Revenue NSW invests strongly in preventing, monitoring and responding to privacy and cybersecurity risks and threats. We have dedicated teams who work across the business and department to provide support in the privacy and information security space. We also take active steps to prevent fraud from compromised customer data from major data breaches.

Our customers and stakeholders expect data and information to be treated with the utmost care. Revenue NSW gives priority to protecting the privacy of your personal information. We do this by handling personal information in a responsible manner and in accordance with the NSW Privacy Laws.

Revenue NSW shows this strong commitment to privacy and cyber security by embedding Always Secure as a key pillar in our Aspire 2032 Strategy.

Safeguarding data and information is becoming more complex. There is an ever-growing need for all of us to be aware and help to prevent or respond to the threat. If you have any privacy or cyber security concerns or ideas for improvement, please email the Revenue NSW Privacy Officer.

This Privacy Policy sets out how Revenue NSW collects, stores, uses and discloses personal information.

Where required by law, we will provide you information (in the form of a Privacy Collection Notice or other privacy disclosure documentation) specific to the services you want to obtain from us or specific to your dealings with us.

Revenue NSW’s Privacy Policy applies to personal information and health information collected and/or held by Revenue NSW. To avoid confusion this Policy specifically refers to personal and health information as ‘personal information’ and not data.

For further information on how we collect your personal and health information, see the Revenue NSW Privacy Management Plan. This Privacy Management Plan sets out how Revenue NSW complies with the principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act).

Our privacy obligations

Revenue NSW is governed by the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act). Revenue NSW is also subject to special secrecy and disclosure provisions in legislation administered by Revenue NSW.

“Personal information” means information or an opinion about an individual (or an individual who could be reasonably identified) whether the information is true or not, and whether the information is recorded in a material form or not, as defined in section 4 of the Privacy and Personal Information Protection Act 1998 NSW.

As an example, personal information can be information that identifies you. Personal information could include:

• a record which may include your name, address and other details about you
• photographs, images, video or audio footage

For examples of what is personal information, see below under ‘What personal information we collect and hold’.

What is ‘health information’?

“Health information” is sensitive information under the HRIP Act. This means there are added restrictions on how health service providers can handle health information compared to other types of personal information.

What personal information we collect and hold

The personal information collected and maintained by Revenue NSW generally includes:

• your name
• date of birth
• gender
• address
• contact details, and
• information specific to your dealing or enquiry with us.

We collect and hold a broad range of personal information relating to:

• individuals and entities that may be liable for taxes, fines or fees, or claiming grants or unclaimed money
• complaints (including complaints relating to privacy)
• requests made to us under the Government Information Public Access Act 2009 (GIPA)
• legal advice provided by internal and external lawyers, and
• the performance of our legislative and administrative functions.

How we collect personal information

Revenue NSW may need to collect your personal information to assist you with your transactions and provide further information about related transactions or services from government or related partner agencies. We can collect personal information:

• directly from you
• from someone you authorise on your behalf, or
• in certain circumstances, from other Australian, state and territory government bodies or other organisations. The legislation we administer often authorises us to do so.

We may ask you to provide us with information over the telephone, through our website, by filling in a paper form, or meeting with us face-to-face. We will give you a Privacy Collection Notice at the time to explain how we will use the personal information we are asking for. The notice may be written or verbal.

You might also provide your personal information to us without us directly asking for it - for example, if you engage with us on social media.

Information that we generate ourselves

We maintain data relating to the interactions we have with customers, including the services we have provided to you.

We collect limited information about users of our websites, for diagnostic and analytic purposes. We use cookies and gather IP addresses to do so, but we do not trace these back to individual users. For more information about the information we collect when you use our website, refer to 2.4 What information we collect and hold.

Links to other sites

On our website, we may provide links to third party websites such as government or related partner agencies. These linked sites are not under our control, and we cannot accept responsibility for the conduct of these companies. Before providing your personal information via any other website, we advise you to examine the terms and conditions of using that website and its privacy policy.

How we use personal information

Most of the personal information Revenue NSW collects will be used to assist customer service transactions and administer the legislation for which Revenue NSW is responsible. This may involve another Government agency. Your personal information will be used for the purpose for which it was collected or a directly related secondary purpose. It may also be used in an emergency situation to help prevent a serious and imminent threat to life or health, for law enforcement purposes, or where we are authorised or required to do so by law.

We may use your personal information for the following purposes:

• administer taxes, fines, fees, grants or unclaimed money for which we are responsible,
• provide technical or other support to you,
• answer your enquiry, or to respond to your complaint,
• manage our employment or business relationship with you,
• promote our other programs or services which may be of interest to you (unless you have opted out from such communications),
• provide process improvement initiatives,
• comply with legal and regulatory obligations,
• for a purpose otherwise permitted or required by law, or
• for other purposes with your consent, unless you withdraw your consent.

The legislation that Revenue NSW administers may authorise us to use the information we have collected for one purpose to be used for another purpose. For example, we may use information collected for tax purposes to assist with other Revenue NSW functions such as fines, state debt, unclaimed money and grants, and vice versa.

We will only keep personal information about you to use for the above purposes and for retention periods determined by legislation and our partner agency obligations.

Protecting your information

Revenue NSW will take reasonable security measures to protect personal information from loss, unauthorised access, use, modification or disclosure, or other misuse. We will ensure personal information is stored securely, not kept longer than necessary, and disposed of appropriately. How we collect and handle your personal information is subject to the PPIP Act and HRIP Act.

What is a ‘data breach’?

A data breach happens when your personal information is accessed or disclosed without authorisation or is lost. The following analysis and examples provide some guidance on the meaning of these words.

• Unauthorised access of personal information happens when your personal information that is held by Revenue NSW is accessed by someone who is not permitted to have access. This can include access by an employee, an independent contractor, or an external third party (such as by hacking). Examples of unauthorised access include:
  • an employee browsing sensitive customer records without any legitimate purpose
  • a computer network attacked by a hacker accessing your personal information without authority.

• Unauthorised disclosure happens when Revenue NSW, whether intentionally or unintentionally, makes personal information accessible or visible to others outside of Revenue NSW. This includes an unauthorised disclosure by an employee of the Revenue NSW.
  For example, an employee accidentally publishes a confidential data file on the internet containing personal information
• Loss of personal information happens when your personal information that is held by Revenue NSW is lost and there is a risk it could cause unauthorised access or disclosure.
  For example, where an employee leaves personal information (including hard copy documents, unsecured laptop, or USB containing personal information) on public transport.
• Note: A loss of personal information will not be considered a data breach if the information is not likely to cause unauthorised access or disclosure. For example:
  • if the personal information is remotely deleted before an unauthorised person could access the information, or
  • if the information is encrypted to a high standard making unauthorised access or disclosure unlikely.

Reporting data breaches

Any reporting of privacy and data breaches by Revenue NSW will be consistent with guidelines produced by the NSW Information Privacy Commissioner (IPC) and the Office of the Australian Information Commissioner (OAIC).

We will also report on breach notifications to the IPC with analysis in a monthly report to the Revenue NSW Executive.  This report will include:

• Overall data breach statistics and internal reviews or complaints received as a direct response to the breach
• Analysis of those statistics, and
• IPC specific data including the number of breach notifications notified to the IPC, actions taken in response to advice suggested by the IPC (including where a decision is made to not adopt such advice, and the reasons for not doing so).

Responding to data breaches

Contact the Revenue NSW Privacy Officer at Revenue NSW if you believe there has been a data breach.

Individuals and organisations affected by a breach will be notified as soon as practicable. Where there are no extenuating circumstances, we will notify within five working days of the breach being reported. Circumstances where it may be appropriate to delay notification include where notification would compromise an investigation into the cause of the breach or reveal a software vulnerability.

Direct marketing and your privacy

From time to time, we may use your personal information to advise you about, or offer you other, services that may be relevant and of interest to you, or to seek your feedback about the service we have provided you. Personal information you or an associated party have provided us will be held on file for marketing purposes until you opt out of receiving such information. If you do not want to receive these offers from us, please email our Privacy Officer.

When we disclose personal information

We may disclose your personal information to third parties for the following purposes:

• if necessary, to provide the service you have requested
• if otherwise permitted or required by law,
• when you nominate someone else for a fine, they may be provided your name and no other details, or
• for other purposes with your consent.

The legislation that Revenue NSW administers often contains specific powers for us to share the information we have collected with certain other entities. This includes sharing:

• for the purposes of administering fines, fees, taxes and grants
• with certain Commonwealth agencies such as the Australian Taxation Office, Australian Securities and Investments Commission and the Australian Charities and Not-for-profits Commission
• with other State and Territory revenue offices, and
• with certain NSW government agencies or officeholders such as the NSW Ombudsman and State Insurance Regulatory Authority.

Our third-party service providers

The personal information of our customers, staff, suppliers and other contacts may be held on our behalf outside Australia, including ‘in the cloud’, by our third-party service providers. Our third-party service providers are bound by contract to use your personal information only on our behalf, under our instructions.

Our third-party service providers include (but not exclusively):

Other disclosures and transfers

Revenue NSW may collect, use and disclose more extensive information than stated in this Policy to deal with the following circumstances:

• unauthorised tampering or interference with files published on the Revenue NSW site
• attempts to intercept messages of other users of the Revenue NSW site
• communications that are defamatory, abusive, vilify individuals or groups, or which give rise to a suspicion that an offence is being committed, or
• attempts to otherwise compromise the security of any Revenue NSW computer system, breach the laws of the State of New South Wales or Commonwealth of Australia, or interfere with the enjoyment of the Revenue NSW site by other users.

Revenue NSW reserves the right to make disclosures to relevant authorities where the use of the Revenue NSW site raises a suspicion that an offence is being, or has been, committed. In the event of an investigation, Revenue NSW will provide access to data to any law enforcement agency that may execute a warrant to inspect our data or system activity.

Accessing or correcting your personal information

You have the right to request access to the personal information Revenue NSW holds about you and to request a correction. To find out more about your right to your information, visit the right to information page.

To contact our Privacy Officer

If you have an enquiry or a complaint about the way we handle your personal information, or to seek to exercise your privacy rights in relation to the personal information we hold about you, you may contact our Privacy Officer as follows:

By post:

Privacy Officer
Revenue NSW
GPO Box 4042
Sydney NSW 2001

By email: [email protected]

While we endeavour to resolve complaints quickly and informally, if you wish to proceed to a formal privacy complaint, we request that you make your complaint in writing to our Privacy Officer, by mail or email as above. We will acknowledge your formal complaint within 10 working days.

Your rights

Internal Review

If you believe your privacy has been breached through actions by Revenue NSW, you can apply for an internal review of the conduct that led to the breach. If you decide to lodge a request for a privacy internal review, please complete the IPC application for an internal review and lodge it with the Revenue NSW Privacy Officer (see above contact details). All internal reviews will be conducted by the Department of Customer Service’s Government Information (Public Access) Act 2009 (GIPA) and Privacy team.

Requests for internal review should be sent to [email protected] or [email protected] and needs to:

• be in writing
• be addressed to either Revenue NSW or the Department of Customer Service, and
• include a return address in Australia.

If the applicant is not literate in English and/or their first language and there is no organisation making the application on their behalf, the GIPA and Privacy team will use a professional interpreter where necessary.

What you can expect from us

Your application will be acknowledged in writing and the acknowledgement will include an expected completion date.

Either an officer in the Department of Customer Service Privacy Team (if they were not involved in the conduct which is the subject of the complaint), or another person not involved in the conduct which is the subject of the complaint, who is an employee or an officer of Department of Customer Service and is qualified to deal with the subject matter of the complaint, will conduct the review.

The internal review will be completed within 60 days of receiving your application and we will inform you of the outcome of the review within 14 days of completing it. If the review is not completed within this time, you have the right to seek external review at the NSW Civil and Administrative Tribunal (NCAT). More information on external reviews is provided below.

We will follow the Privacy Commissioner’s Internal Review Checklist (available at ipc.nsw.gov.au) and consider any relevant material submitted by you and/or the Privacy Commissioner.

You will be informed of the outcome within 14 days of the internal review being decided, including:

• the findings of the review
• the reasons for those findings
• the action Department of Customer Service proposes to take
• the reasons for the proposed action (or no action), and
• your entitlement to have the findings and the reasons for the findings reviewed by NCAT.

Making a complaint

If you believe that we have not met our privacy obligations in our handling of your personal information, you may lodge a complaint by contacting our Privacy Officer.

If we do not resolve your privacy complaint to your satisfaction, you may lodge a complaint with the IPC by calling 1800 472 679, making a complaint online at https://www.ipc.nsw.gov.au, or mailing to GPO Box 7011, Sydney NSW 2001.

Privacy Collection Notices

• Compliance Workflow Management Privacy Collection Notice
• Property Tax Privacy Collection Notice 
• Shared Equity Home Buyer Helper Privacy Collection Notice
• Unclaimed Money - Enterprise Privacy Collection Notice
• Work and Development Order Privacy Collection Notice