SIRA privacy management plan

The State Insurance Regulatory Authority (SIRA) Privacy Management Plan explains how SIRA manages personal and health information in line with New South Wales (NSW) privacy laws.

Why we have a privacy management plan

Given the nature of our work, we handle the personal and/or health information of many people. We take seriously our responsibility to look after your personal and health information and we are bound by law in the way we collect, use, store and release it. To help you understand how we do this, section 33 of the Privacy and Personal Information Protection Act 1998 (PPIP Act) requires that we have this privacy management plan (the plan) available.

Within this plan you will find information about how to access and amend any personal and health information we hold about you, as well as what to do if you think we have breached the PPIP Act or the Health Records and Information Privacy Act 2002 (HRIP Act).

Internally, we use this plan to train our staff in dealing with personal and health information and devising policies and procedures to ensure our compliance with privacy laws.

While we’ve attempted to use plain English throughout the plan to keep it user-friendly, if you’re interested in further research on privacy, there’s plenty more information available on the Information and Privacy Commissioner (IPC) website at www.ipc.nsw.gov.au.

While we hope this plan will answer any of your questions about privacy, please feel free to contact us if you need further assistance.

Part one: About us

General

Who we are

The State Insurance Regulatory Authority, known as SIRA, is responsible for the regulation of NSW workers compensation insurance, motor accidents compulsory third party (CTP) insurance and home building compensation. We focus on ensuring key public policy outcomes are achieved in relation to service delivery to injured people, affordability, and the effective management and sustainability of these insurance schemes.

It was established in 2015 as part of the reforms to the NSW insurance schemes. Further information about the 2015 reforms is available online at www.insurancereforms.nsw.gov.au.

SIRA falls under the Better Regulation Division of the Department of Finance, Services and Innovation (DFSI), and reports to the Minister for Better Regulation and Innovation.

What we do

SIRA’s main statutory functions are to administer and ensure compliance with the following legislation:

We do this by:

  • administering the workers compensation and CTP legislative and regulatory frameworks
  • regulating the NSW workers compensation system (including the Nominal Insurer and the workers compensation arrangements of NSW state government agencies), specialised insurers and self-insurers, by:
    • determining and administering self-insurer and specialised insurer workers compensation licences and assessing and determining any new licence applications
    • managing fraud deterrence, detection and response activities across the system
    • regulating premium setting and market practices by insurers
    • investigating premium compliance – both insured and uninsured
    • determining premium appeals and worker status rulings
    • conducting merit reviews of work capacity decisions
    • regulating the conduct of third party service providers in the scheme, and
    • accrediting rehabilitation providers
  • regulating the CTP scheme by:
    • determining and administering CTP insurer licences
    • monitoring and enforcing compliance with the CTP legislation, licence conditions and guidelines issued under the legislation
    • operating the Motor Accidents Medical Assessment Service and the Motor Accidents Claims Assessment and Resolution Service, and
    • monitoring the operation of the CTP scheme, including collecting statistics and information and conducting or organising research into levels of damages, insurers’ handling of claims and other matters relating to the scheme
  • advising the Minister about the administration, efficiency and effectiveness of the workers compensation and motor accidents schemes
  • providing an advisory service to assist claimants in connection with claims assessment procedures under the workers compensation and motor accidents schemes, and
  • contributing to the protection of consumers within the NSW residential building industry by making market practice and claims handling guidelines under the Home Building Act 1989, and approving premium methodologies relating to the provision of insurance under the Home Building Compensation Fund.

DFSI provides human resources, finance, information technology, legal services, government and ministerial, customer service, strategy, communication and corporate services to SIRA.

Workers compensation scheme agents and CTP insurers are private corporations and are subject to the Privacy Act 1988 (Cth) and the HRIP Act. The Nominal Insurer requires workers compensation scheme agents to observe the PPIP and HRIP Acts when handling workers compensation claimants’ personal and health information. For more information on a specific insurer’s privacy obligations, please speak to the insurer in question.

As SIRA designs the forms that insurers use to collect information, it must ensure that appropriate information about adherence to privacy laws is included on them.

Our stakeholders

We may collect personal or health information from, or disclose personal or health information to, some of our stakeholders to do our work. These stakeholders include:

  • persons conducting a business or undertaking
  • workers
  • members of the public
  • insurers
  • other regulators
  • other law enforcement agencies
  • other state and federal government agencies and authorities
  • private sector companies
  • academics and researchers
  • medical and allied health professionals
  • non-government organisations
  • solicitors and other legal representatives
  • courts and tribunals
  • ministers and Parliament

Contacting us

For further information about this plan, the personal and health information we hold, or if you have any concerns, please feel free to contact us.

Web: www.sira.nsw.gov.au

Email: contact@sira.nsw.gov.au

Phone: 13 10 50

Mail: SIRA, Locked Bag 2906, Lisarow NSW 2252

Visit: Head office is located at 92-100 Donnison Street, Gosford NSW 2250

Staff

Responsibilities of the privacy officer

SIRA’s Privacy Officer is responsible for the ongoing training and education of SIRA staff members (including any third party service providers or consultants) about their obligations under the PPIP Act and HRIP Act, by:

  • ensuring this plan remains up to date
  • making a copy of this plan available to all current and incoming staff and contractors
  • informing staff and contractors of any changes to the plan
  • ensuring relevant privacy documents are consolidated and made available through the SIRA intranet
  • conducting or arranging staff training sessions on privacy matters as required
  • being available to answer any questions staff or contractors may have about their privacy obligations, and
  • ensuring the organisation meets its annual reporting obligations.

To meet our annual reporting obligations, each year our annual report includes a statement of the action we’ve undertaken to ensure we comply with the requirements of the PPIP Act and provides statistical details of any review we’ve conducted, or that has been conducted on our behalf, under the PPIP Act.

The SIRA Privacy Officer can be contacted as follows:

Email: privacy@sira.nsw.gov.au

Phone: 13 10 50

Mail: SIRA Privacy Officer, Locked Bag 2906, Lisarow NSW 2252

Visit: Head office is located at 92-100 Donnison Street, Gosford NSW 2250

Responsibilities of our staff

All employees, agents and contractors of SIRA are required to comply with the PPIP Act and HRIP Act. Both Acts contain criminal offence provisions applicable to staff and contractors who use or disclose personal information or health information without authority. It is an offence to:

  • intentionally disclose or use personal or health information accessed in doing our jobs for an unauthorised purpose
  • offer to supply personal or health information for an unauthorised purpose
  • attempt to persuade a person not to make or pursue a request for health information, a complaint to the Privacy Commissioner about health information, or an internal review under the HRIP Act, or
  • hinder the Privacy Commissioner or a member of the Commissioner’s staff in doing their job.

It is a criminal offence, punishable by up to two years’ imprisonment, a fine of up to $11,000, or both, for any person employed or engaged by SIRA (including former employees and contractors) to intentionally use or disclose any personal information or health information about another person, to which the employee or contractor has or had access in the exercise of his or her official functions, except in connection with the lawful exercise of those official functions.

Types of personal and health information we hold

When we use the term “personal information” we mean it according to the definition in the PPIP Act.

Personal information is any information or opinion that identifies a person (or that would allow a person’s identity to be ascertained). Personal information can include:

  • a person’s name, address, financial information and other details
  • photographs, images, video or audio footage, and
  • fingerprints, blood or DNA samples

Some kinds of information are not personal information, e.g. information about a person who has been dead for more than 30 years, information about a person that is contained in a publicly available publication, or information or opinion about a person’s suitability for employment as a public sector official.

When we use the term “health information” we mean it according to the definition in the HRIP Act.

Health information is a specific type of ‘personal information’. It includes:

  • information about a person’s physical or mental health, such as a psychological report, blood test or x-ray
  • personal information a person provides to any health organisation
  • information about a health service already provided to a person e.g. attendance at a medical appointment
  • information about a health service that is going to be provided to a person
  • a health service a person has requested, and
  • some genetic information

There are two main categories of personal and health information that SIRA holds or has access to:

Personal and health information held about members of the public and stakeholders

For the purpose of exercising our functions and activities, we hold personal or health information obtained from a person’s compensation claim file. When an injured person makes a compensation claim the following personal and health information is usually collected:

Information common to all claim types may include:

  • name and contact details
  • witness details and statements
  • medical certificates
  • surveillance footage/photos
  • insurance information
  • court proceedings
  • date of birth
  • correspondence
  • wages/income details
  • benefit payments
  • claims history
  • signatures
  • complaints
  • interpreter use
  • employment details
  • investigations

Workers compensation claim file information which may include:

  • nature of injury
  • capacity to work
  • medical information such as diagnosis, treatment, history, doctor's visits, certificates and reports
  • Medicare number
  • return to work and injury management plans

CTP claim file information which may include:

  • nature of injury
  • car accident details
  • medical information such as diagnosis, treatment, history, doctor's visits, certificates and reports
  • Medicare number
  • injury management plans
  • capacity to work
  • driver's licence information

Home building compensation fund claim file information which may include:

  • property address
  • mortality status
  • relationship status between home owner and owner builder
  • financial and bank accounts
  • house plans
  • property purchase contract
  • job specifications and status
  • reports
  • missing persons details

We also hold personal or health information given, for example, as part of applications to obtain information under right to information laws, workers compensation premium appeals, applications to the Workers Compensation Merits Review Service and applications to the Motor Accidents Medical Assessment Service and the Claims Assessment and Resolution Service.

Personal and health information held about employees

The majority of personal and health information about staff members is held by DFSI. Some information is maintained at a local level or accessed for management purposes.

Part two: How we manage personal and health information

This section explains how we handle personal and health information.

Addressing the principles

Limiting our collection of personal information (PPIP Act s8, HPP 1)

The principle in brief

We will only collect personal and health information if:

  • it is for a lawful purpose that is directly related to one of our functions, and
  • it is reasonably necessary for us to have the information

Key points

We won’t collect personal information unless we need it for one of our functions. As regulator of workers compensation insurance, motor accidents CTP insurance and home building compensation we may access the personal and health information collected by the relevant insurer in order to fulfil our functions under legislation.

How we collect personal information – the source (PPIP Act s9, HPP 3)

The principle in brief

We collect personal information direct from the person, unless they have authorised otherwise.

We collect health information direct from the person, unless it is unreasonable or impracticable to do so.

We obtain information relating to workers compensation, motor accident, and home building compensation fund claims from others (e.g. insurers and scheme agents) where we are lawfully authorised to do this.

Key points

We will sometimes obtain personal and health information from insurers, scheme agents and others for the purpose of exercising our functions and activities in relation to workers compensation insurance, motor accidents CTP insurance and the Home Building Compensation Fund.

We are lawfully authorised to do this by:

Section 243A of the Workplace Injury Management and Workers Compensation Act 1998

  • This authorises us to collect information (including health information) relating to, for example, claims for compensation and work injury damages and to obtain that information from insurers and from any other source.

Section 120 of the Motor Accidents Compensation Act 1999

  • This authorises us to obtain claims information from insurers, exchange certain information with the Lifetime Care and Support Authority and obtain certain information from the NSW Self Insurance Corporation. It also authorises us to maintain a register comprising details of:
    • claims notified by insurers under this Act
    • claims made on the Nominal Defendant
    • workers compensation claims notified under this Act, and
    • additional details

Sections 35 and 127 of the Home Building Act 1989

  • Section 35 authorises the Secretary to require certain people to authorise third parties to provide certain information. Section 127 refers to powers to obtain relevant information about:
    • a possible offence against the Act or another Act if the offence relates to specialist work
    • a complaint under the Act
    • an investigation into a matter that is or may be the subject of disciplinary proceedings under the Act
    • contractor licence or supervisor or tradesperson certificate renewal or restoration applications, or
    • the financial solvency of an applicant for, or holder of, a contractor licence or of a supervisor or tradesperson certificate or a close associate of such an applicant or holder

Collection of this information from third parties is necessary for us to properly exercise our regulatory and other functions and ensure compliance with the Acts and with regulations and other instruments made under the Acts.

We will also, wherever practicable, seek the authorisation of claimants to do so, e.g. in claim forms.

Where the person is under 16, we may collect their personal information from their parent or guardian. Where a person aged 16 or over lacks capacity (e.g. because of illness or disability), we can ask their authorised representative for the information instead. However, we must still try to communicate with the person directly too. The NSW Privacy Commissioner’s guide Privacy and People with Decision-making Disabilities explains how to collect personal information from or about a person who has limited or no capacity.

The NSW Privacy Commissioner’s Handbook to Health Privacy provides some other examples of when it might be “unreasonable or impracticable” to collect health information directly from the person.

Notification when collecting personal information (PPIP Act s10, HPP 4)

The principle in brief

When collecting personal and health information from an individual we will take reasonable steps to tell the person:

  • who we are and how to contact us
  • what the information will be used for
  • what other organisations (if any) routinely receive this type of personal information from us
  • whether the collection is authorised by law
  • what the consequences will be for the person if they do not provide the information to us, and
  • how the person can access and correct their personal information held by us

When collecting health information about an individual from someone else, we will take reasonable steps to tell the individual these things, unless doing so would pose a serious threat to health or we are acting in accordance with Privacy Commissioner guidelines.

Key points

We will continue to refine our claim forms to ensure they contain clear privacy statements indicating what the information being collected will be used for, who we are and how to contact us, what other organisations routinely receive this information, whether the collection is authorised by law, consequences of not providing it and how the person can access or amend it.

Clear privacy statements with this information will be provided on the documents we use to collect personal and health information, e.g. claim forms, application forms and telephone scripts.

How we collect personal information – the method and content (PPIP Act s11, HPP 2)

The principle in brief

When we collect personal and health information from an individual we will ensure the information we collect is:

  • relevant, accurate, up-to-date and complete, and
  • not intrusive or excessive

Key points

We will ensure that when we design forms, communicate with members of the public (face to face, over the telephone and in writing), and collect information from individuals we do not seek personal or health information that is intrusive or excessive, and that the personal and health information we do collect is relevant, accurate, up-to-date and complete.

We will design compensation claim forms so that only the information required to process a claim is requested.

We will ensure these privacy principles are built into our customer call centre policies and practices.

How we store and secure personal and health information (PPIP Act s12, HPP 5)

The principle in brief

We will take reasonable security measures to protect personal and health information from loss, unauthorised access, modification, use or disclosure. We will ensure personal and health information is stored securely, not kept longer than necessary, and disposed of appropriately.

Key points

Security measures include technical, physical and administrative actions as well as assessment by independent audit.

SIRA information systems are designed to ensure that only authorised users can access them.

Information security is fundamental to information privacy. Our information technology systems and support are provided by the Information Services branch of DFSI. All our electronic information is stored on secure information systems. Information Services is compliant with ISO 27001 (Information technology - Security techniques - Information security management systems - Requirements) and is independently reviewed annually.

Our servers are backed up daily. Our networks are secure and require individual logins. Our staff members are not permitted to give out passwords to anyone or let anyone else use their computer login.

Our information is classified in line with the NSW State Records Keyword AAA Thesaurus and the NSW Government Information Classification Labelling and Handling Guidelines. Since July 2015 these Guidelines have included the category “Sensitive: Health Information”. We comply with records management legislation and have retention and disposal rules in place for our general administration and functional information.

SIRA employees and contractors have access to a range of internal databases as appropriate for their work. Access to these databases is password protected and limited to staff who need the information to do their work. Access must be reviewed regularly to ensure the security level allocated to each staff member is appropriate and to remove access for people who no longer require it as part of their role.

Daily operational work is recorded in the databases above, on the shared drive, in email and in hard copy; however, hard copy files are in the minority. Local security arrangements exist for the safe storage of information on the shared drive, with access to those files limited to the individuals within a specified work area.

Our hard copy information is mainly located in our office locations. We archive older physical files in a secure storage facility in compliance with the State Records Act 1998. Our staff members have key card access to our office. Our offices are locked outside of business hours.

We keep physical files securely stored when we are not using them. We do not leave sensitive information on the printer and use secure printing where appropriate. We use locked bins for sensitive documents that need to be destroyed.

Transparency (PPIP Act s13, HPP 6)

The principle in brief

Once we have confirmed their identity, we will enable individuals to know:

  • whether we are likely to hold their personal or health information
  • the purposes for which we use their personal information, and
  • how they can access their information

Key points

We have a broad obligation to the community to be open about how we handle personal and health information. This is different to collection notification, which is specific and is given at the time of collecting new personal or health information.

The Privacy Management Plan will be available through our website. It sets out the major categories of personal and health information that we hold and explains our privacy obligations. Part three of the Plan explains the process for accessing any of the personal and health information we hold about you.

If you want more information or explanation you can request it through the SIRA Privacy Officer.

Access to information we hold (PPIP Act s14, HPP 7)

The principle in brief

Once we have confirmed their identity, we will allow people to access their personal and health information without unreasonable delay or expense. We will only refuse access where authorised by law. If requested we will provide written reasons for any refusal.

Key points

Part three of this Plan explains the process for accessing any of the personal and health information we hold about you.

Correction of information we hold (PPIP Act s15, HPP 8)

The principle in brief

Once we have confirmed their identity, we will allow people to update or amend their personal information, to ensure it is accurate, relevant, up-to-date, complete and not misleading.

Key points

Part three of this Plan explains the process for correcting any of the personal and health information we hold about you.

Accuracy of information (PPIP Act s16, HPP 9)

The principle in brief

Before using personal or health information we will take appropriate steps to ensure that the information is relevant, accurate, up-to-date, complete and not misleading.

Key points

We ensure the accuracy of the information by collecting it directly from the individual wherever practicable. We take such steps as are reasonable in the circumstances to ensure that the information is relevant, accurate, up-to-date, complete and not misleading.

What might be considered ‘reasonable steps’ will depend upon all the circumstances, but some points to consider are:

  • the context in which the information was obtained
  • the purpose for which we collected the information
  • the purpose for which we now want to use the information
  • the sensitivity of the information
  • the number of people who will have access to the information
  • the potential effects for the person if the information is inaccurate or irrelevant
  • any opportunities we’ve already given the person to correct inaccuracies, and
  • the effort and cost in checking the information

How we use personal and health information (PPIP Act s17, HPP 10)

The principle in brief

We may use[1] personal and health information:

  • for the primary purpose for which it was collected
  • for a directly related secondary purpose
  • if we believe the use is necessary to prevent or lessen a serious and imminent threat to life or health, or
  • for another purpose if the person has consented.

[1] 'Use' is different to 'disclose'. We 'use' information when we handle it internally, within the agency.

Key points

As a general principle, we use the personal and health information we’ve collected only for the purpose for which it was collected. The relevant purpose should have been set out in a privacy notice at the time of collection.

We may also use personal and health information for a directly related secondary purpose. A directly related secondary purpose is a purpose that is very closely related to the purpose for collection and would be the type of purpose that people would quite reasonably expect their information to be used for. For example, information collected for a workers compensation claim may be accessed and used to investigate the complaint of an injured worker about the handling of their claim by a workers compensation scheme agent.

We may also use health information for other purposes permitted by the HRIP Act, including: to lessen or prevent a serious threat to public health or safety; for the management of health services; for training; for research purposes; to find a missing person; for law enforcement purposes; and in respect of suspected unlawful activity, unsatisfactory professional conduct or a breach of discipline.

How we disclose personal and health information (PPIP Act s18, HPP 11 and PPIP Act s19, HPP 14)

The principle in brief

We may disclose[2] information if:

  • the person has consented
  • the information is not ‘health information’ or ‘sensitive information’, and the individual has been made aware that the information is likely to be disclosed to the recipient
  • the information is not ‘health information’ or ‘sensitive information’, and the disclosure is directly related to the purpose for which the information was collected, and we have no reason to believe the individual would object to the disclosure, or
  • the information is ‘health information’ and the disclosure is for the purpose for which the information was collected, or for a directly related secondary purpose within the person’s reasonable expectations.

[2] 'Disclose' is different to 'use'. We 'disclose' information when we give it to someone outside the agency.

Stricter rules apply to specific information

Disclosing sensitive information (e.g. a person’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities) is generally only allowed with the person’s consent.

We can generally only disclose personal or health information to someone outside NSW, or to a Commonwealth agency, if one of the following applies:

  • the recipient is subject to a law, scheme or contract that upholds principles substantially similar to the information privacy principles
  • the individual concerned has consented
  • the disclosure is necessary for a contract with (or in the interests of) the individual concerned
  • the disclosure will benefit the individual concerned, it is impracticable to obtain their consent, and we believe the person would be likely to give their consent
  • we reasonably believe the disclosure is necessary to lessen or prevent a serious and imminent threat to the life, health or safety of the individual or another person
  • we have taken reasonable steps to ensure the information won’t be dealt with inconsistently with the information privacy principles, e.g. we have bound the recipient by contract to privacy obligations equivalent to the principles
  • the disclosure is permitted or required by legislation or any other law, or
  • the disclosure is exempted from compliance with this principle for one of the reasons set out under ‘Sometimes the privacy principles do not apply’ below.

Key points

We may disclose information we are lawfully authorised to disclose. See 'Sometimes the privacy principles do not apply' for more information about this.

Most other disclosures we make will be appropriately related to the purpose for which the information was collected and/or we will have the consent of the individual.

When we are required to share information with other business areas within DFSI or other public sector agencies, we will do so in accordance with the privacy laws.

How we use unique identifiers and linkage of health records (HPP 12 & 13)

The principle in brief

We may only assign identifiers (e.g. a number) to an individual in relation to their health information if it is reasonably necessary. We must not include health information in a health records linkage system without the individual’s consent.

Key points

At this point we do not have any need to assign unique identifiers.

We will only use health records linkage systems when individuals have expressly consented to their information being included on such a system, or for research purposes which have been approved by an Ethics Committee and in accordance with the Statutory Guidelines on Research issued under the HRIP Act.

Sometimes the Privacy Principles do not apply

The Information Protection Principles (IPPs) and Health Privacy Principles (HPPs) in the PPIP Act and HRIP Act do not apply in certain situations or to certain information collected. Further details are provided in Appendix 2. Some of the key situations where collection, use or disclosure of information is exempted from compliance with certain IPPs and HPPs include:

  • unsolicited information
  • personal information collected before 1 July 2000
  • health information collected before 1 September 2004
  • law enforcement and investigative and some complaints handling purposes
  • when authorised or required by a subpoena, warrant or statutory notice to produce
  • if another law authorises or requires us not to comply*
  • where non-compliance is otherwise permitted, implied or contemplated by another law*
  • in the case of health information, to lessen or prevent a serious threat to public health or public safety
  • some research purposes
  • in the case of health information, compassionate reasons, in certain limited circumstances
  • finding a missing person, and
  • information sent between public sector agencies to transfer enquiries or to manage correspondence from a Minister or member of Parliament.

* Examples of laws which authorise or permit SIRA not to comply with certain IPPs and HPPs include:

Section 72 of the Workplace Injury Management and Workers Compensation Act 1998

  • This authorises us to allow insurers to inspect claims information we hold.

Sections 243 and 243A of the Workplace Injury Management and Workers Compensation Act 1998

  • Section 243 places some additional restrictions on when information obtained in connection with that Act can be disclosed. It also authorises us to disclose certain information to SafeWork NSW, the Chief Commissioner of State Revenue and the Insurance and Superannuation Commissioner (and, by the Workers Compensation Regulation 2010, the Health Care Complaints Commission, a professional council or registration authority under the Health Practitioner Regulation National Law, and the Long Service Corporation).
  • Section 243A authorises us to collect, use and disclose information (including health information) relating to, for example, claims for compensation and work injury damages, and to obtain that information from insurers and from any other source. It also places restrictions on the disclosure of health information.

Section 174 of the Workers Compensation Act 1987

  • This authorises us to obtain wages records from employers.

Section 120 of the Motor Accidents Compensation Act 1999

  • This authorises us to obtain claims information from insurers, exchange certain information with the Lifetime Care and Support Authority, and obtain certain information from the NSW Self Insurance Corporation. It also authorises us to maintain a register comprising details of:
    • claims notified by insurers under this Act
    • claims made on the Nominal Defendant
    • workers compensation claims notified under this Act, and
    • additional details

It also authorises licensed insurers and others we approve to inspect that register.

This authorises information sharing with the Self Insurance Corporation

Part three: How to access and amend personal and health information

In the majority of cases, you have the right to access and amend the personal and health information we hold about you, for example, if you need to update your contact details.

We must provide access to or amend personal or health information without excessive delay or expense. We do not charge any fees to access or amend personal or health information.

Informal request

Informal requests do not need to be in writing.

You can request access to or amendment of your personal or health information by contacting us by telephone on 13 10 50 or by email at privacy@sira.nsw.gov.au.

You will need to verify your identity and in some circumstances, particularly if it is sensitive information, we may ask you to make a formal application.

We aim to respond to informal requests within 5 working days. We will tell you how long the request is likely to take, particularly if it may take longer than first expected. We will contact you to advise the outcome of the request. If you are unhappy with the outcome of an informal request, you can make a formal application to us.

Formal request

Formal requests need to be made in writing.

You do not need to ask informally before making a formal request, and you can make a formal request if you have already asked informally.

You can make a formal request to the SIRA Privacy Officer by email or post.

The formal request should:

  • include your name and contact details
  • include certified proof of identity
  • state whether you are making the request under the PPIP Act (personal information) or HRIP Act (health information)
  • explain what personal or health information you would like to access or amend, and
  • explain how you would like to access or amend it.

We aim to respond in writing to formal requests within 20 working days. We will contact you to advise how long the request is likely to take, particularly if it may take longer than expected.

If you think we are taking an unreasonable amount of time to respond or you disagree with the outcome, you have the right to seek an internal review. Before seeking an internal review, we encourage you to contact our Privacy Officer to ask for an update or timeframe for response. More information on internal reviews is provided in part 4 below.

Limits on accessing or amending other people’s information

We are usually restricted from giving you access to someone else’s personal and health information. While the PPIP Act and the HRIP Act give you the right to access your own information, the Acts generally do not give you the right to access someone else’s information.

However, both the PPIP Act and the HRIP Act allow you to give us permission to collect your personal and health information from, and disclose it to, someone else. This can help, for example, when contact with us worsens an anxiety condition or if you are mentally or physically unfit to represent yourself.

If you are under 16 we are allowed to collect information directly from your parents or guardian. If you do require someone to act on your behalf, you will need to give us your written consent.

The Acts enable us to disclose information in limited circumstances, such as to prevent a serious and imminent threat to the life, health and safety of an individual, or if withholding your information would prejudice you. In the case of health information, other reasons include finding a missing person or for compassionate reasons in certain limited circumstances.

The Information & Privacy Commission’s guide to Privacy and people with decision making disabilities explains how to seek consent for a secondary use or disclosure of personal information from a person who has limited or no capacity.

Part four: Review rights and complaints

Internal review

General principles

We encourage you to contact us directly to resolve any concerns you have about our handling of your personal and health information.

If you have a complaint about the way your personal or health information has been handled, or disagree with the outcome of your application to access and/or amend your personal and health information, we encourage you to discuss any concerns with the staff member or business unit dealing with your information, or contact us by telephone on 13 10 50 or by email at privacy@sira.nsw.gov.au.

The following general principles are relevant to applications for internal review of privacy complaints:

  • you may apply to SIRA for an ‘internal review’ of the conduct you believe breaches an Information Protection Principle and/or a Health Privacy Principle, or you may make a privacy complaint directly to the NSW Privacy Commissioner. For an explanation of how we apply the Information Protection and Health Privacy Principles, check out ‘Part two: How we manage personal and health information’
  • complaints to the NSW Privacy Commissioner can only result in a conciliated outcome, rather than a binding determination
  • you cannot seek an internal review for an alleged/potential breach of someone else’s privacy, unless you are an authorised representative of the other person, and
  • an application for an internal review must be made within six months from when you first become aware of the conduct you are concerned about (in limited circumstances SIRA may consider a late application for internal review).

How to apply for internal review

To help you apply for an internal review, you can use the application form in Appendix three or on our website at www.sira.nsw.gov.au. Although we encourage use of the form, it is not compulsory. You may submit any other relevant material along with your application.

Requests for internal review should be sent to the SIRA Privacy Officer by email, post or at our counter and need to:

  • be in writing
  • be addressed to SIRA, and
  • include a return address in Australia

Applications in other languages will be accepted and translated, and all acknowledgments and correspondence from SIRA about the application will be translated into the applicant’s preferred language. If the applicant is not literate in English and/or their first language and there is no organisation making the application on their behalf, the Privacy Officer will help write the application, using a professional interpreter if necessary.

What you can expect from us

  • Your application will be acknowledged within 5 working days and will include an expected completion date
  • Either the SIRA Privacy Officer (if they were not involved in the conduct which is the subject of the complaint), or another person not involved in the conduct which is the subject of the complaint, who is an employee or an officer of SIRA and is qualified to deal with the subject matter of the complaint, will conduct the review
  • The internal review will be completed within 60 days of receiving your application. If we do not notify you of the outcome of the review within 60 days, you have the right to seek external review at the NSW Civil and Administrative Tribunal (NCAT). More information on external reviews is provided below
  • We will follow the NSW Privacy Commissioner’s Internal Review Checklist and give consideration to any relevant material submitted by you and/or the NSW Privacy Commissioner
  • In making a decision, we may decide to:
    • take no further action on the matter
    • make a formal apology to you
    • take appropriate remedial action, which may include payment to you of monetary compensation
    • undertake to you that the conduct will not occur again, and/or
    • implement administrative measures to ensure that the conduct will not occur again
  • You will be informed of the outcome within 14 days of the internal review being decided, including:
    • the findings of the review
    • the reasons for those findings
    • the action SIRA proposes to take
    • the reasons for the proposed action (or no action), and
    • your entitlement to have the findings and the reasons for the findings reviewed by NCAT.

Role of the Privacy Commissioner

The PPIP Act requires that the NSW Privacy Commissioner be informed of the receipt of an application for an internal review of conduct and receive regular progress reports of the investigation. In addition, the Commissioner is entitled to make submissions in relation to the application for internal review.

When we receive your application we will provide a copy to the Privacy Commissioner. We will then continue to keep the Privacy Commissioner informed of the progress of the internal review, the findings of the review and the proposed action to be taken by SIRA in relation to the internal review. Any submissions made by the Privacy Commissioner to the agency will be taken into consideration when making our decision.

The Privacy Commissioner’s contact details are:

Office: Information & Privacy Commission, Level 5, 47 Bridge Street, Sydney NSW 2000

Post: PO Box R232 Royal Exchange NSW 2001

Phone: 1800 472 679

Email: ipcinfo@ipc.nsw.gov.au

Web: www.ipc.nsw.gov.au

External Review

If you are unhappy with the outcome of the internal review, you can apply to NCAT to review the decision (an “external review”). Also, if we have not completed the internal review within 60 days, you can take the matter to NCAT for external review.

However, please note, before you have the right to seek an external review you must first seek an internal review by SIRA. Generally you have 28 days from the date of the internal review decision to seek the external review.

NCAT has the power to make binding decisions on an external review, including ordering SIRA to pay damages of up to $40,000.

For more information about seeking an external review including current forms and fees, please contact NCAT:

Post: NSW Civil & Administrative Tribunal, Administrative and Equal Opportunity Division, GPO Box 4005, Sydney NSW 2000

Phone: 1300 003 228 and select option three for all Administrative and Equal Opportunity Division enquiries

Website: www.ncat.nsw.gov.au

Part five: Continuous improvement

Reviewing the plan

Our plan will be reviewed at a minimum every two years, but more frequently when legislative, administrative or systemic changes occur that affect the way we manage the personal and health information we hold.

Promoting the Plan

Public awareness

This plan is a commitment of service to our stakeholders of how we manage personal information and health information. As it is central to how we do business, this plan is easy to access and easy to understand for people from all kinds of backgrounds.

Additionally, we are required to make this plan publicly available as open access information under the Government Information (Public Access) Act 2009.

We aim to promote public awareness of this plan by:

  • writing the plan in plain English
  • publishing the plan in a prominent place on our website
  • providing hard copies of the plan free of charge on request
  • telling people about the plan when we answer questions about how we manage personal information and health information.

SIRA Executive

The SIRA executive team is committed to transparency about how we comply with the PPIP Act and the HRIP Act, which is reinforced by:

SIRA Employees

We make sure our staff are aware of this plan and how it applies to the work they do by:

  • training staff so they understand their privacy obligations and how they are to manage personal and health information
  • writing this plan in a practical way so our staff can understand what their privacy obligations are, how to manage personal and health information in their work and what to do if unsure about their privacy obligations
  • publishing the plan in a prominent place on our intranet, and
  • highlighting the plan at least once a year (for example, during Privacy Awareness Week).

Part six: Appendices

Appendix 1: Other related laws

This section contains a summary of other laws that may impact the way we handle personal and health information.

Government Information (Public Access) Act 2009 (GIPA Act) and Government Information (Public Access) Regulation 2009.

Under this law people can apply for access to government information we hold. Sometimes this information may include personal or health information. The Act contains public interest considerations against disclosure of information that would reveal an individual’s personal information or contravene an information or health protection principle under the PPIP and HRIP Acts.

If a person has applied for access to someone else’s personal or health information we will consult with the affected third parties. If we decide to release a third party’s personal information, we must not disclose the information until the third party has had the opportunity to seek a review of our decision.

When accessing government information of another NSW public sector agency in connection with a review, the Information Commissioner must not disclose this information if the agency claims that there is an overriding public interest against disclosure.

Government Information (Information Commissioner) Act 2009 (GIIC Act).

Under this law the Information Commissioner has the power to access government information held by other NSW public sector agencies for the purpose of conducting a review, investigation or dealing with a complaint under the GIPA Act and GIIC Act. The Information Commissioner also has the right to enter and inspect any premises of a NSW public sector agency and inspect any record.

This Act also allows the Information Commissioner to provide information to the NSW Ombudsman, the Director of Public Prosecutions, the Independent Commission Against Corruption or the Police Integrity Commission.

Data Sharing (Government Sector) Act 2015 in relation to the sharing of government data between government agencies and the government Data Analytics Centre, including the sharing of de-identified personal data. Enhanced privacy safeguards apply, and this Act in no way alters how the current privacy legislation applies to the personal and health information we hold.

Crimes Act 1900 in relation to accessing or interfering with data in computers or other electronic devices.

Independent Commission Against Corruption Act 1988 in relation to the misuse of information.

Public Interest Disclosures Act 1994 (PID Act) in relation to disclosing information that might identify or tend to identify a person who has made a PID.

State Records Act 1998 and State Records Regulation 2015 in relation to the management and destruction of records.

Appendix 2: Exemptions

The PPIP and HRIP Acts contain exemptions from compliance with certain IPPs and HPPs. The main exemptions to each principle are:

Limiting our collection of personal and health information – PPIP Act s8 & HPP 1

  • unsolicited information
  • personal information collected before 1 July 2000
  • health information collected before 1 September 2004
  • in the case of personal information, for certain Ministerial correspondence or referral of inquiries
  • in relation to personal information, certain research purposes

How we collect personal and health information – the source – PPIP Act s9 & HPP 3

  • unsolicited information
  • personal information collected before 1 July 2000
  • health information collected before 1 September 2004
  • personal information used for law enforcement or some investigative and complaints handling purposes
  • where another law authorises or requires us not to comply with this principle
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • in the case of personal information, where compliance would disadvantage the individual

Notification when collecting personal and health information – PPIP Act s10 & HPP 4

  • unsolicited information
  • personal information collected before 1 July 2000
  • health information collected before 1 September 2004
  • the individual concerned has expressly consented to the non-compliance
  • some law enforcement and investigative or complaints handling purposes
  • where another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • where compliance would disadvantage the individual
  • where notification in relation to health information would be unreasonable or impracticable

How we collect personal and health information – the method and content – PPIP Act s11, HPP 2

  • unsolicited information
  • personal information collected before 1 July 2000
  • health information collected before 1 September 2004
  • law enforcement or some investigative and complaints handling purposes
  • where another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • where compliance would disadvantage the individual

Retention and security – PPIP Act s12 & HPP 5

  • there are no direct exemptions to the operation of the principle

Transparency – PPIP Act s13 & HPP 6

  • if another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • where the provisions of the GIPA Act impose conditions or limitations (however expressed)

Access – PPIP Act s14 & HPP 7

  • some health information collected before 1 September 2004
  • where another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • the provisions of the GIPA Act that impose conditions or limitations (however expressed)

Correction – PPIP Act s15 & HPP 8

  • some health information collected before 1 September 2004
  • some investigative or complaints handling purposes
  • if another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • the provisions of the GIPA Act that impose conditions or limitations (however expressed)

Accuracy – PPIP Act s16 & HPP 9

  • there are no direct exemptions to the operation of this principle

Use – PPIP Act s17 & HPP 10

  • law enforcement and some investigative or complaints handling purposes
  • where another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • in the case of health information, to lessen or prevent a serious threat to public health or public safety
  • in the case of health information, finding a missing person
  • information sent to other agencies under the administration of the same Minister or Premier for the purposes of informing the Minister or Premier

Disclosure – PPIP Act ss18 & 19 and HPPs 11 & 14

  • law enforcement or some investigative and complaints handling purposes
  • when it is authorised or required by a subpoena, warrant or statutory notice to produce
  • if another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • in the case of health information, to lessen or prevent a serious threat to public health or public safety
  • in the case of health information, compassionate reasons in certain limited circumstances
  • finding a missing person
  • information sent to other agencies under the administration of the same Minister or Premier for the purposes of informing the Minister or Premier

Identifiers – HPP 12

  • there are no direct exemptions to the operation of this principle

Linkage of health records – HPP 15

  • health information collected before 1 September 2004
  • where another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law

Appendix 3: Forms

Privacy complaint internal review application form