This Privacy Management Plan is intended to be read online; links to websites have been provided.
This Privacy Management Plan (PMP) explains how Revenue NSW manages personal and health information in accordance with NSW privacy laws. This includes:
We use this PMP to train our staff in handling personal and health information through mandatory training rolled out to all staff. We also use it for developing policies and procedures to ensure our compliance with privacy laws.
Section 33 of the PPIP Act requires agencies to have a privacy management plan (PMP). Our PMP sets out Revenue NSW’s commitment to respecting the privacy rights of clients, employees and members of the public. The
This PMP is aligned with the Department of Customer Service (DCS) Privacy Management Plan and associated Privacy Framework. All these plans take guidance from the Information Privacy Commissioner and the Privacy Governance Framework.
Revenue NSW is exempt from some IPPs and HPPs, primarily for the purpose of revenue protection.
The following terms are used in this PMP:
Agency – a ‘public sector agency’, as defined in section 3 of the PPIP Act.
Business unit – a work unit performing a discrete business function. Multiple business units make up divisions.
Collection (of personal information) – the way in which Revenue NSW acquires personal or health information, which can include a written or online form, a verbal conversation, a voice recording, or a photograph.
Disclosure (of personal information) – occurs when Revenue NSW makes known to an individual or entity personal or health information not previously known to them.
Division – a broad business area within DCS, often comprised of multiple business units. There are five divisions in DCS: Service NSW, Customer, Delivery and Transformation, Better Regulation, Digital and ICT, and Corporate Services.
Functions – as defined in section 3 of the PPIP Act, a function includes a power, authority or duty of a public sector agency.
Exemptions from compliance with Information Protection Principles (IPPs) – general, specific and other exemptions are provided both within the principles and under Division 2 and Division 3 of Part 2 of the PPIP Act.
Health information – section 6 of the HRIP Act:
Investigative agencies – any of the following: the NSW Ombudsman’s office, the Independent Commission Against Corruption (ICAC) or the ICAC Inspector, the Law Enforcement Conduct Commission (LECC) or the LECC Inspector and any staff of the Inspector, the Health Care Complaints Commission, the Office of the Legal Services Commissioner, and Inspector of Custodial Services.
Law enforcement agencies – any of the following: the NSW Police Force or the police force of another State or Territory, the NSW Crime Commission, the Australian Federal Police, the Australian Crime Commission, the Director of Public Prosecutions of NSW or another State or Territory or of the Commonwealth, Department of Justice, Office of the Sheriff of NSW.
Personal information – information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
Personal information includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics (section 4(2) of the PPIP Act).
Personal information can be information that identifies you, and may include:
Exclusions to the definition of personal information are contained in s4(3) of the PPIP Act and include health information (see the definition at s4 PPIP Act and s4(3) PPIP Act and s5 of the HRIP Act).
Privacy principles – the Information Protection Principles set out in Division 1 of Part 2 of the PPIP Act and Health Principles set out in Schedule 1 of the HRIP Act. The privacy principles set out the minimum standards for all NSW public sector agencies when handling personal and health information. Within these principles lawful exemptions are provided.
Public register – a register of personal information that is required by law to be, or is made, publicly available or open to public inspection, whether or not upon payment of a fee.
Note: public register exemptions are provided for in clause 7 of the Privacy and Personal Information Protection Regulation 2014.
Privacy obligations – the information privacy principles and any exemptions to those principles that apply to Revenue NSW, which is a public sector agency.
Staff – any person working in a casual, temporary, or permanent capacity in Revenue NSW, including consultants and contractors.
The following abbreviations are used in this PMP:
DCS – the Department of Customer Service.
IPC – Information and Privacy Commission.
PMP – privacy management plan.
PPIP Act – the Privacy and Personal Information Protection Act 1998.
HRIP Act – the Health Records and Information Privacy Act 2002.
GIPA Act – the Government Information (Public Access) Act 2009.
As NSW’s principal revenue management agency, Revenue NSW fairly administers state taxation and revenue for, and on behalf of, the people of NSW. Revenue NSW manages fines and administers grants and subsidies to provide valuable assistance to the community and businesses across NSW. Revenue NSW also recovers debt to provide an equitable outcome for the community and helps to deliver government priorities for a fair, safe and prosperous NSW.
We may collect personal or health information from, or disclose personal or health information to, our stakeholders to do our work. These stakeholders include:
Revenue NSW forms part of the DCS cluster where a strong focus is on improving services and better regulation. The sharing of information between divisions and with other agencies can be vital to this goal. We take privacy seriously and manage your personal and health information with this goal in mind.
We collect and hold personal or health information that allows us to carry out our daily operations. This may include information required to process fine and tax disputes, resolve state tax or fine debt, tax calculations or requests under access to information laws.
The information collected for any DCS function may be used by DCS for a primary or directly related secondary purpose as allowed under legislation. A primary purpose is the clear purpose for which we collect the information from you - for example, when reviewing your application to review a fine. Directly related secondary purposes might include investigations, improvements in customer service, policy and programs, or responding to ministerial enquiries.
We are guided by the DCS Privacy Management Framework to ensure that the disclosure of information by one DCS division to another adheres to the information protection and health privacy principles.
Your personal and health information is always handled in accordance with the privacy laws and principles.
Revenue NSW promotes the principles of the PMP through our executive team, staff and public awareness.
Our Revenue NSW Executive team is committed to transparency and accountability in our compliance with the PPIP Act and the HRIP Act. The Executive team reinforces transparency and compliance with these Acts by:
Revenue NSW ensures its staff is aware of and understands this PMP, particularly how it applies to the work they do. This plan is written in a practical way, so that staff members understand what their privacy obligations are, how to manage personal and health information in their work and what to do if they are unsure. Revenue NSW makes its staff members aware of their privacy obligations by:
The PMP is a guarantee of service to stakeholders on how Revenue NSW manages personal and health information. This plan is easy to access on the Revenue NSW website and easy to understand.
Revenue NSW promotes public awareness of its PMP by:
This plan also sets out how policies and practices are developed to ensure compliance by Revenue NSW with the requirements of privacy legislation. This plan sets out specific elements of our privacy protection framework. Revenue NSW policies and practices are developed by:
Revenue NSW is part of the Department of Customer Service (DCS) cluster and must comply with relevant policies written by the DCS.
The Taxation Administration Act 1996 (TAA) is administered by Revenue NSW and empowers the Chief Commissioner of State Revenue to:
Personal information is protected by PPIPA and HRIPA and by tax legislation containing secrecy provisions. These provisions make any unauthorised disclosure of information obtained in connection with the administration of that legislation an offence. Division 3 of Part 9 of the TAA prohibits the disclosure of personal information obtained under, or in relation to, the administration of a tax law, except in the circumstances and to the third parties named in that division.
Other legislation governs Revenue NSW’s non-taxation functions including Fines, State Debt, the First Home Owner Grant Scheme and Unclaimed Money. Section 117B of the Fines Act 1996 creates an offence for staff of Revenue NSW to disclose personal information other than as provided by the Act.
Revenue NSW engages with key stakeholders when developing new privacy management policies or procedures or amending them in a way that would change how personal and health information is managed, to ensure compliance with the PPIP Act and HRIP Act.
Revenue NSW applies the following policy and framework to ensure compliance with our privacy obligations:
Revenue NSW and the Department of Customer Service (DCS) publish information for staff and customers so they are aware of their obligations and rights:
Customers have the right to:
All employees, agents and contractors of Revenue NSW and our DCS cluster are required to comply with the PPIP Act and HRIP Act. Both Acts contain criminal offence provisions applicable to staff, agents and contractors who use or disclose personal information or health information without authority. It is an offence to:
3.2.1 Privacy Officer
Please contact the Revenue NSW Privacy Officer for further information about this plan, the personal and health information that Revenue NSW holds, or any other concerns. The Privacy Officer, the Principal, Assurance and Review, is responsible for:
You may contact the Privacy Officer for information about:
Contact details are:
GPO Box 4042
Sydney NSW 2001
By email: RNSWprivacy@revenue.nsw.gov.au
As noted above, all employees, agents and contractors of DCS are required to comply with the privacy principles set out in the PPIP Act and HRIP Act, with criminal offence provisions applicable to staff who use or disclose personal information or health information other than in accordance with their lawful functions.
Employees who are suspected of conduct that would breach the privacy principles or the criminal provisions may be disciplined for a breach of the Code of Ethics and Conduct. Suspected criminal conduct may result in dismissal of employment and/or referral to NSW Police.
It is an offence to:
Under the PPIP Act it is a criminal offence, punishable by up to two years’ imprisonment or an $11,000 fine, or both, for any person employed or engaged by DCS (including former employees and contractors) to intentionally use, disclose or offer to supply any personal information or health information about another person, to which the employee or contractor has or had access in the exercise of his or her official functions, except in connection with the lawful exercise of his or her official functions.
Further, it is a criminal offence for a person engaged in administering or executing the following Acts to disclose any personal information obtained by them:
unless the disclosure falls within a permitted exception. A breach of any of these provisions has a maximum penalty of $11,000.
Due to our diverse nature, the type of personal and health information held by Revenue NSW is equally diverse. There are two main categories of personal and health information that we hold or have access to:
To exercise our various functions and activities, we hold personal or health information obtained through a person’s activities within a business unit. The following personal and health information may be collected, depending on the specific needs of Revenue NSW:
The above list is not exhaustive, and we may also hold other personal or health information. We may collect information electronically, via email or over the phone.
Some information is maintained at a local business unit level, or is accessed by business units, for management purposes. This includes storing and using employees’ personal and health information on internal databases for management purposes, case review and training.
Revenue NSW administers state tax legislation, fines legislation, state debt legislation as well as grant and benefits legislation. To ensure we meet our responsibilities to fairly administer this legislation, we use various methods to collect personal and health information. The methods we use to collect information include:
This section explains how we handle personal and health information. The PPIP Act and HRIP Act outline principles for managing personal and health information. These principles apply to all NSW government agencies and regulate the collection, storage, use and disclosure of personal and health information.
There are 12 Information Protection Principles (IPPs) set out in Part 2, Division 1 of the PPIP Act and 15 Health Privacy Principles (HPPs) set out in Schedule 1 of the HRIP Act. The Information and Privacy Commission has issued fact sheets setting out the principles in summary.
We will only collect personal and health information if:
We won’t collect personal information unless we need it for one of our functions. Some of our business units may also liaise with external stakeholders in order to fulfil our functions under legislation. In those instances, we will also seek to access the personal and health information collected by those stakeholders only if it is reasonably necessary for those functions.
Similarly, some Business Units within DCS may obtain personal or health information from other Business Units within the agency where it is necessary to carry out our functions or for directly related secondary purposes authorised by law.
A substantial amount of personal and health information is collected from our staff for the purpose of personnel management. Such information is stored securely by the People and Culture unit and GovConnect, which have a centralised human resources management role. Personal and health information may also be collected directly from the staff member within a division, when it is lawfully authorised and necessary for staff management. For example, minimal health information may be collected by your direct manager for the purpose of making necessary adjustment to allow you to work, or for creation of a return-to-work plan.
These principles state that personal information must only be collected directly from the person the information is about or someone authorised by that person.
The various Business Units within Revenue collect a wide range of information. We collect personal information direct from the person, unless they have authorised otherwise. We collect health information direct from the person, unless it is unreasonable or impracticable to do so. We will obtain some information from others where we are lawfully authorised to do this.
We collect your personal and health information directly from you, unless you have authorised us to do otherwise. However, there are circumstances when information may have been gathered from other sources, including other government agencies, where we are lawfully authorised to do this under a legislative provision or a Privacy Code of Practice.
Different parts of Revenue NSW are required to gather certain personal information to carry out our functions. For example, drivers licence information may be obtained from Roads and Maritime Services, or health information relating to worker’s compensation may be obtained from others, such as insurers and scheme agents. Human resources personnel may need to liaise with an injured staff member’s doctor. We will take what steps are necessary to ensure that collection of such information is done lawfully, such as getting consent from a staff member to contact their treating doctor.
We only obtain personal or health information from another source where it is lawfully authorised. Lawful authorisation may be provided by a specific legislative provision or through a legal instrument such as a Privacy Code of Practice. Provisions authorising collection from another source generally set out the limited circumstances in which the information can be gathered. For example, section 72 of the Taxation Administration Act 1996 allows a person delegated under that Act to serve a notice on any person requiring the production of information, documents or evidence where it is relevant to a possible breach determining a tax liability.
Revenue NSW occasionally participates in community events to support our customers to meet their obligations. During these events, Revenue NSW may collect general information such as the number of visitors to a stall, questions visitors asked, what resources were provided and general demographic information such as gender. Depending on the event, Revenue NSW will collect health information or sensitive personal information about someone. In those cases, the strict collection processes are followed when capturing information from customers face to face.
When collecting personal and health information from you, we will take reasonable steps to tell you:
When collecting health information about you from someone else, we take reasonable steps to tell you these things unless this would pose a serious health threat, or it is in accordance with NSW Privacy Commissioner Guidelines.
We endeavour to ensure all forms across Revenue that collect personal or health information, such as application forms, etc., include clear privacy statements with the above information. We will continue to review and refine the various forms across Revenue NSW to ensure they meet this requirement.
Sometimes information may be collected over the phone or face to face. Staff are trained to ensure they understand the privacy principles. Where appropriate, phone scripts include a privacy statement to ensure staff provide information on the above points to you when they are collecting personal or health information from you.
When we collect personal and health information, we will take reasonable steps to ensure the information we collect is:
We will take reasonable steps to ensure that when we design forms, communicate with members of the public and staff (face to face, over the phone and in writing), or otherwise collect information from you, we do not seek personal or health information that is intrusive or excessive. We will ensure that the personal and health information we do collect is relevant, accurate, up-to-date and complete.
When collecting health information from a third party, we follow the IPC statutory guidelines.
We will also make sure that, should you request it, you can see what information we hold about you and we will correct it as necessary.
We design forms to ensure that only information required to carry out our functions is requested or required from you. We will ensure these privacy principles are built into our contact centres’ policies and practices through staff training and through phone scripts.
We take reasonable security measures to protect personal and health information from loss, unauthorised access, modification, use or disclosure. We ensure personal and health information is stored securely, not kept longer than necessary, and disposed of appropriately.
We consider the security of information to be an important issue and have systems in place to ensure that only authorised people can access information. All employees, including contractors, are required to comply with the DCS Code of Ethics and Conduct. In addition, the PPIP Act has provisions for prosecuting individuals for unlawful disclosure of personal information. Section 308H of the Crimes Act 1900 also makes it an offence to access computerised records for a purpose other than official duties. Unlawful access to information by our employees, agents or contractors will result in disciplinary action, and in some serious cases, in criminal prosecution.
We use technical, physical and administrative actions as well as assessment by independent audit, as security measures to ensure personal and health information is stored securely. Some examples of retention and security measures that we have in place include:
Revenue NSW considers and applies privacy compliance advice when considering and implementing new information management systems and software to ensure any new system complies with the PPIP Act and HRIP Act and will take reasonable steps to address any issues identified and managed.
Access to electronic record-keeping systems is restricted to the appropriate team, branch or business unit, depending on the content, so that only those who need to access your data in order to carry out their functions can do so. Generally, once the data is entered into the secure system, any paper documents are sent for secure destruction to ensure that they cannot be accessed inappropriately.
Some areas maintain paper records, and these are stored either in a secure storage system onsite, such as lockable compactus or filing cabinet, or are sent to the Government Records Repository (GRR). GRR stores information in accordance with the provisions of the State Records Act 1998.
In Business Units that deal with substantial amounts of private or sensitive information, such as human resource units or investigation teams, access to:
We maintain most employees’ personnel files centrally. Case management of injured staff and investigations of workplace incidents are dealt with by the DCS business unit known as People and Culture. Day to day operations of most staff, such as leave requests and payroll, are administered by an outsourced company called GovConnect. An Outsourcing Agreement was developed under the outsourcing program when GovConnect was engaged. It includes contractual arrangements providing that contractors must comply with the Privacy Act 1988 (Cth), the PPIP and HRIP Acts, as well as any other privacy codes and policies in force, to ensure employees’ personal information is protected. Certain employee details are disclosed to GovConnect in order for them to provide the payroll service.
The information held by People and Culture and GovConnect can include salary and payroll tax information, medical information, grievances and investigations, and employment history including disciplinary actions.
Some information is maintained at a local division or business unit level, or is accessed by divisions or business units, for management purposes. This includes storing and using employees’ personal and health information on internal databases for management purposes, case review and training.
Human resource practices and procedures are governed by several pieces of legislation as well as various policies, procedures and guidelines for the public service:
Revenue NSW may use private sector companies, contractors, or other government agencies for services. If these organisations or individuals have or are likely to have access to personal information, Revenue NSW ensures that personal and health information is managed in line with the PPIP Act, HRIP Act and information security policies.
Revenue NSW does this by:
An external entity that may manage or collect personal information on behalf of Revenue NSW includes:
The responsibility for face to face public enquiries rests with Service NSW. Should a customer or stakeholder need to meet a Revenue NSW staff member, all buildings have secure access, requiring visitors to be logged and signed in. This registration captures the visitor’s name, organisation they represent and phone contact.
Revenue NSW owns and maintains the website: www.revenue.nsw.gov.au. This website is used to enable administration of taxes, fines, state debt, grants and benefits. It is used to enable electronic lodgement of information, promote Acts and publish resources to help our stakeholders understand and use the Acts.
Revenue NSW does not publish personal or health information on the website without permission. Website data is stored on secure servers and on securely managed networks.
Once we have confirmed your identity, we will take reasonable steps to let you find out:
We have a broad obligation to the community to be open about how we handle personal and health information. This is different to privacy collection notification (outlined in IPP 4 and HPP 2 above), which is specific, and given at the time of collecting new personal or health information.
The PMP for Revenue NSW is available on our website. The DCS PMP will be available through the DCS website, any appropriate division’s website and by request. These set out the major categories of personal and health information that we hold, explain the privacy obligations, and explain the process for accessing and/or amending any of the personal and health information we hold about you.
Everyone has the right to access the personal and/or health information Revenue NSW holds about them. You can make enquiries at any time to find out if we hold personal or health information about you. Once we have confirmed your identity, you may access your personal and health information without unreasonable delay or expense. We will only refuse access where authorised by law. If requested, we will provide written reasons for any refusal in line with our commitment to be open and transparent.
If you want a copy of your own personal or health information held by Revenue NSW, we will usually be able to provide it to you, free of charge, directly from the appropriate business unit. Sometimes your personal information may need a formal application under the GIPA Act, for example when your personal information contains the personal information of others.
If you are having difficulties accessing your personal or health information, or you wish to make a formal application for information, you can email the Revenue NSW Privacy Officer.
Once we have confirmed your identity, you may update or amend your personal or health information held by us to ensure it is accurate, relevant, up-to-date, complete and not misleading.
Revenue NSW may wish to verify the accuracy of any information you request be amended, such as confirming qualifications with a training provider or information about a bankruptcy with the Bankruptcy Trustee.
In general, any proposed corrections to your personal or health information should be provided in writing so we can verify your identity and keep a record of the correction. You can send any requests for correction of your information directly to the business area you are dealing with or through the Revenue NSW Privacy Officer via email.
Before using personal or health information we take reasonable steps to ensure that the information is relevant, accurate, up-to-date, complete and not misleading.
We ensure the accuracy of the information by collecting it directly from you wherever practicable, or otherwise in accordance with legislation (as set out in IPP 2 and HPP 3 above).
We take such steps as are reasonable in the circumstances to ensure that the information is relevant, accurate, up-to-date, complete and not misleading. This may be achieved through the requirement of supporting documentation or by confirming the information with an outside agency. For example,
This gives you the opportunity to correct the information and allows us to ensure the information is relevant, accurate, up-to-date, complete and not misleading prior to the use of the information.
What might be considered ‘reasonable steps’ will depend upon all the circumstances, but some points to consider for this are:
Note: ‘Use’ is different to ‘disclose’. We use information when we ‘use’ it internally.
We may use personal and health information:
As a general principle, we use the personal and health information we’ve collected only for the purpose for which it was collected. The relevant purpose should have been set out in a privacy notice at the time of collection.
We may also use personal and health information for a directly related secondary purpose. A directly related secondary purpose is a purpose that is very closely related to the primary purpose for collection and would closely align with people’s expectations around the use of their information. For example, information collected for a worker’s compensation claim may be accessed and used to investigate the complaint of an injured worker about the handling of their claim by a worker’s compensation scheme agent. Or information collected by Revenue NSW (or an issuing authority) to issue a fine may be accessed and used to assess a request for review application.
There are several permitted purposes for using health information such as lessening or preventing a serious threat to public safety, managing health services, training, research, etc.
Revenue NSW applies the exception for “lawfully authorised or required” to personal information being used for management of a customer’s matter across different tax, fines or state debt legislation. For example, information collected from fines may be used by us for state debt and tax purposes and vice versa.
Note: ‘Use’ is different to ‘disclose’. We use information when we ‘use’ it internally.
If you are a Revenue NSW employee, your personal and health information will be used within DCS for personnel management, such as salary payments, wellbeing in the workplace, and performance management. You have unlimited access to any of your own personal information that is held by the agency, for example through SAP, MyPerformance, or GovConnect. This includes your payslips, leave balances, MyPerformance comments from your supervisor, timesheets and other types of personal information. Staff are entitled to access their personnel file or any other related human resources or employee safety and wellbeing files that contain their personal or health information.
Some information is maintained at a local level or accessed by Business Units for management purposes. This includes storing and using employees’ personal and health information on internal databases for management purposes, case review and training. You can request access to and amend your personal or health information at any time. This information will be updated without excessive delay.
Note: ‘Disclose’ is different to ‘use’. We disclose information when we provide it to someone outside the agency.
We may disclose your information if:
We may disclose information we are lawfully authorised or required to disclose, such as where a public register is required to be kept by law. See below for more information about exemptions from the IPPs and HPPs and the type of information published on DCS’s public registers.
Other disclosures we make will be appropriately related to the purpose for which the information was collected and/or we will have your consent. We may also disclose personal and health information to secondary service providers, such as consultants or investigators, where it is lawful and necessary for carrying out our functions.
We also disclose personal information to other government agencies where it is lawful. For example, under section 13AA of the Ombudsman Act 1974, the NSW Ombudsman can request information from a public authority and the relevant provisions of the PPIP Act and HRIP Act do not apply to the agency’s response to such a request.
When we are required to disclose information between DCS Divisions or with other public sector agencies, we will do so in accordance with the privacy laws.
We only disclose personal or health information to someone outside NSW, or to a Commonwealth agency, if any of the following applies:
We administer many laws that have equivalent laws in other states and territories. We will therefore liaise with agencies in other parts of Australia when it is lawful and necessary for carrying out our functions, such as verifying a person’s licence status or compliance background in, or for, another state or territory.
As stated in Part 6 of the PPIP Act, a public register is a register of information that is publicly available or open to public inspection. If you hold an authority that is required to be published on a public register, such as a company registration with the Australian Securities and Investments Commission, some of your personal information will be publicly available, such as your name and address.
Revenue NSW administers one public register that may disclose personal information: the Unclaimed Monies Register.
We are also responsible for another public register that is not currently required to disclose personal information: the Register of Insurers.
If you are unsure whether information you have provided to Revenue NSW may appear on a public register, please contact us and we can clarify this for you.
We only disclose personal information kept in the above registers in accordance with what is required or permitted under the relevant laws. If you have any specific concerns about your personal information being on a public register, you can contact our Privacy Officer.
Any request for your information to be suppressed from a public register must be in writing, must provide reasons for the request, and should also include any evidence, such as a copy of a police report or apprehended violence order.
In making any decision to suppress your information, we will balance your rights with the public interest in maintaining public access to the information, in accordance with legal requirements.
We will use statistical information based on the personal information gathered from our customers and staff for analysis, policy formulation, and process and service improvement. If this data is used outside of the business unit which collected it, we ensure it is de-identified so that no person can be recognised through the data.
Sometimes we will publish statistical information on our websites. Whenever this is done, the information is again de-identified. For example, we publish data on the number of speeding fines issued by both the NSW Police and fixed speeding cameras. The number and value of the fines are aggregated, and no names or addresses are included, so that another person looking at the data cannot identify who received the fine.
Disclosing sensitive information (e.g. your ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities) is only allowed with your consent or if there is a serious and imminent threat to a person’s life or health.
Disclosing personal or health information to someone outside of NSW, or to a Commonwealth agency, is only permitted in limited circumstances as set out in the legislation.
We make every effort to minimise the amount of information we collect about your ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities. Where this information is collected, it is treated with the highest protection wherever possible.
We may only assign identifiers (e.g. a number) to an individual’s health information if it is reasonably necessary. We must not include health information in a health records linkage system without your consent.
Health information is generally only collected by our Client Services: Taxes and Grants, Client Services: Fines and Debt, Technical and Advisory Services and People and Culture business areas. DCS have their own privacy management plans which provide more detail about how health information is stored and identified from People and Culture.
People and Culture may collect health information in order to manage cases of injured staff and to investigate workplace incidents. Where health information has been gathered to case manage an injured staff member, it is not given a separate identifier but kept against the relevant employee’s injury management record. Where the information has been gathered as part of an investigation of a workplace incident, the information is held against the investigation file, and not given any separate identifier. People and Culture have no linkages to any health records systems.
Other business units may inadvertently collect health information, even though it is not sought. For example, a person’s medical condition may be disclosed to Revenue NSW during an internal review of a traffic fine to explain why the person was not at fault for the offence or there were mitigating circumstances. When this sort of information is collected, it is not given any separate identifier and is not included in any health records linkage system.
The IPPs and HPPs do not apply in certain situations or to certain information collected. Some of the key situations where collection, use or disclosure of information is exempted from the compliance with certain IPPs and HPPs include:
For example, Section 117A of the Fines Act 1996 provides that personal information may be disclosed to an agency referred to under the Act only if the disclosure is reasonably necessary to monitor the status of outstanding fines.
The subsequent use of any personal information disclosed by Revenue NSW may be constrained by the PPIP Act or the privacy laws of other jurisdictions, for example, the Privacy Act 1988 (Commonwealth) and the Information Privacy Act 2000 (Victoria).
To access or amend your personal and/or health information, simply contact Revenue NSW with your request. Please contact the business area you are working with. If you are unsure, email the Revenue NSW Privacy Officer.
With an informal application, there is no need to put a request in writing. If necessary, you will be asked to verify your identity or, if applicable, make a formal application instead. Revenue NSW aims to respond to informal requests within five working days.
After making your request, you will be informed if your request is likely to take longer than expected. You will be contacted to advise you of the outcome of the request. In some cases, particularly if it is sensitive information, you may be asked to make a formal application. If you are not happy with the outcome of your informal request, you can submit a formal application.
You can make a formal application at any time, without first making an informal request. Address your formal application to the Privacy Officer by email or post (see 3.4 Privacy Contact Details).
The application should:
Revenue NSW responds in writing to formal applications within 20 working days. We will contact you if your request is likely to take longer than expected.
If you believe Revenue NSW is taking an unreasonable amount of time to respond to your application for personal information, you are encouraged to contact the IPC to ask for an update or time frame.
If Revenue NSW decides not to give access to or amend your personal or health information, the reason will be clearly explained to you in writing or over the telephone. You also have the right to make a formal application to access information under the GIPA Act. For more information, please refer to the Revenue NSW website.
The PPIP Act and the HRIP Act give people the right to access their own information; the Acts generally do not give people the right to access someone else’s information. However, section 26 of the PPIP Act allows a person to give consent for Revenue NSW to disclose his or her personal information to someone else who would not normally have access to it. Likewise, under sections 7 and 8 of the HRIP Act, an ‘authorised person’ can act on behalf of someone else. The Health Privacy Principles (HPPs) also contain information regarding other reasons Revenue NSW may be authorised to disclose health information, such as in the event of a serious and imminent threat to the life, health and safety of the individual, in order to help find a missing person, or for compassionate reasons. If none of the above scenarios is relevant, a third party can consider making an application for access to government information under the GIPA Act.
If you believe there is a potential data breach, please advise the Revenue NSW Privacy Officer.
Revenue NSW will follow an approved process to manage any breach, following the four key steps in responding to a data breach:
If you believe your privacy has been breached through actions by Revenue NSW, you can apply for an internal review of the conduct that led to the breach. If you decide to lodge a request for a privacy internal review, please complete the IPC application for an internal review and lodge it with the Revenue NSW Privacy Officer (see the contact details above).
The DCS Privacy Officer will conduct the internal review unless the internal review is about the conduct of the Privacy Officer. In this case, the Revenue NSW Deputy Secretary will appoint someone else within DCS to conduct the internal review. DCS aims to:
The DCS Privacy Officer will inform you of the progress of the internal review and if it is likely to take longer than first expected. You can expect the DCS Privacy Officer to respond to you in writing within 14 calendar days of deciding the outcome of the internal review. This is a requirement under section 53(8) of the PPIP Act. If you disagree with the outcome of the internal review or are not notified of an outcome within 60 calendar days, you have the right to seek an external review.
Please keep in mind that you have six months from when you first became aware of the potential breach to seek an internal review. This six-month time frame continues to apply even if attempts are being made to resolve privacy concerns informally. Please consider this time frame when deciding whether to make a formal request for internal review or continue with informal resolution.
If you believe that we have not met our privacy obligations in our handling of your personal information, you may lodge a complaint by contacting our Revenue NSW Privacy Officer at Revenue NSW.
If we do not resolve your privacy complaint to your satisfaction, you may lodge a complaint with the Privacy Commissioner by calling them on 1800 472 679, making a complaint online at https://www.ipc.nsw.gov.au, or writing to them at GPO Box 7011, Sydney NSW 2001.
If you are unhappy with the outcome of the internal review conducted by the DCS Privacy Officer, or do not receive an outcome within 60 days, you have the right to seek an external review by the NSW Civil and Administrative Tribunal (NCAT). You have 28 calendar days from the date of the internal review decision to seek an external review under Section 53 of the Administrative Decisions Review Act 1997 (NSW). To request an external review, you must apply directly to the NCAT, which has the power to make binding decisions on an external review.
To apply for an external review or to obtain more information about seeking an external review, including current forms and fees, please contact the NCAT:
Phone: (02) 9377 5711
Visit/post: Level 9, John Maddison Tower, 86-90 Goulburn Street, Sydney NSW 2000
The NCAT cannot give legal advice; however, the NCAT website has general information about the process it follows and legal representation.
Revenue NSW welcomes the opportunity to discuss any privacy issues you may have. You are encouraged to try to resolve privacy issues with Revenue NSW informally before lodging an internal review. You can raise your concerns with Revenue NSW by:
You have the right to make a public interest disclosure (PID) to the Information Commissioner about potential breaches of the GIPA Act by government agencies. The Information Commissioner and the Assistant Director Legal Counsel and Regulatory Advice (ADLCRA) are generally the only staff members in the IPC office who have access to and deal with public interest disclosures. PID files are locked in secure cupboards and electronic files and access to the information is restricted on a need-to-know basis.
Generally, the IPC does not disclose the identity of the complainant to anyone, including the agency against which the public interest disclosure was made. Sometimes, however, it may be difficult to properly investigate the disclosure without disclosing the identity of the complainant. In these cases, the Information Commissioner or the ADLCRA will speak with the complainant about courses of action.