Privacy Reviews

The NSW Civil and Administrative Tribunal (NCAT), formerly known as the Administrative Decisions Tribunal, is where a complaint about handling of personal or health information can be heard.

What role does the Privacy Commissioner have in NCAT?

The NSW Privacy Commissioner is notified of applications to NCAT and has a right to appear and be heard in privacy matters before NCAT.

The Privacy Commissioner's role in NCAT is not about supporting or advocating for either party, but to assist in the legal interpretation of NSW privacy legislation.

How can a case be heard by NCAT?

There are two ways in which a privacy case can be heard by NCAT.

  1. A complaint about the handling of personal or health information by a NSW public sector agency, after it has first been through an internal review or the timeframe has been exceeded.
  2. A complaint about the handling of health information by a private sector person or organisation after it has been investigated and a report made by the Privacy Commissioner.

What can the NCAT do?

If you make an application for your privacy complaint to be heard by NCAT, NCAT will review whether or not the agency or organisation abided by its duties in protecting your privacy. It will look at the issues and judge according to the rules and standards that apply in that situation, such as:

  • Information Protection Principles (IPPs) and Health Privacy Principles (HPPs) 
  • public register provisions
  • codes of practice and other exemptions
  • special rules for private sector organisations on keeping and giving access to health information.

NCAT can make binding decisions that the agency or organisation must follow. For example, it can order the agency or organisation to change its codes of practice, apologise, or take action to address any damage.

When can compensation be ordered?

Compensation can only be ordered in limited circumstances, for example if you have suffered loss or damage (financial, psychological, and physical) as a direct result of the breach of privacy.

There are maximum financial limits and time limits for lodging and receiving compensation. The following time limits for lodging a case are recommendations, as the Privacy and Personal Information Protection Act 1998 (PPIP Act) does not define time limits, and NCAT has its own rules. We urge you to err on the side of caution and seek further advice if needed.

Public sector agency

Financial limit: Up to $40,000 for a breach of a privacy or health privacy principle or the public register rules.
Time limit for lodging a case: From day 61 after lodging an internal review if the review has not been completed OR 28 days from the completion date of the review.
Time limit for ordering of compensation: For a breach of an IPP, the public register provisions or an HPP by a public sector agency, the conduct must have occurred after 1 July 2001.

Private sector organisation

Financial limit: Up to $40,000 for a breach of a health privacy principle or special rules.
Time limit for lodging a case: 28 days from the date the report from IPC was received.
Time limit for ordering of compensation: For a breach of an HPP by a private sector organisation, the conduct must have occurred after 1 September 2005.

Private sector person (e.g. a GP)

Financial limit: Up to $10,000 for a breach of a health privacy principle or special rules.
Time limit for lodging a case: 28 days from the date the report from IPC was received.
Time limit for ordering of compensation: For a breach of an HPP by a public sector person, the conduct must have occurred after 1 September 2005.

How do I prepare an application to NCAT?

A case in NCAT is like a hearing in court involving legal arguments. If you are considering lodging a case, you might want to consider arranging legal representation or representing yourself.

There are forms and fees involved in applying for an NCAT hearing. More information can be found on the NCAT website: http://www.ncat.nsw.gov.au.

There are resources available to help you decide whether or not to apply to the NCAT and assist the community, agencies, and organisations in how to run their case. Resources include:

  • explanations of the relevant privacy standards
  • links to exemptions
  • cases previously heard by the Tribunal.

We also suggest that you contact LawAccess, which is a free legal advice service run by the Department of Justice.

Will my name be mentioned in the NCAT case?

Privacy cases heard by the NCAT may also be listed on the following websites:

NSW Caselaw – http://www.caselaw.nsw.gov.au

AustLII – http://www.austlii.edu.au/

Your name can be removed from the online version if you ask the NCAT to do so. If you do not want your name published at all (for example in the daily court lists) you should ask the NCAT staff about whether you can have your name withheld when you lodge your application.

Where can I get more information?

Please visit the NCAT website for more details: http://www.ncat.nsw.gov.au or contact them on 1300 006 228.