Fact Sheet - Mandatory notification of unlawful disclosure of personal information by Revenue NSW under the Fines Act 1996
What is an unlawful disclosure of personal information?
An unlawful disclosure of personal information occurs if Revenue NSW discloses personal information to another person or entity and that disclosure is not exempted under the Privacy and Personal Information Protection Act 1998 (PPIP Act) and not authorised under the Fines Act 1996.
An unlawful disclosure[1] of personal information occurs when there is an unauthorised release of personal information outside an organisation to a person who did not previously know that information.
Although malware, hacking and data theft are usually the first examples of unlawful disclosure that come to mind, other examples of unauthorised disclosures include:
- simple human or technical errors without malicious intent
- the accidental loss of a paper record, laptop, or USB stick
- emails containing personal information sent to the wrong recipients.
What is personal information?
Personal information is defined by section 4 of the PPIP Act as:
“Information or an opinion (including information or an opinion forming part of a database and whether or not in a recorded form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”.
The 12 Information Protection Principles (IPPs) are the key to the PPIP Act. They are legal duties that describe how your personal information must be collected, stored, used and disclosed by NSW agencies, as well as your rights to access your personal information.
Revenue NSW has published how they meet these principles in the Revenue NSW Privacy Management Plan, available on their website.
If you require more information on the 12 IPPs we encourage you to read our Fact sheet: Information Protection Principles (IPPs).
What happens if Revenue NSW unlawfully discloses personal information?
Unless the Privacy Commissioner advises it is not appropriate, Revenue NSW will directly notify all customers affected by an unlawful disclosure of personal information within 28 days of the breach being reported. This is consistent with the IPC’s Data Breach Guidance.
The Privacy Commissioner and Revenue NSW have agreed on a notification process under section 117C of the Fines Act 1996:
- Revenue NSW will report the unauthorised disclosure to the Privacy Commissioner.
- Where the Privacy Commissioner considers it appropriate to contact the affected person(s), Revenue NSW will attempt to do so by using all reliable contact information that is available.
- If Revenue NSW successfully contacts the affected person(s), they will confirm any conversation in writing.
- If Revenue NSW is unable to contact the affected person(s), the matter will be closed. File notes are made to record the breach and the attempts to notify the affected person.
- Where the Privacy Commissioner considers it inappropriate to contact the customer, Revenue NSW will follow the advice and actions of the Privacy Commissioner.
In determining if it is inappropriate to contact the affected customer, the Privacy Commissioner will assess the nature of the disclosure, the number of people affected, and Revenue NSW’s proposed response to the unlawful disclosure, including any remediation taken or planned.
If Revenue NSW does not receive specific advice from the Privacy Commissioner within 5 business days, Revenue NSW will proceed with the actions it recommended to the Privacy Commissioner in its notification.
When would Revenue NSW not be required to notify an affected individual?
Revenue NSW does not need to notify an affected individual of an unlawful disclosure if the Privacy Commissioner advises that notification is not appropriate in the circumstances.
Examples of when notification would not be appropriate include where Revenue NSW does not have a reliable means of contacting the affected individual, or where the contact details it holds are not accurate or current.
What will the IPC do when it receives a notification from Revenue NSW?
Unless there are reasons to notify sooner, Revenue NSW has agreed to notify the Privacy Commissioner of any unlawful disclosure of personal information each week.
That notification will include all unlawful disclosures which have occurred since the previous notification. All Privacy Notifications made by Revenue NSW in accordance with section 117C of the Fines Act will be included in the Privacy Commissioner’s quarterly report on data breaches on the IPC website.
The IPC will assess the nature of the disclosure, the number of people affected, and Revenue NSW’s proposed response to the unlawful disclosure and provide guidance to the Agency where required.
What can you do if your personal information has been unlawfully disclosed by Revenue NSW?
As part of the notification process, Revenue NSW will provide affected individuals with:
- information about the breach, including when it happened
- a description of what data has been disclosed
- assurances (as appropriate) about what data has not been disclosed
- what it is doing to control or reduce the harm
- what steps the person/organisation can take to further protect themselves, and what the Privacy Commissioner will do to assist people with this
- contact details for questions or requests for information
- the right to lodge a privacy complaint with the Privacy Commissioner.
If an affected individual is not satisfied with Revenue NSW’s response to the unlawful disclosure of personal information, the individual can seek an internal review of that decision by Revenue NSW. The Privacy Commissioner may make submissions on that internal review.
More information about the internal review process under the PPIP Act is available in the IPC Fact sheet: Privacy complaints: Your review rights.
For more information
Contact the Information and Privacy Commission NSW (IPC):
Freecall: 1800 472 679
Email: ipcinfo@ipc.nsw.gov.au
Website: www.ipc.nsw.gov.au
[1] Nakhl Nasr v State of New South Wales; George Nasr v State of New South Wales [2007] NSWCA 101 at [127].