
Protecting Your Privacy

Introduction

The Privacy and Personal Information Protection Act 1998 (or PPIP Act) deals with how, as a public sector agency, Council must manage personal information that it collects and holds as a result of its activities.

The PPIP Act includes 12 information protection principles (IPPs), establishes methods for enforcement of privacy, establishes a mechanism for complaints, if you think that your personal information has been mishandled, and sets out the role of the NSW Privacy Commissioner.

You can find out more about our responsibilities in managing personal information as a result of the PPIP Act here. The information has been adapted to our specific circumstances from information available from Privacy NSW.

The Privacy and Personal Information Protection Act 1998 can be accessed here.

 

Privacy Code of Practice for Local Government

The Privacy and Personal Information Protection Act 1998 provides for the protection of personal information, and for the protection of privacy of individuals generally.

The Privacy Code of Practice for Local Government is made under Part 3 Division 1 of the PPIPA. The effect of this Code of Practice is to modify the Information Protection Principles contained in Part 2, Division 1 of the Act and the provisions of Part 6 of the Act as they relate to Local Government.

The Privacy Code of Practice for Local Government can be accessed here.

 

Definitions

What is privacy?
Privacy has sometimes been described as:

  • the right to be left alone, or
  • the right to exercise control over one's personal information, or
  • a set of conditions necessary to protect our individual dignity and autonomy.

What is personal information?
Personal information is any information or opinion about an identifiable person. This includes records containing your name, address, sex, etc., or physical information like fingerprints, body samples or your DNA.

Information protection principles

Information Protection Principles are legal obligations which describe what we must do when we collect, store, use and disclose personal information.

Collection

1. Lawful - when we collect your personal information, the information must be collected for a lawful purpose. It must also be directly related to our activities and necessary for that purpose.

2. Direct - your information must be collected directly from you, unless you have given your consent otherwise. Parents and guardians must give consent for minors.

3. Open - you must be informed that the information is being collected, why it is being collected and who will be storing and using it. We should also tell you how you can see and correct this information.

4. Relevant - we must ensure that the information is relevant, accurate, up-to-date and not excessive. The collection should not unreasonably intrude into your personal affairs.

Storage

5. Secure - your information must be stored securely, not kept any longer than necessary, and disposed of appropriately. It should be protected from unauthorised access, use or disclosure.

Access

6. Transparent - we must provide you with enough details about what personal information we are storing, why we are storing it and what rights you have to access it.

7. Accessible - we must allow you to access your personal information without unreasonable delay and expense.

8. Correct - we must allow you to update, correct or amend your personal information where necessary.

Use

9. Accurate - we must make sure that your information is accurate before using it.

10. Limited - we can only use your information for the purpose for which it was collected, for a directly related purpose, or for a purpose to which you have given your consent. It can also be used without your consent in order to deal with a serious and imminent threat to any person's health or safety.

Disclosure

11. Restricted - we can only disclose your information with your consent or if you were told at the time it was collected that we would do so. We can also disclose your information if it is for a related purpose and we don't think that you would object. Your information can also be used without your consent in order to deal with a serious and imminent threat to any person's health or safety.

12. Safeguarded - we cannot disclose your sensitive personal information without your consent, for example information about your ethnic or racial origin, political opinions, religious or philosophical beliefs, health or sexual activities or trade union membership. We can only disclose sensitive information without your consent in order to deal with a serious and imminent threat to any person's health or safety.

Public Registers

In addition to the Information Protection Principles, there are special rules in Part 6 of the PPIP Act that contain specific provisions regulating when we can disclose personal information contained in a public register, and when an individual can ask for their personal information to be suppressed from a public register.

What is a public register?

Under the PPIP Act a public register means a register of personal information that is required by law to be, or is made, publicly available or open to public inspection, whether or not on payment of a fee. We have the following public registers:

  • Land Register
  • Register of Pecuniary Interests
  • Part 4A certificates
  • Notification of adjoining premises of development proposals
  • Zoning certificates
  • Register of Consents and Approvals
  • Record of Building Certificates
  • Record of Approvals
  • Orders and notices issued under POEO Act
  • Rates Record

When can personal information be disclosed?

Generally, before disclosing personal information contained in a public register we must first establish the reason why access is being sought. We can only disclose personal information kept in the register if we are satisfied that the information is to be used for a purpose relating to the purpose for which the register is kept or the law under which the register is kept. These provisions prevail over any provisions of the law under which the register is established.

The Privacy Code of Practice for Local Government, however, provides that we may allow any person to inspect a publicly available copy of a public register in council premises, and copy a single entry or a page of the register without requiring the person to provide a reason for accessing the register and without determining that the proposed use of the register is consistent with the purpose of the register or the Act under which the register is kept.

In particular we do not require any person to provide a reason for inspecting the council's pecuniary interest register.

When can personal information be suppressed?

In some circumstances, where the safety or wellbeing of any person would be affected, an individual may request that his or her personal information not be made available to the public.

The PPIP Act says that where personal information is contained, or is proposed to be contained, in a public register that we keep, an individual can request us to:

  • remove or not place the information on the register; or
  • not disclose the information from the register to the public.

If we are satisfied that the safety or well-being of any person would be affected by not suppressing the personal information as requested, then we must suppress the information, unless we believe that the public interest in maintaining public access to the information outweighs any individual interest in suppressing the information.

If you wish to have your name suppressed from a public register that we keep, you need to satisfy us that the safety or well-being of you or any other person would be affected if your personal information was made available in a public register.

Contact our Privacy Contact Officer on 02 9789 9300 for more information or complete the Suppression of Personal Information from a Public Register form (43KB).

How do I obtain information about myself?

You have a right to find out what information we hold about you and to inspect it. You can also ask for records to be amended or corrected if the information about you is inaccurate, irrelevant or out of date.

Contact our Privacy Contact Officer on 02 9789 9300 for more information or complete the Access to Applicant's Personal Information form (39KB).

Can I obtain information about my neighbours?

You may request to inspect and copy a single entry from a public register. You would not, however, be able to obtain a copy of the whole register, or that part of the register for everyone in your street.

Different rules apply to information not held in a public register. You could only be given the contact details for the owner of your neighbouring property in one of these circumstances:

  • if the person has expressly consented, or
  • if the person was informed at the time of the collection of their personal information that their contact details would be disclosed to neighbours in this way, or
  • if we believe the disclosure is for a purpose that is related to the purposes for which we collected the information (eg. the purpose of levying and collecting rates), and we have no reason to think the person would object, or
  • we believe the disclosure of the person's personal information is reasonably necessary to lessen or prevent a serious and imminent threat to the safety of any person.

In addition, we would need to be satisfied that the disclosure would not be contrary to the public interest.

Complaints

If you feel that your privacy has been breached, there are different rules for making a complaint, depending on:

  • what your complaint is about;
  • who your complaint is about; and
  • when the conduct you are complaining about happened.

If your complaint is about council, you can request an internal review or make a complaint to Privacy NSW.

Generally you should request an internal review.

However in some special circumstances, you could choose instead to make a complaint to Privacy NSW. Contact Privacy NSW on 9228 8585 to find out if your case fits the definition of special circumstances.

Internal Reviews

What is an internal review?
An internal review is an internal investigation that is conducted into a complaint. Compliance with privacy obligations is assessed, and the applicant is informed of the findings and what will be done as a result.

How does an internal review work?
An internal review must be done by someone different to the person responsible for the conduct or decision complained about, and it will be overseen by Privacy NSW.

The Privacy Contact Officer undertakes internal reviews.

What we must do by law is:

  • notify Privacy NSW that we have received the application for internal review;
  • keep Privacy NSW informed of the progress of the internal review;
  • consider any relevant material submitted by the applicant or by Privacy NSW;
  • complete the review as soon as possible;
  • once the review is finished, notify the applicant and Privacy NSW of the findings of the review (and the reasons for those findings), and the action proposed to be taken;
  • notify the applicant of their right to have those findings, and the agency's proposed action, reviewed by the Administrative Decisions Tribunal.

Once the review is finished, we may take no further action, or we may do one or more of the following:

  • make a formal apology;
  • take remedial action (eg the payment of monetary compensation);
  • provide undertakings that the conduct will not occur again;
  • implement administrative measures to ensure that the conduct will not occur again.

What happens if I'm not satisfied after the internal review?
If the internal review is not completed within 60 days, or if the applicant is unhappy with the results of the internal review, they can ask the Administrative Decisions Tribunal to review the conduct or decision complained about. The Tribunal will assess whether or not the agency complied with its privacy obligations. The Tribunal may order the agency to change its practices, apologise, or take some steps to remedy any damage suffered.

Are there any limits on a request for an internal review?
Internal review is only available if:

  • the complaint is against a NSW public sector agency, and
  • the complaint is about an agency's handling of personal information or health information, and
  • the applicant has been aggrieved by the agency's conduct.

A critical issue is when the conduct occurred. If the conduct complained about happened before 1 July 2000, the person cannot seek an internal review. If the conduct complained about happened on or after 1 July 2000, the person can seek an internal review, subject to other time limits (see more about time limits below).

What does 'conduct' mean?
'Conduct' can include an action, a decision, or even inaction by an agency. For example the conduct complained about could be:

  • a decision to refuse a person access to their personal information, or
  • the action of disclosing a person's personal information to another person, or
  • the inaction of a failure to protect a person's personal information from being inappropriately accessed by someone else.

Are there any time limits for requesting an internal review?
Yes. In general, a person must lodge their request for internal review within 6 months of them first becoming aware of the conduct complained about. If they wait more than 6 months, the agency can decline the request, and they cannot appeal the agency's decision. Sometimes an agency will allow a person extra time because of special circumstances, but they don't have to.

How can a person lodge a request for an internal review?
To lodge a request for an internal review the applicant must send an application in writing, and they must specify an address in Australia for writing back to them. Obtain an internal review application form by phoning the Privacy Contact Officer on 02 9789 9300 or print the form from the link below, complete it and then send it to the address listed on the form.

 Download priv_internal_form2.pdf Internal review application form (52KB)

Privacy Management Plan

The Privacy and Personal Information Protection Act 1998 ("PPIPA") provides for protection of personal information and for the protection of the privacy of individuals. You can find the Privacy Management Plan in our Policy Register.

 


Last Updated 23-Nov-2011