The Privacy and Personal Information Protection Act 1998 (PPIP Act) outlines how New South Wales (NSW) public sector agencies manage personal information and the functions of the NSW Privacy Commissioner.
Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act)
Who does the PPIP Act include?
Agencies that are bound by the PPIP Act are NSW public sector agencies, statutory authorities, universities, NSW local councils, and other bodies whose accounts are subject to the Auditor General.
State-owned corporations such as RailCorp and Sydney Water are not included.
Please feel free to contact the agency or us if you are unsure if the NSW privacy laws apply.
What does the PPIP Act include?
The PPIP Act includes 12 Information Protection Principles (IPPs) and sets out the role of the NSW Privacy Commissioner. The PPIP Act sets up ways to protect personal information and to allow the investigation of complaints into breaches of privacy.
The IPPs apply to how your personal information is handled. Put simply, personal information is information that identifies you. It could be:
- a record which may include your name, address and other details about you
- photographs, images, video or audio footage
- fingerprints, blood or DNA samples.
There are some exemptions from the definition of personal information, for example, the definition doesn’t include personal information about a person who has been dead for more than 30 years.
The IPPs are the principles that underpin the PPIP Act and all NSW public sector agencies must abide by them.
The PPIP Act allows for some exceptions from the principles, which are called lawful exemptions. Some public sector agencies have these exemptions to be able to perform their duties, for example NSW Police for law enforcement.
The PPIP Act also gives powers to the NSW Privacy Commissioner to investigate and mediate complaints made against an agency. The Privacy Commissioner also has responsibilities to:
- promote the adoption of, and monitor compliance with, the information protection principles;
- prepare and publish guidelines relating to the protection of personal information and other privacy matters, and to promote the adoption of such guidelines;
- initiate and recommend the making of Privacy Codes of Practice;
- provide assistance to public sector agencies in adopting and complying with the Information Protection Principles and Privacy Codes of Practice;
- provide assistance to public sector agencies in preparing and implementing Privacy Management Plans in accordance with section 33;
- conduct research, and collect and collate information, about any matter relating to the protection of personal information and the privacy of individuals;
- provide advice on matters relating to the protection of personal information and the privacy of individuals;
- make public statements about any matter relating to the privacy of individuals generally;
- conduct education programs, and to disseminate information, for the purpose of promoting the protection of the privacy of individuals;
- prepare and publish reports and recommendations about any matter (including developments in technology) that concerns the need for, or the desirability of, legislative, administrative or other action in the interest of the privacy of individuals.
Information Protection Principles
The 12 Information Protection Principles (IPPs) are the key to the PPIP Act. They are legal duties that describe what NSW public sector agencies (including councils) must do when they handle your personal information. The 12 IPPs detail how your personal information must be collected, stored, used and disclosed as well as your rights to access your personal information.
Below is a simplified summary of the 12 IPPs, divided into headings: Collection, Storage, Access and Accuracy, Use and Disclosure. If you require more information on the 12 IPPs we encourage you to read our fact sheet: Information Protection Principles (IPPs).
An agency must:

Collection

| Principle | IPP | Requirement |
|---|---|---|
| Lawful | 1 | Only collect your personal information for a lawful purpose. It must be needed for the agency's activities. |
| Direct | 2 | Collect the information from you alone, unless exemptions apply. |
| Open | 3 | Tell you that the information is being collected, why, and who will be using and storing it. You must be told how to access it and make sure it's correct. |
| Relevant | 4 | Make sure that your personal information is relevant, accurate, current and not excessive. |

Storage

| Principle | IPP | Requirement |
|---|---|---|
| Secure | 5 | Store your personal information securely. It should not be kept longer than needed, and must be disposed of properly. |

Access and Accuracy

| Principle | IPP | Requirement |
|---|---|---|
| Transparent | 6 | Provide you with details about the personal information the agency is storing, the reasons for storing it, and how you can access it if you wish to make sure it's correct. |
| Accessible | 7 | Allow you to access your personal information in a reasonable time frame and without excessive cost. |
| Correct | 8 | Allow you to update, correct or amend your personal information when needed. |

Use and Disclosure

| Principle | IPP | Requirement |
|---|---|---|
| Accurate | 9 | Make sure that your personal information is correct and relevant before using it. |
| Limited | 10 | Only use your personal information for the reason it was collected. |
| | 11 | Only release your information if you have consented. An agency may also release your information if it is for a related reason and it can reasonably be assumed that you would not object, or if your information is needed to deal with a serious and impending threat to someone's health and safety, including your own. |
| | 12 | Not disclose your sensitive information without your consent. Such information includes racial or ethnic information, political, religious and philosophical beliefs, sexual activity and trade union membership. This information may only be released without consent to deal with a serious and impending threat to someone's health and safety. |
You can find more detailed information about the PPIP Act and IPPs by reading:
Regulations made under the PPIP Act:
- Privacy and Personal Information Protection Regulation 2014 (PPIP Regulation)
- Privacy and Personal Information Protection Regulation 2005 (PPIP Regulation), repealed on 1 September 2014
- Privacy and Personal Information Protection (Transitional) Regulation 1999