New South Wales Consolidated Acts
PRIVACY AND PERSONAL INFORMATION PROTECTION ACT 1998
- As at 24 October 2024
- Act 133 of 1998
TABLE OF PROVISIONS
Long Title
PART 1 - PRELIMINARY
1. Name of Act
2. Commencement
3. Definitions
4. Definition of "personal information"
4A. Exclusion of health information from definition of "personal information"
4B. Regulations may declare whether agency is part of or separate from a public sector agency
5. Government Information (Public Access) Act 2009 not affected
6. Courts, tribunals and Royal Commissions not affected
7. Crown bound by Act
PART 2 - INFORMATION PROTECTION PRINCIPLES
Division 1 - Principles
8. Collection of personal information for lawful purposes
9. Collection of personal information directly from individual
10. Requirements when collecting personal information
11. Other requirements relating to collection of personal information
12. Retention and security of personal information
13. Information about personal information held by agencies
14. Access to personal information held by agencies
15. Alteration of personal information
16. Agency must check accuracy of personal information before use
17. Limits on use of personal information
18. Limits on disclosure of personal information
19. Special restrictions on disclosure of personal information
Division 2 - General provisions relating to principles
20. General application of information protection principles to public sector agencies
21. Agencies to comply with principles
Division 3 - Specific exemptions from principles
22. Operation of Division
23. Exemptions relating to law enforcement and related matters
23A. Exemptions relating to ASIO
24. Exemptions relating to investigative agencies
25. Exemptions where non-compliance is lawfully authorised or required
26. Other exemptions where non-compliance would benefit the individual concerned
27. Specific exemptions for certain law enforcement agencies
27A. Exemptions relating to information exchanges between public sector agencies
27B. Exemptions relating to research
27C. Exemptions relating to credit information
27D. Exemptions relating to emergency situations
28. Other exemptions
PART 3 - PRIVACY CODES OF PRACTICE AND MANAGEMENT PLANS
Division 1 - Privacy codes of practice
29. Operation of privacy codes of practice
30. Modification of information protection principles
31. Preparation and making of privacy codes of practice
32. Agencies to comply with privacy codes of practice
Division 2 - Privacy management plans
33. Preparation and implementation of privacy management plans
PART 4 - PRIVACY COMMISSIONER
Division 1 - Appointment of Privacy Commissioner
34. Appointment of Privacy Commissioner
35. Veto of proposed appointment of Privacy Commissioner
35A. Remuneration
35B. Vacancy in office
35C. Removal from office
35D. Filling of vacancy
35E. Privacy Commissioner a statutory officer and not Public Service employee
35F. Appointment of acting Privacy Commissioner
35G. Staff of Privacy Commissioner
35H. Delegation
Division 2 - Functions of Privacy Commissioner
36. General functions
37. Requirement to give information
38. Inquiries and investigations
39. General procedure for inquiries and investigations
40. Personal information digest
41. Exempting agencies from complying with principles and codes
42. Information about compliance arrangements
43. Disclosure of Cabinet or Executive Council information
44. (Repealed)
44A. Oversight of functions by Joint Committee
Division 3 - Complaints relating to privacy
45. Making of privacy related complaints
46. Preliminary assessment of privacy related complaints
47. Referring privacy related complaints to other authorities
48. Dealing with privacy related complaints
49. Resolution of privacy related complaints by conciliation
50. Reports and recommendations of Privacy Commissioner
51. Effect of dealing with privacy related complaints under this Division
PART 5 - REVIEW OF CERTAIN CONDUCT
52. Application of Part
53. Internal review by public sector agencies
54. Role of Privacy Commissioner in internal review process
55. Administrative review of conduct by Tribunal
56. (Repealed)
PART 6 - PUBLIC REGISTERS
56A. Personal information includes health information
57. Disclosure of personal information contained in public registers
58. Suppression of personal information
59. Provisions of this Part prevail
PART 6A - MANDATORY NOTIFICATION OF DATA BREACHES
Division 1 - Preliminary
59A. Definitions
59B. Personal information includes health information
59C. Meaning of information "held" by public sector agency for Part
59D. Meaning of eligible data breach and affected individual
Division 2 - Assessment of data breaches
59E. Requirements for public sector agency
59F. Mitigation of harm
59G. Assessors
59H. Assessment of data breach - factors for consideration
59I. Guidelines about process for assessing data breach
59J. Decision about data breach
59K. Extension of assessment period by head of public sector agency
Division 3 - Notification of data breaches to Privacy Commissioner
Subdivision 1 - Application
59L. Application of Division
Subdivision 2 - Immediate notification to Privacy Commissioner
59M. Public sector agencies must immediately notify eligible data breach
Subdivision 3 - Notification of eligible data breach
59N. Public sector agencies must notify certain individuals
59O. Information to be notified to certain individuals
59P. Public notification
Subdivision 4 - Other matters for notification
59Q. Further information to be provided to the Privacy Commissioner
59R. Collecting, using and disclosing information for notification
Division 4 - Exemptions from certain requirements for an eligible data breach
59S. Exemption for eligible data breaches of multiple public sector agencies
59T. Exemption relating to ongoing investigations and certain proceedings
59U. Exemption if public sector agency has taken certain action
59V. Exemption if inconsistent with secrecy provisions
59W. Exemption if serious risk of harm to health and safety
59X. Exemption for compromised cyber security
Division 5 - Powers of Privacy Commissioner
59Y. Privacy Commissioner may make directions and recommendations
59Z. Investigation and monitoring
59ZA. Access to premises to observe systems, policies and procedures
59ZB. Reports
59ZC. Process applying before publication of particular reports
Division 6 - Other requirements for public sector agencies
59ZD. Public sector agency to publish data breach policy
59ZE. Eligible data breach incident register
Division 7 - Miscellaneous
59ZF. Exemption for Privacy Commissioner from certain principles
59ZG. Exemption for Cyber Security NSW from certain principles
59ZH. Approval of forms
59ZI. Privacy Commissioner may make guidelines
59ZJ. Delegation by head of public sector agency
PART 7 - INFORMATION AND PRIVACY ADVISORY COMMITTEE
60. Establishment of Information and Privacy Advisory Committee
61. Functions of Information and Privacy Advisory Committee
PART 7A - REPORTS BY PRIVACY COMMISSIONER
61A. Annual report
61B. Report on operation of Act
61C. Special report to Parliament
61D. Procedure for reporting
PART 8 - MISCELLANEOUS
62. Corrupt disclosure and use of personal information by public sector officials
63. Offering to supply personal information that has been disclosed unlawfully
64, 65. (Repealed)
66. Personal liability of Privacy Commissioner and others
66A. Protection from liability
66B. Fees
67. Disclosure by Privacy Commissioner or staff member
68. Offences relating to dealings with Privacy Commissioner
69. Legal rights not affected
70. Proceedings for offences
71. Regulations
72. (Repealed)
73. Repeal of Privacy Committee Act 1975 No 37
74. Savings, transitional and other provisions
75. Review of Act
Schedule 1 (Repealed)
SCHEDULE 2
Schedule 3 (Repealed)
SCHEDULE 4