Australian privacy laws are complex with Commonwealth and State privacy legislation to be considered whenever a privacy breach occurs. Stephens Lawyers & Consultants’ ‘Privacy Breaches in N.S.W. – Information Sheet’ provides information on N.S.W. privacy laws.
Privacy Breaches in New South Wales – Information Sheet
Privacy breaches in New South Wales (NSW) involving an individual’s personal and medical/health information can result in psychological and physical damage and financial losses. An individual affected by privacy breach may be able to seek compensation and other remedies (including an apology) from the organisation responsible for the breach either under the NSW privacy laws or the Commonwealth Privacy Act. An individual may also have claims for the information privacy breach based on breach of contract, negligence and/or contravention of the Australian Consumer Law.
A. NSW Privacy Laws
The Information and Privacy Commission of New South Wales (the ‘NSW Privacy Commissioner’)[i] is the independent statutory authority responsible for administering the State privacy laws and regulations, namely:
1. The Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) – protects personal information and applies to NSW public sector agencies, including government agencies, local councils and universities, which collect, store and use personal information.
2. The Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) – protects health information and applies to:-
a) NSW public sector agencies (i.e. government agencies, local councils and universities) which collect, store and use health information;
b) public and private health sector organisations (such as private and public hospitals and medical centres);
c) health service providers (such as a GP, dentist, optometrist); and
d) businesses with a turnover of more than $3 million that hold health information.
What type of information is involved?
A privacy breach complaint in New South Wales must involve an individual’s personal or health information.
‘Personal information’ (which is defined in Sec 4 of the PPIP Act and Sec 5 of the HRIP Act) is any information or an opinion which may or may not be recorded in a material form (e.g. in a database or written notes) and can also include:-
- a person’s name, address and other personal details,
- photographs, images, video or audio footage of individuals, and
- a person’s fingerprints, blood or DNA samples.
‘Health information’ (which is defined in Sec 6 of the HRIP Act) is a specific form of personal information or opinion concerning health related matters about an individual and extends to a wide range of health information or opinions including where it is:
- about an individual’s physical or mental health or disability;
- about a health service provided or to be provided to a person;
- collected to provide a health service;
- genetic information about an individual arising from a provided health service, or
- an individual’s healthcare identifiers (such as a number assigned to individuals and their healthcare providers).
B. Making a Privacy Breach Complaint in N.S.W.
In New South Wales (NSW), if an individual believes that there has been a privacy breach by a NSW public sector agency, organisation or business which involves the misuse of their personal and/or health information, the individual can:-
a) Make a complaint and seek an internal review by the NSW public sector agency/organisation that is responsible for the privacy breach. The NSW Privacy Commissioner is required to be kept informed of the process and result of the internal review. An internal review should be completed within 60 days after a request is made;
b) Make a complaint to the NSW Privacy Commissioner who may accept the complaint and seek to resolve the complaint by resolution or conciliation between the parties. The Privacy Commissioner may also provide a written report on the Commissioner’s findings about the complaint. The NSW Privacy Commissioner is unlikely to accept a privacy breach complaint against a NSW public sector agency where the individual has not first sought an internal review by that agency. Any complaint to the NSW Privacy Commissioner in respect of a privacy breach must be made within 6 months from the date that the individual first became aware of the privacy breach;
c) Apply to the NSW Civil and Administrative Tribunal (the ‘NCAT’) for a review of the findings of any internal review or the Privacy Commissioner findings for the privacy breach. Any application to the NCAT for a review of a finding must be made within 28 days of receiving findings sought to be reviewed.
If an individual’s complaint involves health information and is against a NSW private health provider or organisation with a turnover of over $3 million, the individual can make a complaint to the NSW Privacy Commissioner within 6 months from first becoming aware of the breach. Alternatively, the individual may choose to make a complaint to the Office of the Australian Privacy Commissioner (OAIC) under the Privacy Act 1988 (Cth), in which case the complaint must be made within 12 months from first becoming aware of the breach. A privacy breach complaint and internal review by the NSW private health provider or organisation responsible for the breach should be sought first.
C. Compensation and Other Remedies for Privacy Breach in N.S.W.
The NSW Civil and Administrative Tribunal (NCAT) may award compensation for loss or damage (financial, psychological, and physical[ii]) suffered as a direct result of the privacy breach. However, there are statutory financial limits to the amount of compensation which may be awarded by NCAT[iii] as well as time limits for lodging claims for compensation[iv]. This can be a complex area to navigate and expert legal advice should be obtained.
The maximum amount of financial compensation which may be awarded by NCAT for privacy breach is set out in the applicable legislation[v] and is currently:-
- In the case of a privacy breach by a public sector agency involving personal or health information: up to $40,000;
- In the case of a privacy breach by a private sector organisation (which is a body corporate) involving health information: up to $40,000; or
- In the case of a privacy breach by a private sector individual or person(s) (e.g. a doctor/GP) involving health information: up to $10,000.
In addition to awarding compensation, NCAT may also order[vi]:
- An apology.
- A requirement that the agency/organisation adopts and takes particular steps and measures to remedy any damage arising from the privacy breach.
- A requirement that the agency/organisation reviews its privacy/information handling policies, practices and procedures to ensure it won’t happen again.
Some things to consider before making a privacy breach complaint
There are a number of options available to an individual seeking a resolution or compensation for their privacy breach complaint, the selection of which depends on a consideration of various factors including:-
- the type of information involved – that is, is it personal information or health information;
- whether the complaint is against a NSW public sector agency;
- whether the complaint is against a health organisation or health service provider or a larger size business which holds health information;
- whether the complaint is against a Commonwealth Government public agency or a private sector organisation or business to which the NSW privacy laws do not apply, in which case the Privacy Act 1988 (Cth) may apply. To read Stephens Lawyers & Consultants’ article titled ‘Compensation and Penalties for Privacy Data Breaches under the Privacy Act 1988 (Cth)’, see here.
Privacy law can be complex. If a breach of privacy complaint cannot be resolved with the agency/organisation/party responsible for the breach, advice from a privacy law expert should be obtained as to the best options for the resolution of the privacy breach complaint.
Authored by Rochina Iannella, Lawyer, Stephens Lawyers & Consultants
© Stephens Lawyers & Consultants, December, 2021; Updated April 2023
This information sheet is not intended to be a substitute for obtaining legal advice.
For further information contact:
Stephens Lawyers & Consultants
Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
Email: [email protected]
All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007
[i] For more information and guidance about the New South Wales privacy laws see the website of the Information and Privacy Commission of New South Wales – https://www.ipc.nsw.gov.au/
[ii] Sec 55(4)(b) of the Privacy and Personal Information Protection Act 1998 (NSW) and Sec 54(2)(b) of the Health Records and Information Privacy Act 2002 (NSW)
[iii] For the current financial limits to the amount of compensation which may be awarded by NCAT See Sec 55(2)(a) of the Privacy and Personal Information Protection Act 1998 (NSW) and Sec 54(1)(a) of the Health Records and Information Privacy Act 2002 (NSW)
[iv] NSW Information and Privacy Commission webpage https://www.ipc.nsw.gov.au/privacy/citizens/privacy-reviews
[v] For the current financial limits to the amount of compensation which may be awarded by NCAT see Sec 55(2)(a) of the Privacy and Personal Information Protection Act 1998 (NSW), which currently states that the Tribunal may make an order “…requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct”; and Sec 54(1)(a) of the Health Records and Information Privacy Act 2002 (NSW), which currently states that the Tribunal may make “…an order requiring the respondent to pay to the complainant damages not exceeding $40,000 if the respondent is a body corporate, or not exceeding $10,000 in any other case, by way of compensation for any loss or damage suffered by reason of the respondent’s conduct”.
[vi] For the types of orders which NCAT may make see Sec 55(2) of the Privacy and Personal Information Protection Act 1998 (NSW) and Sec 54(1)(a) of the Health Records and Information Privacy Act 2002 (NSW)