Offences under NSW privacy laws

Read the document below or download it here: Fact Sheet - Offences under NSW privacy laws October 2023

Who is this information for?

This information is for NSW public sector agency staff.

Why is this information important to them?

This fact sheet provides information on the offences contained in both the PPIP Act and HRIP Act, as well as the offences which are exclusive to the PPIP Act and HRIP Act.

The Privacy and Personal Information Protection Act 1998 (PPIP Act) and Health Records and Information Privacy Act 2002 (HRIP Act) prescribe offences for corrupt and improper misuse of personal information or health information.

In addition to setting out obligations to protect personal information agencies collect about individuals and creating responsibilities for the management and handling of personal information, the PPIP Act sets out offences relating to the corrupt and improper misuse of personal information. Similarly, the HRIP Act sets out offences relating to the corrupt and improper misuse of health information, in addition to the obligations to protect health information and responsibilities for the management and handling of health information.

Offences under the PPIP Act and HRIP Act

There are two offences under both the PPIP Act and HRIP Act relating to the corrupt disclosure and use of personal information by public sector officials:

  • The first offence is the disclosure or use of personal information about another person by a public sector official.[1] The disclosure or use must be intentional, and the public sector official must have or have had access to the personal information in the exercise of their official functions. However, disclosure or use in connection with the lawful exercise of the official functions of the official or in accordance with the Public Interest Disclosures Act 2022 is permitted.[2]
  • The second offence is inducing a public sector official to disclose personal information to which the official has access in the exercise of their official functions.[3] The inducement may be by way of a bribe or other similar corrupt conduct. The offence includes attempts to induce.

A reference to a public sector official here includes a person who was formerly a public sector official.[4]

Offering to supply personal information that has been disclosed unlawfully

It is an offence under the PPIP Act and HRIP Act to supply personal information that has been disclosed unlawfully.[5] This offence requires that a person offers to supply or holds themself out as being able to supply personal information that the person knows, or ought reasonably to know, has been or is proposed to be corruptly disclosed by a public sector official.

Where a person is convicted of this offence or the previous offence, the court may order the confiscation of any money or other benefit alleged to have been obtained by the person in connection with the offence and for that money or other benefit to be forfeited to the Crown.[6]

Offences under the PPIP Act

Disclosure by Privacy Commissioner or staff member

It is an offence under the PPIP Act for the Privacy Commissioner or a member of the staff of the Privacy Commissioner to disclose any information obtained in the course of their office, unless the disclosure is made with the consent of the person the subject of the information or for the purpose of discharging functions of the Privacy Commissioner or member of staff under the PPIP Act or any other Act.

Offences relating to dealings with Privacy Commissioner

The PPIP Act sets out a number of offences in relation to dealing with the Privacy Commissioner or a member of staff of the Privacy Commissioner. It is an offence for a person to:

  1. without lawful excuse, willfully obstruct, hinder, or resist the Privacy Commissioner or a member of staff of the Privacy Commissioner in the exercise of functions under the PPIP Act or any other Act, or
  2. without lawful excuse, refuse or willfully fail to comply with any lawful requirement of the Privacy Commissioner or a member of the staff of the Privacy Commissioner under the PPIP Act or any other Act, or
  3. willfully make any false statement to or mislead, or attempt to mislead, the Privacy Commissioner or a member of staff of the Privacy Commissioner in the exercise of functions under the PPIP Act or any other Act.[7]

It is also an offence under the PPIP Act if a person:

  1. is not the Privacy Commissioner—represents that they are the Privacy Commissioner, or
  2. has not been appointed under the PPIP Act as acting Privacy Commissioner—represents that they have been so appointed, or
  3. is not a person to whom a delegation has been made under the PPIP Act or the HRIP Act—represents that they are such a person, or
  4. is not a member of the staff of the Privacy Commissioner—represents that they are a member of that staff.[8]

Offences under the HRIP Act

Intimidation, threats or misrepresentation

The HRIP Act contains two offences involving intimidation, threats or misrepresentation:

  • It is an offence for a person to persuade or attempt to persuade a person by threat, intimidation or misrepresentation, to not make or pursue a request for access to health information, a complaint to the Privacy Commissioner or the Tribunal or an application under the PPIP Act with respect to the alleged contravention of a HPP or a health privacy code of practice or to withdraw such a request, complaint or application.[9]
  • It is also an offence for a person by threat, intimidation or false representation, to require another person to give a consent under the HRIP Act or to do an act without consent for which consent is required.[10]

What powers does the Privacy Commissioner have to investigate alleged offences?

The Privacy Commissioner has the power to investigate suspected privacy offences where the investigation is connected to a complaint and:

  1. the Commissioner decides to deal with the complaint;[11] or
  2. the Commissioner declines to deal with the complaint;[12] or
  3. the Commissioner decides to refer the complaint to a relevant authority.[13]

An investigation or inquiry by the Privacy Commissioner into a complaint cannot be conducted after a successful conciliation of the complaint. The Privacy Commissioner also does not have the power to conduct an inquiry or investigation in respect of a complaint that has been withdrawn prior to the Commissioner declining to deal with the complaint or referring it to a relevant authority.[14]

In conducting an inquiry or investigation into an alleged offence under the PPIP Act or HRIP Act, the Privacy Commissioner can issue to any person a written notice requiring that person to attend before the Commissioner at a specified time and place to give evidence, produce documents or other things in the person’s custody or control, and the person cannot refuse to do so.[15]

Who makes the decision to prosecute an alleged offence?

The PPIP Act, HRIP Act and the regulations made under those Acts do not identify a prosecuting authority. Where an Act does not expressly identify who has the right to commence prosecutions or proceedings, proceedings with respect to offences under that Act may be commenced by any person.[16]

The Privacy Commissioner can commence proceedings in respect of an alleged offence under the PPIP Act and HRIP Act. The Privacy Commissioner may also decide to refer the complaint or provide other information to a law enforcement agency.[17]

The decision to commence proceedings is discretionary and will be made in accordance with the Prosecution Guidelines of the Office of the Director of Public Prosecutions of New South Wales.[18]

Where is an alleged offence prosecuted?

Offences under the PPIP Act and HRIP Act are dealt with summarily by the Local Court.[19] Proceedings are commenced by the issuing of a court attendance notice.[20]

Proceedings for a summary offence must be commenced no later than six months from when the offence was alleged to have been committed.[21]

For more information

Contact the Information and Privacy Commission NSW (IPC):

Freecall: 1800 472 679
Email: ipcinfo@ipc.nsw.gov.au
Website: www.ipc.nsw.gov.au

NOTE: The information in this Fact Sheet is to be used as a guide only. Legal advice should be sought in relation to individual circumstances.

 

[1] PPIP Act section 62(1); HRIP Act section 68(1)

[2] PPIP Act section 62(3); HRIP Act section 68(3)

[3] PPIP Act section 62(2); HRIP Act section 68(2)

[4] PPIP Act section 62(4); HRIP Act section 68(4)

[5] PPIP Act section 63(1); HRIP Act section 69(1)

[6] PPIP Act section 63(2); HRIP Act section 69(2)

[7] PPIP Act section 68(1)(a)-(c)

[8] PPIP Act section 68(2)(a)-(d)

[9] HRIP Act section 70(1)(a)-(b)

[10] HRIP Act section 70(2)

[11] PPIP Act section 48; HRIP Act section 44(1)

[12] PPIP Act section 51

[13] PPIP Act section 51

[14] PPIP Act sections 45(6) & 51

[15] Refusing to comply with a written notice issued by the Privacy Commissioner under section 38 of the PPIP Act may give rise to an offence under Part 3 of the Royal Commissions Act 1923 (NSW)

[16] Criminal Procedure Act 1986 section 14

[17] PPIP Act section 47; RC Act section 12A

[19] PPIP Act section 70; HRIP Act section 74

[20] CP Act sections 173 and 174

[21] CP Act section 179(1)