As a senior executive, you can play a positive role in managing private personal and health information as an organisational asset. By doing so, you will encourage others to comply with NSW privacy legislation and contribute to your agency’s success and reputation. 

The following information should help you better understand privacy risks and opportunities, and address your role and responsibilities in relation to privacy management under the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act). 

Implementing a ‘privacy by design’ approach

An effective privacy governance framework is a good resource to embed into your agency. It benefits everyone and begins with leadership by the head of your agency. The framework helps clarify each person’s role in managing privacy and ensures that everyone is held to account. Once appropriate and adequate policies, processes, systems and reporting tools are in place, privacy management will seamlessly integrate into your business-as-usual practices. This will help foster a culture where staff members view privacy as an asset, not as a liability.

Use the following checklist to ensure that your workplace is managing privacy for the benefit of your agency and the people of NSW.

  • Do roles in my agency have clearly articulated privacy management responsibilities? Are the people in these roles aware of their own individual accountabilities? Remember that privacy is everybody’s business.
  • Do I have a forum where I can discuss privacy management issues and risks pertaining to my agency? You are ultimately responsible for ensuring that your agency is adequately managing privacy.
  • Does my agency have any mechanisms in place to detect privacy breaches? This may include an internal incident management framework that encourages staff members to report privacy breaches when they occur, allowing appropriate steps to be taken to remediate the breach.
  • Does my agency have any mechanisms in place to prevent a privacy breach from occurring? This may include IT security safeguards to prevent the inadvertent disclosure of information.
  • Are my agency’s privacy management plans, policy and procedures adequate and up to date?
  • Is privacy considered a part of my agency’s change management framework?
Other roles and responsibilities in your agency

While the mix of roles and responsibilities will vary depending on your agency’s size and circumstances, when privacy is being adequately and effectively managed:

  • the Audit and Risk Committee and security experts identify and monitor privacy breaches and the agency’s learnings from them, and ensure risk frameworks adequately consider the impacts of privacy risks
  • your agency's Privacy Contact Officer develops and administers privacy management plans, procedures and internal reviews, and is sufficiently expert to inform agency staff and members of the public about privacy issues
  • managers consider privacy issues, implement privacy policies and procedures, and manage the handling of personal information across their business unit activities (projects, programs and services)
  • front line staff members comply with the policies and procedures set out by the agency
  • your Human Resources function inducts new staff members and trains them about the agency’s privacy policies and procedures
  • your Governance and Legal functions ensure and manage legal compliance, assist with reporting, and provide advice about the agency’s privacy obligations and needs for flexibility.

The PPIP Act and HRIP Act
NSW public sector agencies often need to collect, store and use personal and health information to provide services such as transport, health and education. Public sector agencies are legally required to abide by certain principles to ensure privacy is protected.

The Privacy and Personal Information Protection Act 1998 (PPIP Act) outlines how NSW public sector agencies must manage personal information and the functions of the NSW Privacy Commissioner.

The PPIP Act applies to all NSW public sector agencies, statutory authorities, universities, local councils and other bodies whose accounts are subject to the Auditor-General's inspection and audit.

What is personal information?

Section 4 of the PPIP Act defines ‘personal information’ as “information or an opinion (including information or an opinion forming part of a database and whether or not in a recorded form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”.

There are some exemptions from the definition of personal information; for example, personal information about someone who has been dead for more than 30 years.

Information Protection Principles

The PPIP Act includes 12 Information Protection Principles (IPPs). These are legal obligations that NSW government agencies, statutory bodies and local councils must abide by when they collect, store, use or disclose personal information.

Exemptions may apply. The Privacy Contact Officer in your agency or the Information and Privacy Commission (IPC) can provide further advice.

The 12 information protection principles

Collection
1. Lawful
2. Direct
3. Open
4. Relevant

Storage
5. Secure

Access and accuracy
6. Transparent
7. Accessible
8. Correct

Use
9. Accurate
10. Limited

Disclosure
11. Restricted
12. Safeguarded

For more information on the above principles, see the IPC fact sheet: Information protection principles (IPPs) for agencies.

The HRIP Act

The Health Records and Information Privacy Act 2002 (HRIP Act) outlines how NSW public sector agencies and health service providers manage the health information of members of the NSW public.

The HRIP Act applies to organisations (public sector agencies or a private sector person) that are health service providers or that collect, hold or use health information. This includes hospitals (public and private), doctors, other health service providers and any other organisations that handle health information - such as universities that undertake research, gyms that record information about members' health, physiotherapists and so on. More specifically, the HRIP Act applies to:

  • public sector agencies
  • private sector organisations that provide a health service or that collect, hold or use health information
  • private sector organisations, including some businesses that are related to another business, where that other business has an annual turnover of more than $3 million and collects, stores or uses health information.

What is personal health information?

Personal health information is a specific type of personal information and may include details about physical or mental health, or disability. This could be personal information provided to any health organisation; health information maintained by an organisation that generally holds health information (including insurers, gyms and health services); organ donation information; or genetic information.

Section 6 of the HRIP Act sets out the legal definition of ‘health information’.

Health Privacy Principles

The HRIP Act sets out 15 Health Privacy Principles (HPPs) - legal obligations that NSW public sector agencies and private sector organisations must abide by when they collect, hold, use and disclose a person’s health information.

Exemptions may apply. The Privacy Contact Officer in your agency or the IPC can provide further advice.

The 15 health privacy principles

Collection
1. Lawful
2. Relevant
3. Direct
4. Open

Storage
5. Secure

Access and accuracy
6. Transparent
7. Accessible
8. Correct
9. Accurate

Use
10. Limited

Disclosure
11. Limited

Identifiers and anonymity
12. Not identified
13. Anonymous

Transferrals and linkage
14. Controlled
15. Authorised

For more information on the above principles, see the IPC fact sheet: Health privacy principles (HPPs) for agencies.

Other considerations

  • The IPPs and HPPs are complemented by other mechanisms, including codes of practice (where applicable), privacy management plans and complaints management protocols. Agencies must comply with these core requirements.
  • If your agency is bound by the PPIP Act, it should also have a privacy management plan (PMP) that reflects the privacy governance framework, and explains:
    • your agency’s policies and practices for complying with the PPIP Act and HRIP Act
    • how your agency will make staff members aware of these policies and practices
    • your agency’s procedures for dealing with privacy internal reviews
    • other relevant matters relating to the protection of any personal and health information that your agency holds.

    All PMPs must be submitted to the Privacy Commissioner for consideration and approval. As a senior executive, you can refer to the PMP when communicating how your agency uses and manages information.

  • Individuals have the right to see and correct their personal and health information. Individuals aggrieved by an agency’s conduct can also seek an internal review from that agency or make a complaint to the Privacy Commissioner. Agencies must notify the Privacy Commissioner of any internal reviews.
  • Under the PPIP Act and the HRIP Act, the Privacy Commissioner may investigate and conciliate a complaint, or initiate an ‘own motion’ investigation into privacy-related matters.
  • The Privacy Commissioner also monitors and reports on the PPIP Act’s operation as part of the Commissioner's oversight role.