Privacy Resources for Agencies

The IPC publishes useful resources to assist public sector agencies and citizens with information access laws in NSW. Click below to expand and view the resources. 

The PPIP Act: Agency systems, policies and practices
This guidance is provided to assist agencies in the performance of their responsibilities under the Privacy and Personal Information Protection Act 1998 (PPIP Act). It provides suggested actions to improve agency systems, policies and practices that relate to the handling and management of personal information under the PPIP Act.

UPDATED IPC Privacy Statement of Jurisdiction
This fact sheet has been developed to help citizens understand the IPC's privacy jurisdiction in NSW, how their privacy is protected, and what to do if they think their privacy has been breached.

Information Protection Principles (IPPs) for agencies
The 12 Information Protection Principles (IPPs) are your key to the Privacy and Personal Information Protection Act 1998 (PPIP Act).

UPDATED Health Privacy Principles (HPPs) for agencies
The 15 Health Privacy Principles (HPPs) are the key to the Health Records and Information Privacy Act 2002 (HRIP Act).

UPDATED Understanding your privacy obligations – for public sector staff
Under New South Wales privacy laws, public sector agencies and staff in New South Wales are responsible for protecting the privacy of personal information they collect.

Collection of COVID-19 vaccination information
A NSW public sector agency that collects, uses, stores, or discloses employee health information related to the COVID-19 vaccine must comply with the Health Privacy Principles (HPPs) under the Health Records and Information Privacy Act 2002 (HRIP Act).

Processing requests for personal information
How to process a request for information under the Privacy and Personal Information Protection Act 1998 or the Government Information (Public Access) Act 2009

Providing access to health information - guidance for health care providers
To assist Health Care Providers in understanding their obligations and responsibilities under NSW privacy laws

 Privacy-related complaints under the HRIP Act
This fact sheet is designed to assist individuals and organisations to understand how a privacy complaint relating to private sector organisations or persons will be managed when made to the NSW Privacy Commissioner.

Consent
This fact sheet has been designed to provide guidance to NSW public sector agencies and Health Care Providers in understanding the issue of consent in relation to Privacy laws in NSW.

De-identification of personal information
This fact sheet discusses the importance of de-identification and offers practical tips to agencies when de-identifying information.

Tips for reducing data breaches when sending emails
Many data breaches can easily be minimised using simple measures. This fact sheet provides useful tips on ways you can reduce the instances of inadvertent disclosures of information when sending emails.

Reasonably Ascertainable Identity 
This fact sheet offers interpretation and guidance on the meaning of 'reasonably ascertainable identity' as well as practical tips to help users determine if an individuals identity can be ‘reasonably ascertained’.

Digital projects
This fact sheet provides guidance to agencies on the information access and privacy issues they should consider where designing and implementing a digital project.

Privacy by design
Privacy by design ensures that good privacy practices are built into your organisation’s decision-making, as well as the design and structure of your information systems, business processes, products and services.

 Microsoft 365 platforms and agencies' compliance obligations
This fact sheet aims to provide guidance on the increasing use of Microsoft 365 platforms by public sector agencies, and the impact on agencies’ compliance obligations under the GIPA Act, PPIP Act, and HRIP Act.

The Role of the Privacy Commissioner: Consulting the IPC on Initiatives and Projects 
This fact sheet sets out the best practice approach to incorporating privacy and information governance into the design of an initiative or project. 

NSW Public Sector Agencies and data breaches involving tax file numbers
The Privacy Act 1988 (Cth) (the Privacy Act) established the Commonwealth Notifiable Data Breaches (NDB) scheme, which came into effect on 22 February 2018. Although the Commonwealth NDB scheme is aimed primarily at Commonwealth government agencies and private sector organisations regulated by the Australian Privacy Principles (APPs) under the Privacy Act, there are provisions that apply to NSW public sector agencies.

NSW Public Sector agencies and the GDPR 
To provide guidance to NSW public sector agencies in understanding the GDPR and in particular the effect for those NSW public sector agencies that offer goods or services to EU citizens

Privacy Commissioner’s right of appearance in the NSW Civil and Administrative Tribunal
This fact sheet has been prepared to provide citizens and agencies information about the Privacy Commissioner's right to appear and be heard in the NSW Civil and Administrative Tribunal in any administrative review of the conduct of a public sector agency under the PPIP Act and HRIP Act, as well as in related proceedings and appeals.

UPDATED Local councils' use of Closed Circuit TV (CCTV) cameras in public places
Local councils in New South Wales have an exemption from provisions under the Privacy and Personal Information Protection Act 1998 (PPIP Act) to use CCTV cameras in public places.

Developing mobile apps – know the risks
Privacy should be a top priority in the creative process. This checklist has been designed to provide agencies with information about the privacy implications of developing mobile apps.

NEW What is serious wrongdoing? Privacy Contravention
This fact sheet provides a framework for public officials to report serious wrongdoing and for those reports to be properly dealt with is vital for maintaining the integrity of the public service.

Offences under NSW privacy laws
This fact sheet provides information on the offences contained in both the PPIP Act and HRIP Act, as well as the offences which are exclusive to the PPIP Act and HRIP Act.

UPDATED Statutory guidelines HRIP Act
Statutory guidelines expand upon the Health Privacy Principles (HPPs) within the HRIP Act.

Statutory Guidelines on Research – section 27B

Guidance: Transborder Disclosure Principle – section 19(2)
These guidelines and the accompanying checklist are designed to be used by NSW public sector agencies that intend to disclose personal information to a recipient outside of NSW jurisdiction. 

NSW Genetic Health Guidelines
These guidelines accompany the amendments to the Health Records and Information Privacy Act 2002 (HRIP Act) made in early 2012.

Use or disclosure of health information for the management of health services 
Legally binding documents that define the scope of particular exemptions in the HPPs. 

Use or disclosure of health information for training purposes 
Legally binding documents that define the scope of particular exemptions in the HPPs. 

Use or disclosure of health information for research purposes 
See appendix C for HREC report form Word version
Legally binding documents that define the scope of particular exemptions in the HPPs. 

Collection of health information from a third party
Legally binding documents that define the scope of particular exemptions in the HPPs. 

The IPC has developed a toolkit titled, ‘The Essential Guidance Toolkit on information access and privacy fundamentals’ which includes fundamental regulatory guidance to ensure that agencies are able to meet their requirements under NSW information access and privacy legislation. It has been arranged on a functional basis that reflects agency, senior executive and decision-maker responsibilities.

The toolkit is available in different versions for public sector agencies and local government. Download the toolkit below:

Data Breach Prevention Checklist
This resource provides a useful list of internal checks where you can measure your current level of preparation under the headings of ‘People, Governance and Culture’, ‘Policy’, ‘Processes’, and ‘Technology’. Select the response that best reflects your agency to receive an overall summary. It also provides an action list for responding to a data breach.

UPDATED Consent
This Self-assessment checklist has been designed to assist agencies and their staff in the assessment of whether consent is required for the use and disclosure of personal information that the agency has collected and holds in the exercise of its functions.

UPDATED Preparing a public interest direction or code of practice
A checklist to assist agencies with the process of preparing a public interest direction or code of practice under the PPIP or HRIP Acts. This checklist outlines the preliminary steps an agency should undertake before seeking advice from the IPC.

Privacy for NSW public sector agencies
A comprehensive checklist to assist NSW public sector agency staff to comply with NSW privacy law and embed privacy practices into new procedures and services.

UPDATED Privacy Management Plan assessment checklist
A helpful tool public sector agencies can use to assess existing or draft privacy management plans.

Privacy Internal Review
Internal review checklist for respondent agency.

UPDATED Identifying privacy issues
During preparation of any proposal, a positive answer to any of the following questions will suggest early consultation with your Privacy Contact Officer.

UPDATED Checklist for public sector staff: responding to a request to access health information
Under Schedule 1 Health Privacy Principle 7 of the NSW Health Records and Information Privacy Act 2002 (HRIP Act), individuals have a right to access health information about themselves

NEW Checklist for reporting a PID alleging a privacy contravention
The checklist above ensures that sufficient information is submitted for the Privacy Commissioner (PC) to decide on action to take on a reported privacy contravention

Digital Restart Fund: assessing information access and privacy impacts
With the widespread increase in digital service delivery by government, the Information and Privacy Commission (IPC) has reviewed diverse digital projects from a range of agencies involving both government and non-government providers. These projects can contribute to better more effective outcomes through digital service delivery. They can also impact access information and privacy rights.

Transition to the cloud: Managing your agency's privacy risks
This guide has been designed to explain the key privacy risks that come with the use of cloud-based technologies by government, along with the potential impacts and maps out a framework for addressing these privacy risks across the entire cloud adoption lifecycle. 

Data Sharing and Privacy
This guidance includes key considerations that public sector agencies should address when considering to share data.

A Guide to Making Privacy Management Plans
Contains details on the requirements of a plan and helpful questions that public sector agencies can consider when writing one. 

Privacy and persons with reduced decision-making capacity
This guide is primarily intended to be used by NSW public sector agencies that handle personal information about adults with decision-making disabilities.

The Privacy Commissioner's Oversight role in internal reviews of privacy complaints
In this guidance document, the Privacy Commissioner's oversight role in internal reviews of privacy complaints is outlined.

Guide to Privacy Impact Assessments
This guidance document outlines the benefits of undertaking a Privacy Impact Assessment (PIA) and the basic steps of conducting a PIA.

NEW Guide to undertaking Privacy Impact Assessments on AI systems and projects
This guide is intended to support agencies in understanding, assessing and reducing privacy risks in relation to the use of AI systems and projects when undertaking Privacy Impact Assessments (PIAs).

Privacy Impact Assessment Questionnaire for Assessing Websites
This Privacy Impact Assessment (PIA) questionnaire (the Tool) is a collaboration between the IPC and elevenM, to support NSW public sector agencies in assessing their websites for privacy risks and identifying remediation actions. It has been developed to bring best-practice approaches and methodologies to NSW public sector agencies. This tool does not replace a complete PIA and should only be used to assist in identifying the privacy risks and areas for remedial action. Agencies should consider undertaking their own PIA after using the tool to identify any risks. The IPC acknowledges the materials published by elevenM in the production of this Tool: www.elevenM.com

Practice Guide: Redacting signatures on public facing documents
The purpose of this guidance is to provide public sector agencies with a framework to consider the redaction of signatures from information to be made publicly available and provide an overview of contemporary public interest considerations, including cybercrime and the risk of identity theft.

Seeking a Public Interest Direction under NSW privacy laws
This document provides a guide for seeking a Public Interest Direction (PID).

Guidance on Seeking a Public Interest Direction or Code of Practice for a linked data asset
This guidance provides agencies with information on the process for seeking a public interest direction or code of practice to authorise the use of personal or health information for the purpose of creating a linked data asset.

Guidance on the preparation and assessment of Privacy Codes of Practice under the PPIP Act and HRIP Act
Issued by the Commissioner

Data Breach Guidance for NSW Agencies
To provide guidance to NSW public sector agencies on Data Breaches

Privacy protocol for handling complaints
Issued by the Commissioner

Privacy complaint - internal review
Generic form for the use of agencies and the public to request and internal review in relation to a privacy complaint.

Animation - Privacy and Technology
Privacy risks can be mitigated when adopting new technologies by applying the core privacy principles for collecting, storing, securing, using, sharing and deleting personal information. Privacy Impact Assessments can help agencies understand the risks and how to mitigate them.

Form: Data Breach Notification to the Privacy Commissioner
This approved form sets out the information that agencies must supply to the Privacy Commissioner when making a notification of an eligible data breach, unless it is not reasonably practicable to provide that information.

Fact Sheet - Exemptions from notification to affected individuals
The MNDB Scheme requires that NSW public sector agencies (‘agencies’) notify affected individuals and the Privacy Commissioner when there has been an ‘eligible data breach’. This Fact Sheets outlines when an agency may not need to notify an individual. 

Guide - Guide to preparing a data breach policy
This Guide is designed to assist NSW public sector agencies to understand the type of information expected to be included in a Data Breach Policy (DBP) under the MNDB scheme. It sets out the Privacy Commissioner’s expectations in relation to what agencies should consider and document in their DBPs, to ensure compliance with section 59ZC of the PPIP Act.

Guide - Guide to managing data breaches in accordance with the PPIP Act
This Guide is intended to help NSW public sector agencies understand their roles and obligations under the MNDB Scheme. 

Guide - Guide to Regulatory Action under the MNDB Scheme
This Guide outlines the Privacy Commissioner’s regulatory approach to receiving and responding to mandatory notifications made under the MNDB Scheme and aims to provide clarity and transparency about the Privacy Commissioner’s regulatory approach and intent.

Guideline - Guidelines on the assessment of data breaches under Part 6A of the PPIP Act
This Guideline is intended to provide agencies with guidance on the process of undertaking an assessment to determine whether an eligible data breach has occurred, and the factors to consider when assessing where serious harm to affected individuals is likely to result from a data breach.

Guideline - Guidelines on the exemption for risk of serious harm to health or safety under section 59W
This Guideline is intended to provide agencies with guidance on the operation of the exemption under section 59W. This provision provides that the head of a public sector agency may decide to exempt the agency from notifying affected individuals if the head of the agency reasonably believes that notification would create a serious risk of harm to an individual’s health or safety.

Guideline - Guidelines on the exemption for compromised cyber security under section 59X
This Guideline is intended to provide agencies with guidance on the operation of the exemption under section 59X. This provision provides that the head of a public sector agency may decide to exempt the agency from notifying affected individuals if the head of the agency reasonably believes that notification would worsen the agency’s cyber security or lead to further data breaches.

Data Breach Self-assessment Tool for Mandatory Notification of Data Breach
This Self-assessment Tool is to assist NSW public sector agencies to determine whether a data breach is an eligible data breach under the MNDB Scheme.

Fact Sheet - Estimated cost of a data breach
This fact sheet will assist agencies to estimate the cost of a data breach for the purpose of notification under the MNDB Scheme.

Fact Sheet - Data breaches and contracted service providers
This fact sheet will assist agencies to determine whether a data breach involving a contracted service provider is an eligible data breach under the Mandatory Notification of Data Breach Scheme.

Glossary - Defining the causes of a data breach
This glossary will assist agencies to identity and define the cause of a data breach.