How to handle an Internal Review

An internal review deals with complaints that are:
  • against a NSW public sector agency, and
  • about an agency's handling of personal information or health information.

An internal review is an internal investigation that the agency conducts into a complaint. The agency will assess whether or not it has complied with its privacy obligations, and then tell the applicant of its findings and what it will do as a result.

What are an agency's privacy obligations?

There are 12 Information Protection Principles (IPPs) which govern the collection, storage, access, use and disclosure of personal information. There are also special rules for personal information held in public registers.

There are also 15 Health Privacy Principles (HPPs), governing the collection, storage, access, use and disclosure of health information.

All public sector agencies must adhere to the IPPs (or the public register provisions) and HPPs unless they have a lawful exemption.

If a person just wants to access their own personal information or health information, do they need to request an internal review?

Not immediately. If the person is just asking to see, amend or correct their own personal information or health information held by a NSW public sector agency, they can just ask directly.

However, if the person applies under the Privacy and Personal Information Protection Act 1998 (PPIP Act) for their personal information, or under the Health Records and Information Privacy Act 2002 (HRIP Act) for their health information or to amend their information, and the request is refused, then they can apply for an internal review of the decision to refuse access or amend their information.

How does an internal review work?

There are rules set out in Part 5 of the PPIP Act which apply to internal reviews under the PPIP Act and the HRIP Act.

An internal review must be done by someone different to the person responsible for the conduct or decision complained about. The person who conducts the internal review must be a suitably qualified employee of the agency. The NSW Privacy Commissioner has a role in overseeing the internal review process and may make submissions on internal reviews.

The NSW Privacy Commissioner has developed a Checklist: Internal review for agencies to use when they are dealing with an internal review. It is not compulsory for agencies to follow the checklist, but we do recommend it.

In conducting internal reviews about personal or health information, agencies must:

  • notify the NSW Privacy Commissioner that they have received the application for internal review
  • keep the NSW Privacy Commissioner informed of the progress of the internal review
  • consider any relevant material submitted by the applicant or by the NSW Privacy Commissioner
  • complete the review as soon as possible
  • once the review is finished, notify the applicant and the NSW Privacy Commissioner of the findings of the review (and the reasons for those findings), and the action proposed to be taken
  • notify the applicant of their right to have those findings, and the agency's proposed action, reviewed by the NSW Civil and Administrative Tribunal (NCAT).

Once the review is finished, the agency may take no further action, or it may do one or more of the following:

  • Make a formal apology
  • Take remedial action (e.g. the payment of monetary compensation)
  • Provide undertakings that the conduct will not occur again
  • Implement administrative measures to ensure that the conduct will not occur again.

What happens if the applicant is still not satisfied after the internal review?

If the internal review is not completed within 60 days, or if the applicant is unhappy with the results of the internal review, they have 28 days (refer to Rule 24 of the Civil and Administrative Tribunal Rules 2014) to ask the NSW Civil and Administrative Tribunal (NCAT) to review the conduct or decision complained about. NCAT will assess whether or not the agency complied with its privacy obligations.

NCAT may order the agency to change its practices, apologise, or take some steps to remedy any damage suffered.

Are there any limits on whether someone can lodge a request for an internal review?

An internal review is only available if:

  • the complaint is against a NSW public sector agency; and
  • the complaint is about an agency's handling of personal information or health information; and
  • the applicant has been aggrieved by the agency's conduct.

What does 'conduct' mean?

'Conduct' can include an action, a decision, or even inaction by an agency. For example, the conduct complained about could be:

  • a decision to refuse a person access to their personal information; or
  • the action of disclosing a person's personal information to another person; or
  • the inaction of a failure to protect a person's personal information from being inappropriately accessed by someone else.

Are there any time limits for requesting an internal review?

Yes. In general, a person must lodge their request for internal review within six months of first becoming aware of the conduct complained about. If they wait more than six months, the agency can decline the request, and they cannot appeal the agency's decision. Sometimes an agency will allow a person extra time because of special circumstances; the legislation provides for this.

How can a person lodge a request for an internal review?

To lodge a request for an internal review the applicant must send their application to the agency in writing, and they must specify an address in Australia for writing back to them.

More information

Fact sheet - Information Protection Principles

Fact sheet - Health Privacy Principles

Checklist - Privacy Internal Review

Form - Request for internal review

Template for Internal review form