-date and complete.

To determine what might be reasonable steps, we consider:

  • the purpose for which the information was collected
  • the sensitivity of the information
  • how many people will have access to the information
  • the importance of accuracy to the proposed use
  • the potential effects for the individual concerned if the information is inaccurate, out-of-date or irrelevant
  • the opportunities to subsequently correct the information, and
  • the ease with which agencies can check the information.

Retention and security (IPP 5 & HPP 5)

We will take reasonable security safeguards to protect personal and health information from loss, unauthorised access, use, modification or disclosure, and against all other misuse. We will ensure personal and health information is stored securely, not kept longer than necessary, and disposed of appropriately.

Where it is necessary for personal or health information to be used by a person in connection with the provision of a service to us, we will take steps to prevent unauthorised use and disclosure of that information.

We hold a large amount of personal and health information and consider the security of that information fundamental to protecting privacy.

Information is stored in a variety of ways, including on our databases, cloud storage, by third parties and in various physical office locations.

We maintain reasonable security measures, including technical, physical and administrative actions, to protect information from unauthorised access and misuse.

Examples of such security measures include:

  • restricting access to IT systems and databases to ensure that only authorised users with a clear business need can access them
  • use of strong passwords for computer access and a mandatory requirement that all staff change computer access passwords on a regular basis
  • print on demand (secured printing)
  • implementing and maintaining information management security policies that are regularly reviewed and updated
  • maintaining logs and audit trails
  • providing staff with access to secure storage spaces near workstations to secure documents and devices
  • physically securing sensitive and confidential information in locked rooms
  • implementing and observing a clear desk policy
  • ensuring alignment with our obligations under the Digital Information Security Policy 2015 (NSW)
  • adopting best practice in electronic and paper records management and complying with our obligations under the State Records Act 1998 (NSW)
  • records management policies that require information to be destroyed when no longer required and in a secure manner as appropriate (for example, using secure recycling bins and shredders)
  • where it is necessary for information to be used by a third-party provider for the purposes of providing us with a service, we develop and execute contractual terms that would prevent them from unauthorised use or disclosure of information that we hold
  • assessing third party supplier compliance and their security standards, and
  • providing mandatory information security awareness training to SIRA staff.

Accuracy and access

Transparency (IPP 6 & HPP 6)

We enable any person to know:

  • whether we hold their personal and health information
  • the nature of the personal and health information
  • the main purposes for which we use their personal and health information, and
  • their entitlement to access their personal and health information.

We have an obligation to the community to be open about how we handle personal and health information.

Our Privacy Statement supports this Plan and sets out the types of personal and health information that we hold, the purpose for which the information is used and how individuals can access their personal and health information.

If you have any questions about the personal and health information we hold, please contact the staff member or business unit dealing with your information. If you are unsure about who to contact, please contact the SIRA Privacy Officer.

Access to personal and health information (IPP 7 & HPP 7)

We allow people to access their personal and health information without excessive delay or expense. We only refuse access where authorised by law, and we will provide written reasons, if requested.

Members of the public

If you are a claimant under one of the schemes administered by SIRA, you may be able to access your personal and health information by contacting the insurer who is managing your claim.

If you wish to access the information that SIRA holds about you, we encourage you to contact the staff member or business unit holding your information.

If you do not know which business unit to contact regarding your request, or your request has been denied, please contact the SIRA Privacy Officer.

Employees

Staff can request access to their personnel file through their Employee Self Service. From the homepage, click on the link to the GovConnect NSW portal then click to ‘Raise an Incident’. Fill in the required fields on this page using ‘HR’ as the Issue Type, ‘HR-HR Query’ as the Category and ‘Personnel File’ as the ‘Subcategory’.

Files about disciplinary matters and grievances are confidential and access is generally provided only to the staff member to whom the file relates. Generally, staff may inspect files under supervision and will also be able to take photocopies of material on their file.

Access to information under GIPA

Anyone can seek access to government information that is held by us under the Government Information (Public Access) Act 2009 (GIPA Act). There are certain considerations that are taken into account before any information is released and we may withhold the personal or health information of another person. For more information about GIPA Act or making an access application, please visit our website.

Alterations to personal and health information (IPP 8 & HPP 8)

We will allow people to update or amend their personal and health information, to ensure it is accurate, relevant, up-to-date, complete and not misleading. Where practicable, we will notify any other recipients of any changes.

We encourage you to help us keep any information we hold about you accurate, up-to-date and complete by contacting us with updated information.

If information we hold is accurate, relevant, up-to-date, complete and not misleading but a person still insists on an amendment, we can decline to do so, but must allow the person to add a statement about the requested changes to our records. For example, it may be appropriate to attach a statement, instead of amending the information, for a disputed medical diagnosis or a person with a criminal record maintaining their innocence.

Members of the public

If you do not know which business unit to contact regarding your request, or your request has been denied, please contact the SIRA Privacy Officer.

Employees

Staff can amend certain personal information using the Employee Self Service on the intranet. You will need to contact People and Culture to make amendments to other personal or health information.

We encourage you to keep your information up to date and accurate, particularly information about your personal contact details and next of kin contact details so that you (or they) can be contacted in an emergency. It is also your responsibility to inform us if you wish to change your bank account details or payment details.

Use

Accuracy (IPP 9 & HPP 9)

Before using personal or health information, we will take reasonable steps to ensure that the information is relevant, accurate, up-to-date, complete, and not misleading.

We will take reasonable steps to ensure that personal and health information is still relevant and accurate before we use it.

What might be considered “reasonable steps” will depend upon the circumstances, but some points to consider are:

  • the context in which the information was obtained
  • the purpose for which we collected the information
  • the purpose for which we now want to use the information
  • the sensitivity of the information
  • the number of people who will have access to the information
  • the potential effects for the person if the information is inaccurate or irrelevant
  • any opportunities we’ve already given the person to correct inaccuracies, and
  • the effort and cost involved in checking the information.

For example, if SIRA received information from a third party that your details had changed we would contact you to verify the information with you prior to amending your information.

Limited Use (IPP 10 & HPP 10)

We may use personal and health information for:

  • the primary purpose for which it was collected
  • a directly related secondary purpose
  • another purpose where it is reasonably necessary to prevent or lessen a serious and imminent threat to life or health
  • another purpose for which the person has consented, or
  • another purpose where permitted by law.

When we use personal and health information, it means that we use it internally within SIRA. This includes the provision of information to contractors engaged by SIRA to manage information on our behalf; in these circumstances, SIRA retains control over the handling and use of the information.

Generally, we only use personal and health information for the purpose for which it was collected. That purpose is set out in the privacy notice that is provided when the information is collected.

A directly related secondary purpose is a purpose that is very closely related to the purpose for collection and would be the type of purpose that people would quite reasonably expect their information to be used for.

Some examples of where the law permits us to use personal or health information for another (secondary) purpose may, depending on the circumstances, include:

  • quality assurance activities such as monitoring, evaluating and auditing
  • complying with work health and safety laws that require us to use information to ensure the safety of our employees
  • unsatisfactory professional conduct or breach of discipline
  • the information relates to a person’s suitability for appointment or employment as a public sector official
  • finding a missing person
  • preventing a serious threat to public health and safety
  • research or analysis of statistics
  • joint research and/or commissioned analytics with academics, the NSW Data Analytics Centre and the SafeWork NSW Centre for Work Health and Safety
  • managing and processing enquiries, complaints and disputes.

Disclosure

Disclosure (IPPs 11 & 12 and HPPs 11 & 14)

We may disclose personal information if:

  • the disclosure is directly related to the purpose for which the information was collected, and we have no reason to believe that the individual concerned would object to the disclosure, or
  • the individual has been made aware in the privacy notice that information of this kind is usually disclosed to the recipient, or
  • we reasonably believe that the disclosure is necessary to prevent or lessen a serious and imminent threat to life or health, or
  • the disclosure is otherwise authorised by law.

Higher protections are afforded to sensitive personal information. We can generally only disclose sensitive personal information when the person has consented to the disclosure or when it is necessary to prevent a serious and imminent threat to life or health.

We can generally disclose health information when the person has consented to the disclosure; the disclosure is directly related to the purpose for which it was collected and the individual would reasonably expect us to disclose the information for that purpose; or the disclosure is necessary to prevent or lessen a serious and imminent threat to life, health or safety.

When we disclose information, it means that we give it to a third party outside of SIRA to use for their own purposes. We will only do this in the circumstances outlined above, or when you have provided consent for us to do so, or where it is permitted or required by law.

For example, the results of the young drivers telematics trial will involve participants’ personal information being aggregated or de-identified before it is published. This prevents unlawful disclosure and prevents the driving habits of participants being associated with their name and other personal identifiers. SIRA is unable to disclose participants’ personal information to parties outside the trial unless the participant has given consent, or where required or authorised by law. If you would like more information about the trial and how it uses participants’ data, please visit our website.

Generally, we do not disclose health information outside of NSW. However, if there is a good reason to do so, we only disclose the information in accordance with PPIPA and HRIPA.

Identifiers (HPP 12)

We will only identify individuals by using unique identifiers if it is reasonably necessary for us to carry out our functions.

Identifiers are used to uniquely identify an individual and their health records. An identifier does not need to include a person’s name, as identifiers are designed to be unique to a specific individual (for example, a customer number, unique patient number, tax file number, or driver licence number).

For example, SIRA has funded the ‘Factors influencing social and health outcomes after motor vehicle crash injury: an inception cohort study’ (FISH study) which has assigned identifiers to its participants. Identifiers are used to collect Medicare and Pharmaceutical Benefits Scheme data on the health service usage of participants. To protect the privacy of participants and to comply with research ethics requirements, SIRA cannot access the linked data or any individual-level data.

Anonymity (HPP 13)

Wherever it is lawful and practicable, individuals must be given the opportunity to not identify themselves when entering into transactions with or receiving health services from an organisation.

We will give you the opportunity to transact anonymously when possible, for example if you call us to seek general advice. However, sometimes it will be necessary for you to identify yourself so that we can help, for example where a customer makes an enquiry about their claim.

Linkage of Health Records (HPP 15)

We only use health records linkage systems if an individual has provided or expressed their consent, unless the linkage is for research purposes and has been approved in accordance with statutory guidelines.

We will only use health records linkage systems when individuals have expressly consented to their information being included on such a system, or for research purposes which have been approved by an Ethics Committee and in accordance with the Statutory Guidelines on Research.

For example, SIRA links data with Transport for NSW, NSW Health, icare and the NSW Police Force to identify the number of serious injuries from crashes on NSW public roads. This study brings together information that relates to the same individual, place or event. Transport for NSW uses this information to research and analyse road trauma and target road safety initiatives to reduce serious injuries. This linkage has been approved by the NSW Population & Health Services Research Ethics Committee, Aboriginal Health & Medical Research Council Ethics Committee and the ACT Health Human Research Ethics Committee.

Exemptions to how we manage personal and health information

Specific exemptions contained in PPIPA and HRIPA

PPIPA and HRIPA provide that we need not comply with some or all of the IPPs and HPPs in certain circumstances or if certain information is collected.

Some examples of exemptions most relevant to our functions and activities include:

  • personal information collected before 1 July 2000
  • health information collected before 1 September 2004
  • some law enforcement, investigative and complaints handling purposes
  • when authorised or required by a subpoena, warrant or statutory notice to produce
  • if another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or reasonably contemplated by another law
  • in the case of health information, to lessen or prevent a serious threat to public health or public safety
  • some research purposes
  • in the case of health information, compassionate reasons, in certain limited circumstances
  • finding a missing person, and
  • information sent between public sector agencies to transfer enquiries or to manage correspondence from a Minister or Member of Parliament.

There are no privacy codes of practice or public interest directions that allow SIRA to modify its application of the IPPs and HPPs.

In addition, SIRA does not maintain any public registers that require us to make personal information publicly available under another law.

Examples of laws which provide SIRA with lawful authorisation to handle information without complying with certain IPPs and HPPs are provided in Appendix 3.

If an exemption applies to a particular situation, we will inform the individuals affected about the exemption and why it applies.

Strategies for compliance and best practice

We are committed to protecting the privacy rights of customers, clients, staff and members of the public.

We adopt several strategies to implement best practice principles and comply with our obligations under PPIPA and HRIPA that recognise that privacy is a shared responsibility within SIRA.

Policies and procedures

We have developed policies, standards and guidelines to inform and assist staff in protecting privacy. These policies provide best practice guidance and practical advice on matters relating to:

  • acceptable use of technology
  • dealing with confidential information
  • information security
  • records management
  • privacy breaches, and
  • use of social media.

Our Code of Conduct outlines the responsibilities of our staff in protecting privacy. All staff are provided with a copy of the Code and are regularly reminded of their obligations. The Code is available on our website and intranet.

We consistently review and update our policies and procedures. For example, we update our factsheets to reflect amendments to PPIPA or HRIPA so our staff and members of the public receive accurate information about our privacy practices.

Our policies and procedures will be further strengthened over time by programs addressing audit findings around Data Governance, user access management and security controls.

Any new policy or procedure, or any policy that is changed or updated, is developed in consultation with relevant business areas and receives the endorsement of senior management, Strategy & Governance and Legal.

Policies and procedures, including this Plan, are communicated to staff in a range of ways, including through our intranet, printed copies and targeted and on-the-job training. They are also made available on our website.

If you require a copy of a policy or procedure that is not found on our website, please contact the SIRA Privacy Officer.

Procedure for responding to a data breach

We have developed a Data Breach Response Plan that can be followed by staff in the event of a data breach or suspected data breach.

A data breach occurs when personal and/or health information held by SIRA is subject to unauthorised access or disclosure, or is lost. The Data Breach Response Plan supports the requirements under PPIPA and HRIPA to ensure that personal and health information is protected against all forms of misuse.

This procedure enables SIRA to respond quickly to a data breach, which can substantially decrease the impact of a breach on affected individuals.

Promoting privacy awareness

We undertake a range of initiatives to ensure our staff and members of the public are informed of our privacy practices and obligations under PPIPA and HRIPA. This also assists in identifying and mitigating risks associated with privacy and encourages best practice.

We promote privacy awareness and compliance by:

  • publishing and promoting this Plan on our intranet and website
  • including mandatory privacy training in our induction program (for example, Code of Conduct and Fraud and Corruption awareness modules)
  • publishing and promoting policies on our intranet
  • maintaining a dedicated privacy page on our intranet that centralises all privacy resources for staff and provides information about what to do if staff are unsure about a privacy issue
  • drafting and publishing privacy factsheets on our intranet to provide staff with practical guidance on privacy issues and considerations
  • participating annually in Privacy Awareness Week (which includes becoming a Privacy Awareness Week partner and conducting training seminars and campaigns for all staff during this period)
  • delivering periodic face to face training across different business areas
  • providing a dedicated privacy advisory service to staff
  • assessing privacy impacts of new projects or processes from the outset
  • endorsing a culture of good privacy practice
  • educating the public about their privacy rights and our obligations (for example, providing privacy information on forms that collect personal and health information).

Review and continuous improvement

We are committed to identifying opportunities for improvement and better practice in protecting the privacy of our customers, staff and members of the public.

We consistently evaluate the effectiveness and appropriateness of our privacy practices, policies and procedures to ensure they remain effective and identify, evaluate and mitigate risks of potential non-compliance.

We are committed to:

  • monitoring and reviewing our privacy processes regularly
  • further promoting and maintaining privacy awareness and compliance
  • encouraging feedback from our staff and customers on our privacy practices
  • actively participating in Privacy Awareness Week and other privacy initiatives
  • introducing initiatives that promote good privacy handling in our business practices (such as assessing privacy impacts of new projects or processes from the outset)
  • carrying out comprehensive assessments of the risk to digital information and digital information systems that are used to process personal and health information
  • actively promoting information security awareness to ensure all staff fully understand their responsibilities of information security compliance in their day-to-day activities.

If you think we have breached your privacy

We encourage you to contact us directly to resolve any concerns you have about our handling of your personal or health information.

If you think we have breached your privacy, you can discuss any concerns with the staff member or business unit dealing with your information, or contact the SIRA Privacy Officer.

Your right of internal review

You have the right to ask us for an internal review if you think we have breached your privacy.

An application for internal review must:

  • be in writing
  • be addressed to SIRA
  • specify an address in Australia where you can be contacted after the completion of the review.

To apply for an internal review, write to us at the contact details below. You may also contact us if you require assistance to request an internal review.

You are able to include any relevant information with your application.

Process

The internal review will be conducted by a person who:

  • was not involved in the conduct which is the subject of the complaint
  • is a staff member of SIRA, and
  • is qualified to deal with the subject matter of the complaint.

Internal review follows the process set out in the Information & Privacy Commission’s internal review checklist. When the internal review is completed, you will be notified in writing of:

  • the findings of the review
  • the reasons for those findings
  • the action we propose to take
  • the reasons for the proposed action (or no action), and
  • your entitlement to have the findings and the reasons for the findings reviewed by the NSW Civil and Administrative Tribunal.

We are required to give a copy of your internal review request to the Privacy Commissioner. We will also send a copy of the draft internal review report to the Privacy Commissioner and we must take into account any submissions made by the Privacy Commissioner. We will keep the Privacy Commissioner informed of the progress of the internal review and will provide a copy of the finalised internal review report.

Timeframes

You must lodge your request for internal review within six months from the time you first became aware of the conduct that you think breached your privacy.

We may accept late applications in certain circumstances (such as if you have only become aware of your right to seek an internal review or for reasons relating to your capacity to lodge an application on time). If we do not accept your application, we will provide our reasons in writing.

We will acknowledge receipt of an internal review and will aim to:

  • complete the internal review within 60 calendar days, and
  • respond to you in writing within 14 calendar days of completing the internal review.

We will contact you to advise how long the review is likely to take, particularly if it may take longer than expected.

If the internal review is not completed within 60 days, you have a right to seek a review of the conduct by the NSW Civil and Administrative Tribunal (see below).

Your right to external review

You have the right to apply to the NSW Civil and Administrative Tribunal if you have sought an internal review and:

  • you are not satisfied with the outcome of the internal review
  • you are not satisfied with the action taken in relation to your application for internal review
  • you do not receive an outcome of the internal review within 60 days.

For more information about seeking an external review, contact the Tribunal on the details below:

Office: NSW Civil and Administrative Tribunal (NCAT), Administrative and Equal Opportunity Division
Level 10, John Maddison Tower
86-90 Goulburn Street
Sydney NSW 2000

Post: PO Box K1026
Haymarket NSW 1240
DX 11539 Sydney Downtown

Phone: 1300 006 228

Website: www.ncat.nsw.gov.au

Complaints to the Privacy Commissioner

You have the option of complaining directly to the Privacy Commissioner if you believe that we have breached your privacy.

The Privacy Commissioner’s contact details are:

Office: NSW Information & Privacy Commission
Level 17, 201 Elizabeth St
Sydney NSW 2000

Post: GPO Box 7011
Sydney NSW 2001

Phone: 1800 472 679

Website: www.ipc.nsw.gov.au

Email: ipcinfo@ipc.nsw.gov.au

Contact Us

For further information about this Plan or if you have questions about your privacy, please contact us on the details below.

Post: The SIRA Privacy Officer
State Insurance Regulatory Authority
Level 6, McKell Building
2-24 Rawson Place
SYDNEY NSW 2000

Phone: 13 10 50

Website: https://www.sira.nsw.gov.au/privacy

Email: privacy@sira.nsw.gov.au

Appendix 1 – Guide to drafting privacy notices

The following principles apply to the process for drafting privacy notices for customer transactions:

  • the SIRA Privacy Officer must approve the wording and location of all privacy notices
  • if the transaction can occur across more than one channel (i.e. paper form and digital), the privacy notice should be worded as closely as possible across each channel
  • wording should be concise and in plain language
  • the notice should clarify what SIRA will do with the information, and
  • the notice should be given, or be visible, before any data collection begins.

At the end of the privacy notice developed for each specific type of collection, further information should be added, such as whether information may be used for a secondary purpose or disclosed by us, and how the information can be accessed or amended.

Following is a guide to drafting privacy notices that can be used by employees whenever personal and health information is collected and will be used or disclosed by us. A privacy notice must be written so that it suits the relevant purpose of collection. If you need help you can seek advice internally from the Privacy Officer.

If personal and health information is being collected verbally (e.g. over the telephone), see Verbal collection of information below.

Information to include in a Privacy Notice

When drafting a privacy notice, you must ensure that the person is made aware of the following:

  • That the information is being collected,
  • What it will be used for (the purpose of collection),
  • Who will hold and/or have access to the information,
  • Whether the collection is voluntary or required by law, and any consequences for the person if the information is not provided,
  • How the person can access and request amendment (if it is inaccurate) of their personal and health information held by us, and
  • Our contact details (including our address).

Verbal collection of information

When collecting personal information verbally (e.g. during telephone discussions), we can use less formal wording, so long as we explain how the person’s personal information will be used, and to whom else it will likely be disclosed. If the person asks further questions about whether the information is really needed, then we can go into more depth, and we can also mention their access and amendment rights or offer to let them speak to SIRA’s Privacy Officer.

However, if we need to obtain the person’s verbal consent to a secondary use or disclosure, we must explain what it is we are asking, and we must ensure that they understand they are free to say ‘no’. We must also make a file-note of what was said.

Appendix 2 – Examples of personal and health information held by us

Each entry below lists the type of information, a description of how it is collected, the categories of personal and health information involved, the purpose of collection, and to whom the information is disclosed.

Policy holder data
  Description: Insurers report policy details to SIRA on a regular basis
  Categories of personal and health information:
    • Policy holder name and contact details
    • Policy number
  Purpose of collection: Regulatory functions
  Disclosure: As required by law

Claims data
  Description: Insurers report details of claims to SIRA on a regular basis
  Categories of personal and health information:
    • Claimant name and contact details
    • Date of birth
    • Details of incident
    • Nature of injury
    • Work capacity information
    • Status of claim
    • Pre-injury work information
    • Payment information
  Purpose of collection: Regulatory functions
  Disclosure: As required by law

Service provider data
  Description: Insurers report details of services provided to SIRA on a regular basis
  Categories of personal and health information:
    • Service provider name and contact details
    • Service provider number
    • Service provision information
  Purpose of collection: Regulatory functions
  Disclosure: As required by law

Application for personal injury benefits
  Description: Online application to claim benefits for a person injured in a motor vehicle accident
  Categories of personal and health information:
    • Claimant name and contact details
    • Date of birth
    • Details of accident
    • Details of other parties to the accident (registration number, driver’s name and contact details)
    • Nature of injury
    • Treatment details
    • Pre-existing injury or illness
    • Employment details
    • Medicare number
  Purpose of collection: Process application for benefits
  Disclosure: Relevant CTP insurer

CTP Connect
  Description: Intention to claim questionnaire
  Categories of personal and health information:
    • Date and time of accident
    • Contact details of person completing form
    • Contact details of injured person
    • Date of birth of injured person
    • Accident details
  Purpose of collection:
    • Identify the relevant CTP insurer
    • Allow SIRA to provide advice
    • Allow SIRA to contact intending claimants to follow up on their experience, and collect this data for research and quality purposes
  Disclosure: Relevant CTP insurer

Regulatory Complaints
  Description: Complaints made about the entities that SIRA regulates
  Categories of personal and health information:
    • Contact details of person complaining
    • Contact details of person to whom the claim relates
    • Details of complaint
    • Details of injury and other relevant health information
  Purpose of collection:
    • Complaint investigation and resolution
    • Referral to other regulators
  Disclosure: Relevant insurer

Dispute Resolution Services
  Description: Independent dispute resolution services in relation to claims
  Categories of personal and health information:
    • Claimant name and contact details
    • Date of birth
    • Details of accident
    • Medical records of claimant
    • Medico-legal reports
    • Employment information
    • Claim details
  Purpose of collection: To resolve claims disputes
  Disclosure: The other party to the claim (i.e. the insurer) and medical and claims assessors.

Appendix 3 - Exemptions

The following laws authorise or permit SIRA to not comply with certain IPPs and HPPs when handling personal and health information:

  • Part 7 of Chapter 2 of the Workplace Injury Management and Workers Compensation Act 1998
    • This authorises us to:
      • collect, use and disclose data related to policies, claims, complaints, the functions, activities and performance of insurers and the provision of health, legal and other services to injured persons
      • obtain relevant data from insurers, relevant insurance or compensation authorities, hospitals, government agencies and any other source
      • exchange data concerning policies, claims and other related matters under insurance or compensation schemes between different parts of the Authority, and
      • exchange data concerning policies, claims and other related matters with the Workers Compensation Independent Review Office (WIRO) and insurers.
    • It also requires insurers to disclose data to SIRA relating to policies of insurance, claims and other related matters under the workers compensation legislation.
  • Section 72 of the Workplace Injury Management and Workers Compensation Act 1998
    • This authorises us to allow insurers to inspect claims information we hold in relation to the workers compensation system.
  • Section 243 of the Workplace Injury Management and Workers Compensation Act 1998
    • Section 243 places some additional restrictions on when information obtained in connection with that Act can be disclosed. It also authorises us to disclose certain information to SafeWork NSW, the Chief Commissioner of State Revenue and the Australian Prudential Regulation Authority or the Australian Securities and Investments Commission (and by the Workers Compensation Regulation 2010 the Health Care Complaints Commission, a professional council or registration authority under the Health Practitioner Regulation National Law, and the Long Service Corporation).
  • Section 174 of the Workers Compensation Act 1987
    • This authorises us to obtain wages records from employers in relation to the workers compensation system.
  • Section 120 of the Motor Accidents Compensation Act 1999
    • This authorises us to obtain claims information from insurers, exchange certain information with the Lifetime Care and Support Authority, and obtain certain information from the NSW Self Insurance Corporation. It also authorises us to maintain a register comprising details of:
      • claims notified by insurers under this Act
      • claims made on the Nominal Defendant
      • workers compensation claims notified under this Act, and
      • additional details.
    • It also authorises licensed insurers and others we approve to inspect that register.
  • Sections 10.23 and 10.24 of the Motor Accident Injuries Act 2017
    • These authorise us to:
      • collect, use and disclose data related to third party policies, claims for statutory benefits or damages, the functions, activities and performance of insurers and the provision of health, legal and other services to persons in motor accidents
      • obtain relevant data from insurers, relevant insurance or compensation authorities, hospitals, government agencies and any other source
      • exchange data concerning third party policies, claims and other related matters under insurance or compensation schemes between different parts of the Authority, and
      • exchange data concerning third party policies, claims and other related matters with icare and licensed insurers or with relevant insurance and compensation authorities.
    • It also requires insurers to disclose data to SIRA relating to third-party policies, claims and other related matters under the Motor Accident Injuries Act 2017.
  • Section 121B of the Home Building Act 1989
    • This authorises information sharing with the Self Insurance Corporation, a licence holder under Part 6C of the Act, or a prescribed government sector agency.
  • Section 121C of the Home Building Act 1989
    • Under this provision, a licence holder may be required to disclose data to SIRA that is personal or health information.