Checklist for reporting a PID alleging a privacy contravention
Read the document below or download it here: Checklist - Checklist for reporting a PID alleging a privacy contravention October 2023
|
Who is this information for? |
This checklist is for NSW Agency staff to report a privacy contravention. |
|---|---|
|
Why is this information important to them? |
The checklist below ensures that sufficient information is submitted for the Privacy Commissioner (PC) to decide on action to take. |
The checklist below ensures that sufficient information is submitted for the Privacy Commissioner (PC) to decide on action to take.
|
|
Topic |
Detail |
|---|---|---|
|
1 |
Name and contact details (optional) |
Anyone is entitled to make an anonymous complaint, but this may affect the effectiveness of any actions. The Privacy Commissioner may need to verify matters or obtain further details which can be difficult without contact information. In addition, the Privacy Commissioner will not be able to advise the complainant of any decisions or action on the matter. |
|
2 |
Names of NSW agencies and public sector officials or other persons involved |
Provide the names and positions of the officials or other persons involved if known. |
|
3 |
How you became aware of the matter |
Include any relevant dates and the name and position of any person with whom you interacted or observed. |
|
4 |
A summary of the matter |
Include names, any relevant dates, locations and all other relevant information. |
|
5 |
Other people aware of the matter |
Include the names and contact details of other people who may be able to assist the Privacy Commissioner. |
|
6 |
Other organisations contacted |
Provide the names of any organisations or regulators the matter was reported to, the date of contact and their response. |
|
7 |
Documentary evidence |
Include details on any relevant documents or other information that may help the Privacy Commissioner in the assessment. This may also include the timing of any access applications made and outcomes and any previous informal requests for information and outcomes. The actual documentation does not need to be included in the report. |
|
8 |
Consent to disclose identity (optional) |
If the Privacy Commissioner considers it may be necessary to refer the complaint to another agency or decides to investigate, the complainant may need to be identified, or the complainant’s identity could reasonably be inferred from the nature of the complaint as the source of information. Please note that while the Privacy Commissioner will regard any wishes for the identity to be kept confidential, there may be a limit to what the Privacy Commissioner can consider or investigate whilst preserving confidentiality. |
You can make a disclosure to the Privacy Commissioner under the PID Act
The Public Interest Disclosures Act 2022 (PID Act) provides protection for a public official making a disclosure to the Privacy Commissioner that:
- is a failure, other than a trivial failure, by an agency or public official to exercise functions in accordance with the Privacy and Personal Information Protection Act 1998 or the Health Records and Information Privacy Act 2002;and
- is a disclosure of information that the person making the disclosure honestly believes, on reasonable grounds, shows or tends to show that a public authority or another public official has engaged, is engaged or proposes to engage in a privacy contravention.
What is a privacy contravention?
Examples of a privacy contravention include:
Personal information:
- a public official unlawfully accessing a person’s personal information, for their personal use or for another non-work-related matter, on a database that is used by an agency to retain customer information
- a public sector official unlawfully disclosing personal information from an agency’s systems in return for a corrupt payment from a third party.
- a public sector official offering to supply personal information that has been obtained unlawfully from an agency’s systems to a third party.
Health information:
- unlawfully accessing someone’s health information on an agency database and then disclosing this to a third party
- a public sector official threatening or using false information to require another person to give consent under the HRIP Act
- a public sector official threatening, intimidating or using false information to prevent another person from requesting access to their health information.
What is an offence under the PPIP and HRIP Act?
There are two offences under both the PPIP Act and HRIP Act relating to the corrupt disclosure and use of personal information by public sector officials:
- The first offence is the disclosure or use of personal information about another person by a public sector official.[1] The disclosure or use must be intentional and the public sector official must have or have had access to the personal information in the exercise of their official functions. However, disclosure or use in connection with the lawful exercise of the official functions of the official or in accordance with the Public Interest Disclosures Act 2022 is permitted.[2]
- The second offence is inducing a public sector official to disclose personal information to which the official has access in the exercise of their official functions.[3] The inducement may be by way of a bribe or other similar corrupt conduct. The offence includes attempts to induce.
There are also offences are about the behaviour or conduct of persons and public officials, either by way of deliberate conduct or taking action or, alternatively, deliberately or knowingly not taking action.
For further information see the IPC fact sheet on offences under the PPIP Act.
How does the IPC manage reports or complaints about privacy contraventions?
The Privacy Commissioner will apply the following principles in assessing a report or complaint made about privacy contraventions:
- Impartiality
- Procedural Fairness
- Confidentiality
- Communication
- Standard of proof
- Rules of evidence.
The IPC deals with all matters in a professional, objective, unbiased and fair manner.
Protection
Confidentiality is one of the main protections available under the PID Act. A complaint made to the Privacy Commissioner will be treated confidentially.
The Privacy Commissioner or her delegate will keep the identity of a person who makes a public interest disclosure confidential, where this is practical and appropriate. However, there may be circumstances where it may be necessary for information to be disclosed that may identify the person who has reported wrongdoing. In this situation, we will always discuss this with you prior to us taking any action.
Receiving a report or complaint
All complaints and reports received are carefully considered by the IPC and decisions are made about appropriate action. Following a report or complaint about privacy contraventions the IPC will:
- register the matter on a database
- acknowledge receipt of the matter
- ask the complainant for more information if necessary
- if the matter is within the IPC’s jurisdiction, conduct an assessment, and then determine the action on the report or complaint.
Action on a report or complaint
Following assessment, further action to address the issues may include:
- investigate, either agency systems policies and practices under the Privacy and Personal Information Protection Act 1998 or the Health Records and Information Privacy Act 2002
- develop advice for the agency concerned, or all agencies if the matter is about systemic problems and there is a gap in the guidance available to agencies on the systemic problems
- refer the matter to another agency if it is outside the authority of the IPC
- take no action because the matter complained about is a reviewable decision under the PPIP or HRIP Act.
Importantly, while not all complaints are investigated, all complaints are recorded so further action can be taken if a pattern of complaints or non-compliance emerges in the future in relation to the agency complained about.
Advising the complainant
The IPC aims to notify the individual who submitted the allegations of privacy contravention of the planned action and reasons as soon as possible. Wherever possible the person who has made the complaint will be kept informed about how the IPC is dealing with the matter.
Investigate
If an investigation is required under either the PPIP or HRIP Act the Privacy Commissioner is required to:
- give notice of the decision to investigate;
- give the complainant and the agency an opportunity to make submissions on the subject matter of the investigation;
- in the case where there may be adverse comments about a person or agency, that person or agency is informed and is also given an opportunity to make submissions;
- prepare a report on the investigation and may provide the report to the Minister responsible for the agency, the principal officer of the agency, and the complainant.
Outcomes
Outcomes of an investigation must be reported.
The IPC may refer the outcome of an investigation into a complaint about conduct that may constitute an offence to the Director of Public Prosecutions.
Public Interest Disclosures: Complaint procedures and processes
|
Receive complaint identified as made under the PID Act |
|
|
Assessment of complaint |
|
|
Dealing with complaint |
|
|
Conclude |
|
|
Reporting |
|
For more information
Contact the Information and Privacy Commission NSW (IPC):
Freecall: 1800 472 679
Email: ipcinfo@ipc.nsw.gov.au
Website: www.ipc.nsw.gov.au
NOTE: The information in this checklist is to be used as a guide only. Legal advice should be sought in relation to individual circumstances.
