Contents

1. Introduction

2. Personal Information

3. Main Classes of Information Held by the Department

4. Information Protection Principles

5. Privacy Codes of Practice

6. Current Policies and Law Relating to Information

7. Other Considerations

8. Public Registers

9. Internal and External Review Processes

10. Dissemination of Policies – Training

11. External Service Providers

12. Strategies for Compliance

12.1.1. Assessment of Current Practices

12.1.2. Collection

12.1.3. Storage

12.1.4. Use

12.1.5. Disclosure

12.1.6. Internal Review

12.1.7. Public Registers

13. Appendices:

A. Main Types of Information Held by Department

B. Summary of Information Protection Principles and Relevant Exceptions

C. Legislation Affecting Processing of Information

D. Policies Affecting Processing of Information

E. Internal review Procedure

1.1. This Privacy Management Plan is a plan for the Department’s compliance with the principles and requirements of the Privacy and Personal Information Protection Act 1998 (“the Act”). The Act requires each “public sector agency” to prepare and implement a Privacy Management Plan by 30 June 2000.

1.2. This plan is drafted in a way which takes account of the diverse range of functions of the Department’s various cost centres. It aims to give officers in Department cost centres dealing with personal information guidance on the requirements of the Act, strategies for compliance with those requirements and to set down some procedures which can be adopted by the Department to eliminate or reduce the risk of non compliance.

2.1. The Act is concerned with “personal information”. This is defined in the Act as being “any information or opinion about a person whose identity is apparent or can be reasonably ascertained from the information or opinion”. The information does not have to clearly identify a person. It need only provide sufficient information to lead to the identification of a person. It is not limited to confidential or sensitive personal details. It covers information held in paper or electronic records and may even extend to body samples or biometric data.

2.2. While the definition of “personal information” is very broad, there are some important exceptions to the definition. The exceptions which are most relevant to the Department are:

2.3. These exceptions do not interfere with the confidentiality or sensitivity of these types of information and exemption from the requirements of the Act does not mean that other policy or statutory requirements, such as the confidentiality of Cabinet documents, should be disregarded.

3.1. Given the diversity of functions within the Department, the range of holdings of personal information is wide. A list of cost centres and program functions within the Department is contained in Appendix A. A list of types of information held by the Department together with some notes on particular issues relevant to types of holdings is found at Appendix B. Although not a Department cost centre, the Minister’s Office deals with a large range of information which will, to varying degrees, be covered by the Act.

4.1. The protections provided by the Act are based on 12 Information Protection Principles set out in the Act. They cover collection, storage, use and disclosure of personal information. Many of the principles only require that “reasonable” steps be taken having regard to the circumstances. Factors which will determine the “reasonableness’ of steps to be taken will include the sensitivity of the information, the possible uses of the information, the context in which it was obtained and the financial and practical effects of strategies for compliance on the continued ability of the cost centre to perform its legitimate functions.

4.2. The Act also contains a number of exceptions to the operation of the principles. A summary of the Information Protection Principles together with a summary of the exceptions to the principles which are relevant to the Department is set out at Appendix C. Officers are alerted to the need to consult the full text of the principles as they appear in the Act or in the Privacy NSW publication “ A Guide to the Information Protection Principles”. A copy of that publication has been provided to each cost centre in the Department.

5.1. Privacy Codes of Practice as provided for in the Act are statements of how a public sector agency proposes to depart from the Information Protection Principles or public register provisions of the Act.

5.2. Currently the only proposal for the Department to make a Privacy Code of Practice is in relation to the Bureau of Crime Statistics and Research. However, cost centre managers are directed to monitor their cost centre’s capacity to comply with the principles and to alert senior management to any possible need for a Code of Practice.

6.1. A range of other legislation affects the way the Department processes personal information. Some applies to the Department as a whole and some applies to individual cost centres. In many cases such legislation prohibits disclosure of certain kinds of information except in specified circumstances. On the other hand, some legislation authorises the collection of information in a particular way or the sharing of information with other agencies. A list of such legislation appears at Appendix D. The most wide reaching and comprehensive legislation of this type is the Freedom of Information Act. The Act makes it clear, however, that it is not intended to affect the operation of the Freedom of Information Act.

6.2. There is also a range of departmental and whole of government policies which affect the way in which personal information is dealt with by cost centres. A list of such policies is at Appendix E.

7.1. A number of other considerations, apart from expressed policy and statutory requirements, play a role in the way cost centres deal with personal information. It should be remembered by cost centres that compliance with or exemption from the requirements in the Act will not affect obligations arising under other legislation or under general law principles. Some matters for cost centres to continue to consider are obligations arising under principles of confidentiality, legal professional privilege, privilege for confidential professional communications and public interest immunity.

8.1. Public Registers are defined in the Act as registers containing personal information that are made publicly available or open to public inspection. Some registers are in effect, at least in part, exempted from the requirements in the Act relating to public registers because the information contained in the register falls within one of the exceptions to the definition of “personal information”.

8.2. For example, a register which has, and is authorised to have, its entire contents published in a publicly available publication would not be a public register within the meaning of the Act. See paragraph 2.2 above for a list of the main exceptions to the definition of “personal information”. In addition, if access to a register is given only to specific categories of people rather than to the public at large, then it may be that it is not a public register within the meaning of the Act because it is not “publicly available or open to public inspection”.

8.3. The Department maintains the following registers of information:

§ Register of Births, Deaths and Marriages

§ Roll of Legal Practitioners

§ Roll of Public Notaries

§ Register of Schemes under the Charitable Trusts Act

8.4. The cost centres which administer each of these registers will analyse the public register provisions of the Act and, to the extent to which those provisions apply to those registers, will adopt strategies for compliance with the Act’s requirements in relation to public registers. In summary, those requirements are that:
§ Before disclosing any personal information from a public register, the responsible agency must be sure that the information is to be used for a purpose which is legitimate by reason of its relationship to the purpose of the register or of the legislation under which the register is kept; and

§ Where the agency suppresses, on request, a person’s information from a public register the agency must be satisfied that the safety or well-being of the person will be adversely affected by not suppressing the information and that the suppression is not against the public interest.

8.5. It should be remembered that registers which do not fall within the public register requirements of the Act are still subject to the privacy information principles in the Act.

9.1. People who have complaints about how the Department has dealt with personal information may apply to the Department for “internal review”. Applications for internal review may concern conduct by a cost centre which a person believes:
§ breaches an information protection principle;

§ breaches a code that applies to the department or one of its cost centres; or

§ is an inappropriate disclosure by the Department or one of its cost centres of personal information kept in a public register.

9.2. The Act sets out a number of requirements for the processing of applications for review including time frames, reporting requirements and requirements for advice to people about their rights to internal and external review.

9.3. The Department has developed a procedure for the conduct of internal reviews. A copy of the procedure, which also canvasses external review by the Administrative Decisions Tribunal, is attached at Appendix F.

10.1.The Corporate Development and Training Unit of the Department offers a variety of courses for staff of the Department which provide opportunities for disseminating policies and practices relating to the Department’s privacy obligations. All new staff complete a one day induction course in workplace ethics and privacy obligations. Relevant policies and practices are canvassed in this context. The Corporate Development and Training Unit also runs specialised courses for individual cost centres.

10.2.The Department’s Code of Conduct, issued to all staff, deals with the use and disclosure of information obtained in the course of employment and with the confidentiality obligations of staff who have left the Department.

10.3.All staff have a copy of, or access to, this Privacy Management Plan. Information sessions are to be held on the Plan in each cost centre.

10.4.Training for staff is also supplemented by resources to be accessed when more complex decisions or assessments have to be made. Currently available resources include:

11. External Service Providers

11.1.The Department has contractual arrangements with a range of service providers. These contracts are ongoing and in some cases span a number of years. Some were in existence prior to the commencement of the Act.

11.2.Existing contracts are being reviewed and updated to reflect the obligations of the Department under the Act. New contracts will include appropriate clauses covering compliance issues.

12.1. Assessment of Current Practices
12.1.1. The first step in compliance with the Act and its principles is to assess current practice and procedure. Individual cost centres can do this by:
§ determining which types of information are held, by reference to Appendix B, and identifying the personal information contained in those holdings;

§ determining the functions and purposes of the cost centre by reference to relevant Department program functions and the Business Plan of the cost centre;

§ ascertaining the coverage of the Information Protection Principles and relevant exceptions to the personal information held, initially by reference to Appendix C and paragraph 2.2 above;

§ referring to the current law and policies which already govern the way in which information is processed and ascertaining the policies and procedures adopted in compliance with those laws and policies; and

§ identifying any remaining areas of risk or exposure under applicable Information Protection Principles.

12.1.2. If such areas of risk or exposure are identified then procedures must be adopted in line with or beyond the following general strategies for compliance. If the need for a Privacy Code of Practice is identified, this must be brought to the attention of Senior Management immediately (see paragraph 5 above).

12.1.3. A number of general strategies for compliance with the Information Protection Principles have been identified for adoption by the Department as a whole and for adaptation where necessary by individual cost centres. These strategies have been grouped together below under the Information Protection Principles’ main areas of coverage.

12.2. Collection
12.2.1. Cost centres will review all application forms used to collect personal information from clients or employees to ensure that notification requirements (as per Principle 3) are met and consent to further disclosures is covered where necessary to the operation of the cost centre. The Lawlink website will be similarly posted. Where necessary, interim pamphlets and/or stickers for this purpose will be provided to clients.

12.2.2. All department staff will be notified of programs and policies for monitoring of telephone, e-mail and internet usage.

12.2.3. Staff in cost centres which collect personal information by telephone will be equipped with a form of words to notify clients of matters required by Principle 3 and to obtain consent to further disclosure where necessary. Alternatively, pro forma letters, confirming notification and consent will be forwarded to clients following telephone contact. In addition, where telephone conversations are monitored by recording for quality control and supervision purposes, clients will be advised of this at the outset of the conversation.

12.3. Storage
12.3.1. The Department will further develop and review separate policies for storage of electronic and paper information with reference to the Department’s Security of Information Systems Policy and the Government’s Security of Electronic Information Policy.
12.4. Use
12.4.1. Where information is stored in a computerised database, cost centres will ensure that appropriate descriptions are used to avoid errors or misinterpretation of data and standards are adopted which allow consistent transfer of information between cost centres or agencies within the Department.

12.4.2. Standards will be adopted, with reference to the functions and purposes of the particular cost centre, to ensure personal information is used only for the purposes for which it was collected.

12.4.3. Where information is proposed to be used for research purposes this will be done in accordance with guidelines to be prepared by the Office of the Privacy Commissioner or with a Code of Practice similar to that proposed to be made by the Bureau of Crime Statistics and Research

12.5. Disclosure
12.5.1. Cost centres will develop written procedures to cover the main kinds of personal information staff can be expected to disclose and the authority for such disclosures. Staff with frequent contact with department clients will be given additional training in the application of the Information Protection Principles to disclosure in the context of their cost centre’s functions.

12.5.2. Information disclosed by the Department or any of its cost centres for research purposes will be anonymised.

12.5.3. The Community Relations Division of the Department will, in consultation with the Attorney General’s Office, develop a protocol for the disclosure of personal information by way of Ministerial correspondence. This protocol will take into account the exception contained in section 28(3) of the Act relating to disclosure for the purpose of informing the Minister or the Premier.

12.6. Internal Review
12.6.1. Staff of each cost centre will be made aware through training and Department circulars of the legal rights people have to internal review, and, in particular, what constitutes an internal review and the time limits for processing of internal reviews.

12.6.2. An internal review officer will be appointed for each cost centre and equipped by training and access to advice from the Privacy Commissioner’s Office to deal with issues arising in any complaint.

12.6.3. An officer in the Community Relations Division of the Department will be designated to be notified of each application for internal review and to be responsible for notifying the Privacy Commissioner and compiling statistics on internal review for the Department’s Annual Report.

12.6.4. Individuals will be told about their rights to internal and external review through the inclusion of statements about these rights on forms and notices completed by people providing personal information. The format of such statements will differ between cost centres and as between the information provided and the purpose for which it is provided. However the statement will contain advice that:

§ people have the right of access to, and correction of personal information about them;

§ if they consider that personal information about them is being handled incorrectly, then they may request the Department to undertake an internal review or they may contact the Office of the Privacy Commissioner;

§ time limits apply to the making of applications, complaints and to the handling of internal reviews

12.6.5. Application forms for internal review will be provided to people wishing to apply for internal review. The application form will contain advice about:
§ the range of action that may be taken by the department at the conclusion of the review;

§ the time limits on the review; and

§ the right of appeal to the Administrative Decisions Tribunal

12.7. Public Registers
12.7.1. The cost centres which administer registers of information will analyse the public register provisions of the Act and, to the extent to which those provisions apply to those registers, will adopt strategies for compliance with the Act’s requirements.

Privacy - Appendix A

MAIN TYPES OF PERSONAL INFORMATION HELD BY THE DEPARTMENT

The Department holds a range of information, some of which includes information which falls within the definition of “personal information” under the Privacy and Personal Information Protection Act. The main classes of such information held by the Department and some pertinent matters affecting the way that information should be handled are:

1. Personnel records including:

· Medical assessment records;
· Attendance and leave records;
· Recruitment, appeals, promotion and transfer records;
· Personal employee files and service records;
· Staff registers;
· Counselling and discipline records;
· Performance management and evaluation records;
· Training and apprenticeship records;
· Notices of separation and exit questionnaires;
· Occupational health and safety and workers compensation records; and
· Records of race, sex, marital status and impairments of employees for equal employment opportunity purposes

Personnel records may be held by the Department’s Human Resources Division or by individual cost centres. The Public Sector Personnel Handbook gives detailed directions on handling employee records in accordance with the Act and other relevant legislation.

In particular, Part 6-18 of the Handbook deals with the information required to be collected for approval of a sick leave application. Division 6-18.10 of the Handbook deals with the issue of confidentiality of illness and sets out procedures for those cases where employees do not wish to disclose the nature of an illness. The Department is currently preparing a Management of Sick Leave Absence Policy and Best practice Guidelines. This policy and guidelines will be reviewed to ensure that its directions, particularly on collection and disclosure of personal information, comply with the Information Protection Principles.

Records of disciplinary proceedings which have not resulted in a finding of misconduct should be kept separate from personal files.

Retention and disposal periods for specific classes of employee records are set out in the State Records Authority’s Disposal Schedule – Personnel Records, March 1992.

Records of race, sex, marital status and impairments of employees for equal employment opportunity purposes are used only with the consent of the employees concerned for the identification of relevant opportunities or otherwise disclosed only in statistical form.

2. Administrative records including:

· Vehicle usage;
· Telephone records from particular extensions;
· Network and electronic mail accounts;
· Stored electronic mail messages;
· Internet access and usage; and
· Records of public access to the LawLink website

A large number of administrative records can contain personal information. Most of this information is collected automatically as a result of people using a particular service, eg, vehicles, telephone, email, without any effort being made to identify individuals. The information becomes personal information by virtue of its potential, when accumulated, to create a profile of the activity or conduct of a particular officer or user of the services.

The identification of these kinds of records as containing personal information does not mean that the information cannot be used for the purposes for which it was collected. For example, the reasonable monitoring of telephone and internet usage in accordance with Government policy would not be prevented. However, staff and website users should be made aware of how and why the information is collected and steps should be taken to ensure that the information is only used for the purposes for which it was collected or a directly related purpose.

3. Correspondence and Complaint files

In most cases, cost centres which investigate complaints from members of the public are governed by legislation which provides for particular investigative powers and functions. Particular investigative bodies within the department, eg, the Office of the Legal Services Commissioner and the Anti-Discrimination Board, have particular exemptions from the operation of some of the Information Protection Principles.

By reason of their investigative functions, other cost centres, eg, the Community Relations Division, may also have the benefit of exemptions from some Information Protection Principles when dealing with matters referred to them by an investigative agency or which could be referred to an investigative agency.

Cost centres which handle complaints generally have in place standard complaints handling procedures which are consistent with relevant statutory requirements, the balancing of confidentiality against the right to adequate particulars of the complaint and the separation of active and inactive or closed complaint files.

Ministerial correspondence attracts an exemption from the Information Protection Principles relating to disclosure where personal information is disclosed by one agency to another agency under the administration of the same Minister for the purpose of informing the Minister or disclosure by an agency to an agency under the administration of the Premier for the purpose of informing the Premier.

4. Case files

Courts and tribunals within the Department maintain a separate file for each case. To the extent that the information on each file relates to the exercise of judicial functions, it is exempt from the operation of the Information Protection Principles. However, this exemption does not apply to the administrative functions of the court or tribunal, particularly once the legal action has been finalised.

In addition, records of some court matters will be subject to the spent convictions provisions of the Criminal Records Act or Part VII C of the Commonwealth Crimes Act, or to suppression orders.

5. Transcripts and court and tribunal records

The Court Reporting Branch of the Department maintains taped transcripts of cases before the Supreme and District Courts. Transcripts are made for the benefit of the Court, the parties to the action and other people and organisations with a legitimate interest in the case. Personal information in transcripts may also be covered by suppression orders or non disclosure orders, which can be enforced to prevent access by non parties.

Privacy - Appendix B

SUMMARY OF INFORMATION PRIVACY PRINCIPLES AND RELEVANT EXCEPTIONS

Collection

1.Personal information should be collected lawfully and only when reasonably necessary for the purposes of the agency.

2.Personal information should be collected directly from the person to whom it relates unless that person has authorised collection from someone else or the person is under the age of 16 and the information has been collected from the person’s parent or guardian.

Exceptions to Principle 2:

3.When personal information is collected reasonable steps must be taken to ensure that the person to whom it relates is aware:

· that the information is being collected;
· of the purposes of collection;
· of who will receive the information;
· of whether supply of the information is voluntary and the consequences of a failure to supply the information;
· of the person’s right to access or change the information; and
· of the name and address of the agency collecting and holding the information.

Exceptions to Principle 3:

Storage

4.When personal information has been collected, the agency must take reasonable steps to ensure that the information is relevant to the purpose for which it was collected, not excessive, accurate, up to date, and complete and does not intrude to an unreasonable extent on the personal affairs of the person to whom it relates.

5.When personal information is held by an agency, it must ensure that the information is:

· kept no longer than is necessary for the purposes for which it is collected;
· disposed of securely when no longer needed;
· protected against loss and unauthorised use or dissemination by reasonable security safeguards; and
· similarly protected if, of necessity, transferred to a person in connection with the provision of a service to the agency, eg, a contractor or consultant.

Exception to Principle 5:

6.When personal information is held by an agency, it must take reasonable steps to enable any person to ascertain:

· whether the agency holds personal information in relation to the person; and
· the nature, main purposes of holding and how the person may gain access to the information.

Exception to Principle 6:

7 When an agency holds information about a person it must, on request of the person, provide the person with access to the information without excessive delay or expense.

Exception to principle 7:

8.When an agency holds information about a person it must, at the request of the person, make appropriate amendments to ensure the information is accurate, up to date, relevant, complete and not misleading.

Exception to Principle 8:

Use

9.An agency must not use personal information held by it without taking reasonable steps to ensure that the information is relevant, accurate, up to date, complete and not misleading.

10.An agency must not use personal information other than for the purpose for which it was collected unless:

· the person who is the subject of the information consents;
· the other purpose is directly related to the original purpose; or
· the use of the information for the other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the person or of another person.

Exception to Principle 10:

Disclosure

11.An agency must not disclose personal information to another body, including another public sector agency, unless:

· the purpose of the disclosure is directly related to the purpose for which the information was collected;
· the person concerned is reasonably likely to be aware, or has been made aware, that information of that kind is usually disclosed to the body; or
· the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the person concerned.

Exceptions to Principle 11:

12.An agency should only disclose personal information relating to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership if disclosure is necessary to prevent or lessen a serious and imminent threat to the person’s life or health or that of another person.

Exceptions to Principle 12:

Privacy - Appendix C

LEGISLATION AFFECTING PROCESSING OF INFORMATION

Legislation with General Application

Crimes Act 1900. Part 6 creates offences for unauthorised obtaining of access to or interference with data in computers. There are higher penalties for accessing certain categories of sensitive government information eg law enforcement information or for alteration or destruction of data.

Criminal Records Act 1991: restricts access to and disclosure of spent and quashed convictions. BOCSAR and the DPP are exempted from restrictions on disclosure.

Freedom of Information Act 1988: deals with applications for access to cost centre documents which may contain personal information and applications for amendment of operational records of information relating to the personal affairs of the applicant. The Act creates an alternative means of accessing personal information but the Department may use limitations and conditions affecting access under the FOI Act when responding to applications for access and correction made under the Privacy and Personal Information Protection Act.

Independent Commission against Corruption Act 1988: defines corrupt conduct in a way which has been found to relate to unauthorised disclosures of information for personal benefit.

Privacy and Personal Information Protection Act 1998: in addition to the requirements covered in this Plan the Act prohibits disclosures of personal information by public sector officers which are not done in accordance with the performance of their official duties. These provisions are primarily directed against corrupt or irregular disclosure of personal information staff may have access to at work and not to inadvertent failure to follow policies and guidelines.

Protected Disclosures Act 1994: the definition of personal information under the Privacy and Personal Information Protection Act excludes information contained in a protected disclosure. This means that a person cannot seek review of the use or disclosure of a protected disclosure or be prosecuted for unauthorised disclosure of protected disclosure information under the Privacy and Personal Information Protection Act. However, the Privacy Management Plan is still able to address strategies for the protection of personal information disclosed under the Protected Disclosures Act.

State Records Act 1998: defines the circumstances under which the Department can dispose of its records and authorises the State Records Authority to establish policies, standards and codes to ensure adequate records management by the Department. Compliance with requests to delete irrelevant, inaccurate, or out-of-date information under section 15 of the PPIP Act appears to override the restrictions on destruction under the State Records Act (section 20(4)).

Legislation Affecting Specific Cost Centres

Anti-Discrimination Act 1977: defines the functions of the Anti-Discrimination Board and the Administrative Decisions Tribunal in dealing with discrimination matters and makes arrangements for sharing information with other jurisdictions. The Act also authorises the collection of information necessary for the preparation of an equal opportunity management plan (which may include special classes of personal information referred to in section 19(1) of the PPIP Act) and gives the Director of Equal Employment Opportunity responsibilities in relation to the oversight of EEO plans.

Births Deaths and Marriages Registration Act 1995: contains comprehensive provisions dealing with the notification and registration of births, adoptions, marriages, changes of name and sex and deaths of persons including notification by third parties, exchanges of information with other jurisdictions, access to the register, searching and unauthorised access and disclosure. It also confers broad discretions on the Registrar to determine access to and disclosure of information held in the register and indexes.

Charitable Trusts Act:1993: sets out procedures for schemes relating to charitable trusts which are approved by the Attorney General and creates a public right to access the register.

Community Justice Centres Act 1983: section 29 of the Act restricts disclosures by staff of the CJC for approved purposes.

Fines Act 1996: Part 8 defines the functions of the State Debt Recovery Office, including its powers to obtain certain information about fine defaulters.

Guardianship Act 1987: defines the functions of the Public Guardian including provisions dealing with the use of medical and health records, consent for disabled persons to participate in clinical trials and disclosure of information.

Imperial Acts Applications Act 1969: authorises the Attorney General to issue commissions of peace appointing Justices of the Peace, and implicitly authorises supervision of justices.

Jury Act 1977 specifies functions for the Sheriff’s Office in compiling and screening jury rolls.

Law Reform Commission Act 1967: creates the New South Wales Law Reform Commission and gives it Royal Commission powers in relation to the collection of information.

Legal Profession Act 1987: defines functions and powers of the Legal Practitioners Admission Board, Legal Profession Advisory Council, and Legal Services Commissioner. The Legal Profession Regulation 1987 authorises the creation and publication of the Register of Practising Legal Practitioners.

Privacy and Personal Information Protection Act 1998: defines the functions of the Privacy Commissioner, his/her powers to obtain information, the investigation of complaints and the disclosure of information by officers of the Privacy Commissioner’s office.

Professional Standards Act 1994: Part 6 of the Act deals with the functions and powers of the Professional Standards Council, including the power to investigate complaints involving members of regulated professions.

Protected Estates Act 1983: defines functions and powers of the Protective Commissioner including powers to collect evidence, consult with relatives of protected persons and exchange information with other jurisdictions.

Public Defenders Act 1995: defines functions of the public defenders.

Sheriff’s Act 1900: may influence by implication some of the information processing functions of the Sheriff’s office.

Victims Compensation Act 1996: section 58 enlarges the power of Victims Services to obtain information about the whereabouts of defendants.

The Courts

The Privacy and Personal Information Protection Act does not relate to the exercise of judicial functions by courts and tribunals. However, it does cover the handling of personal information in the exercise of administrative functions.

District Court Act 1973: Part 3A provides for mediation and neutral evaluation.

Industrial Relations Act 1996: Chapter 4 deals with the constitution of the Industrial Commission and the office of Industrial Registrar. The Industrial Registrar has some administrative responsibilities over other parts of the Act, eg. rules covering the negotiation and approval of enterprise agreements while other parts are administered by the Department of Industrial Relations.

Justices Act 1902: section 73 authorises disclosures to interested parties of criminal judgment information by Local Court registries.

Local Court (Civil Claims) Act 1970: Part 3C provides for mediation and neutral evaluation.

Land and Environment Court Act 1979: administrative functions which are relevant to the Privacy Management Plan include:

· administrative procedures not specifically covered by the Rules;
· inquiries by Commissioners under section 35 of the Act
· mediation and evaluation under Part 5A including the privileges under section 61I and the secrecy provisions of section 61J

Supreme Court Act 1970: relevant administrative functions include:

· administrative procedures not specifically covered by the Rules;
· mediation and neutral evaluation under Part 7B

Statutory Instruments

Privacy Codes of Practice applicable to the Department

The Workforce Profile Code of Practice, covers collection of employee information which is forwarded to the Premier’s Department as part of the Workforce Profile.

Privacy - Appendix D

POLICIES AFFECTING PROCESSING OF INFORMATION

Department Policies

· Code of Conduct reinforces and supplements the requirements of the Act, in particular:
· Part 5 dealing with use and disclosure of information obtained in the course of employment
· Part 13 setting out the confidentiality obligations of staff who have left the Department
· Policy for the Use of Electronic Mail and the Internet
· Information Technology Strategic Plan (draft)
· Security of Information Systems Policy
· Security of Electronic Information

External Policies

The following external documents provide guidance on appropriate ways of collecting, storing, using and disposing of personal information:

NSW Ombudsman’s Office

Ombudsman’s Effective Complaint Handling Guidelines

Office of Information Technology,

IM&T Blueprint Memorandum Number 3.3: Security of Electronic Information available at <http://www.oit.nsw.gov.au>.

Policy and Guidelines for the Use by Staff of Employer Communication Devices

(defines the responsibility of public sector employees in relation to the use of the Internet and electronic mail, available at:

http://www.premiers.nsw.gov.au/publications/pubs_dload/coms_pol/compol.htm

State Records New South Wales

Destruction of Records: A Practical Guide, 1996

General Disposal Authority Administrative Records

(authorises routine disposal of commonly held categories of administrative records in accordance with approved schedules)

(authorises routine disposal of commonly held categories of personnel records in accordance with approved schedules)

Calling Number Display,

(Attachment C Guidelines for Organisations using Caller ID available from the Australian Communications Authority Web site)

<http://www.aca.gov.au/consumer/reports/cnd/index.html>

Guideline Participant Monitoring of Communications, July 1998

(recommends conduct to be followed by organisations which monitor phone calls between employees and clients)

Telephone Information Monitoring Systems, 1983

(establishes principles for recording employee calls. The Guidelines have been identified by Privacy NSW as in need of review to reflect new call recording and billing technology).

Privacy - Appendix E

PRIVACY AND PERSONAL INFORMATION PROTECTION ACT 1998

Procedures For Conducting Internal Reviews

1. Initial Discussions

1.1. The Department has a policy of providing all reasonable assistance to anyone wishing to complain about the Department’s handling of their personal information.

1.2. The assistance will include, in the first instance and where possible, access to and correction of personal information without the need for recourse to formal internal review procedures.

1.3. Where a person, after discussion with the responsible officer, remains concerned or dissatisfied and wishes to proceed with a formal application for internal review the following procedures will be undertaken.

2.1. Advice of the rights of people to internal review is included in all forms issued by the Department which collect personal information. In addition the Department makes available a pamphlet which explains, among other things, people’s rights to internal review.

3.1. Applicants for internal review are assisted in the completion of their applications by the provision of an application form which ensures that all of the information required to constitute an effective application is obtained from the applicant. The form also makes provision for information to be completed by the responsible officer for the purpose of tracking the progress of the internal review to comply with statutory time limits. Specific assistance is also available for people with disabilities and those who require the assistance of an interpreter.

3.2. A copy of the form, which is in the format suggested by the Office of the Privacy Commissioner, is attached.

4.1. In these procedures the term “responsible officer” means an officer within the relevant cost centre who is qualified to deal with the subject matter of the complaint, by reason of the officer’s seniority and experience, and who was not involved in the subject matter of the complaint.

4.2. On receipt of the application for review, the responsible officer will advise the nominated officer in the Community Relation Division of the Department of the application and will, in conjunction with that officer, notify the Privacy Commissioner of the application and keep the Privacy Commissioner informed of the progress of the internal review. A review must be completed as soon as practicably reasonable and if not completed within 60 days from the date of receipt of the application, the applicant has a right to seek a review of the conduct by the Administrative Decisions Tribunal.

4.3. The responsible officer will assess the application to determine whether the review will be undertaken by the Department or whether it will be undertaken by the Privacy Commissioner. Matters which will influence this assessment will include whether the applicant has made a specific request for the review to be undertaken by the Privacy Commissioner or whether review by the Department could reasonably give rise to a perception of conflict or bias. Generally, preference will be given to the review being undertaken by the Department.

4.4. Following assessment, the officer will inform the applicant in writing of the name, position and contact telephone number of the officer conducting the review or of the fact that the review has been referred to the Privacy Commissioner, if applicable. This advice will also include information about the timeframe for completing the review and the range of actions the Department may decide to take in resolving the complaint. These include:

· take no further action;

· make a formal apology;

· take appropriate remedial action, which may include payment of compensation;

· give an undertaking that the conduct will not recur;

· implement measures to prevent recurrence of the conduct.

4.5. The responsible officer will take the following steps in the completion of the review:
§ Assist the applicant to provide all relevant information and documentation in support of the complaint, including the particulars and evidence of the alleged breach and the harm, if any, caused by the alleged breach;

§ Interview relevant staff and examine records and obtain any other pertinent information on the circumstances of the alleged breach;

§ Identify the nature of the breach within the terms of the Privacy and Personal Information Protection Act, that is, whether the alleged conduct breaches an Information Protection Principle, a Code of Practice or a public register provision of the Act;

§ Seek advice from the Office of the Privacy Commissioner, if required;

§ Determine whether a breach has occurred and, if so, what harm or damage it has caused to the applicant;

§ Prepare a report to the cost centre manager and Deputy Director General of the Department setting out the steps taken in the review, the conclusions reached and a recommendation for action to be taken to resolve the complaint. Letters to the applicant and to the Privacy Commissioner will accompany the report advising of:

4.6. The responsible officer will also advise the applicant in writing of the status of the review if the complaint is not resolved within 30 days of the date of the application.

5.1. The nominated officer in the Community Relations Division of the Department will maintain, in secure storage, statistical information on all applications for internal review and the outcomes of those applications for inclusion in the Department’s Annual Report and for the information of the Privacy Commissioner.

6.1. People may apply to the Administrative Decisions Tribunal for a review of the action taken by the Department in conducting its review. The Tribunal may make orders requiring the Department to: