Check if the agency or health service provider has a form. This may be on their website, or you can call and ask for them to send you a copy.
You can make an informal application under both the Privacy and Personal Information Protection Act 1998 (PPIP Act) or Health Records and Information Privacy Act 2002 (HRIP Act), however, most agencies will require authorisation in writing and will ask for proof of identification.
We suggest that you make your request in writing to ensure there are records of correspondence. We have outlined some tips to assist you in making a request for your information:
- Make sure you have the correct agency and staff contact details
- Check costs in advance. You may be able to ask to waive or reduce the fee
- Include your full name, address and contact details to ensure you receive the information. You should also include any other information that may distinguish you (e.g. previous names and addresses).
- Include as much detail as you can to specify the information you are requesting, for example, results from a blood test at Sydney Hospital on 24 April 2012.
- If you are requesting the information in a letter, you should also include a reference to the appropriate Act, as well as the time frame for completing the request.
- Keep copies of your correspondence, forms and receipts proving that you have paid a fee.
Please note: You are not required to give a reason for seeking access to your personal information.
What happens next?
The agency may provide you with access to your information through the following methods:
- A copy of the information is given to you
- You can view the information and take notes but not photocopy it
- A written transcript is given to you.
The agency, health service provider or agency holding health information above a certain size can refuse access in some circumstances. There may be ‘exemptions’ in the Act such as Codes of Practice and Public Interest Directions which allow an agency to refuse access. Further information about these exemptions can be found under Applying the law.
If the agency, health service provider or agency holding health information above a certain size does not respond within the time frame, or you are not happy with the decision to refuse access, you can:
- Under the PPIP Act, ask for an internal review of the conduct of the agency
- Under the HRIP Act, ask for an internal review of conduct by the public agency, or in the case of a private health service provider or organisation holding health information above a certain size make a complaint to us.
What happens if my information is incorrect?
If you believe that your personal information is incorrect, under section 15 the PPIP Act a public sector agency that holds your personal information must make the appropriate amendments (e.g. corrections, deletions or additions).
The agency must:
- Ensure that your information is:
- Accurate and up to date
- relevant to the purpose it was collected or any purpose directly related to that purpose
What happens if I think my privacy rights have not been protected?
You can make a complaint about a public sector agency, a health service provider or organisation holding health information above a certain size if you think they have failed to protect your personal or health information, or if you have been refused access to your own personal information.
Who do I make a complaint to?
If the complaint is about a NSW public sector agency, you can seek an internal review with that agency before coming to us.
If the complaint is about a private health service provider or organisation holding health information, you can make a complaint to us or to the office of the Australian Privacy Commissioner.
Please note: The Information and Privacy Commission NSW (IPC) chiefly deals with NSW public sector agencies, private health service providers or organisations holding health information above a certain size. If you have a complaint against a bank or real estate agency for instance, you should contact the office of the Australian Privacy Commissioner.
See our fact sheet for more information: A guide to privacy laws in NSW.
How do I ask for an internal review?
If you have a complaint about a NSW public sector agency handling your personal information or you were refused access to your information by an agency, you can make an application for an internal review directly to the agency. You need to request the review within six months of noting the issue.
Ask the agency involved if they have a form. If not, you can use our generic form: Application for an internal review.
What happens next?
The agency has to undertake a review as soon as practical or within 60 days. You should be informed in writing of the outcomes of that review. The agency also needs to inform the NSW Privacy Commissioner of the review and the outcomes. Following the review, the agency may take the following actions:
- Make a formal apology
- Take remedial action (this can include compensation)
- Make assurances it won’t happen again
- Make changes to their policies and procedures
- Take no action.
If you are unhappy with the result of the review or it is not completed within 60 days, you have 28 days (Refer to Rule 24 of the Civil and Administrative Tribunal Rules 2014) to apply to the NSW Civil and Administrative Tribunal (NCAT) for a decision. There is a cost involved in going to NCAT and you may need to have legal representation. NCAT will deliver an enforceable decision and can award compensation if it sees fit.