Privacy and Personal Information Protection Act 1998 No 133
Current version for 4 January 2013 to date (accessed 24 May 2013 at 18:16)
Part 2, Division 1

Division 1 Principles

8   Collection of personal information for lawful purposes

(1)  A public sector agency must not collect personal information unless:
(a)  the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and
(b)  the collection of the information is reasonably necessary for that purpose.
(2)  A public sector agency must not collect personal information by any unlawful means.

9   Collection of personal information directly from individual

A public sector agency must, in collecting personal information, collect the information directly from the individual to whom the information relates unless:
(a)  the individual has authorised collection of the information from someone else, or
(b)  in the case of information relating to a person who is under the age of 16 years—the information has been provided by a parent or guardian of the person.

10   Requirements when collecting personal information

If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following:
(a)  the fact that the information is being collected,
(b)  the purposes for which the information is being collected,
(c)  the intended recipients of the information,
(d)  whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided,
(e)  the existence of any right of access to, and correction of, the information,
(f)  the name and address of the agency that is collecting the information and the agency that is to hold the information.

11   Other requirements relating to collection of personal information

If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that:
(a)  the information collected is relevant to that purpose, is not excessive, and is accurate, up to date and complete, and
(b)  the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.

12   Retention and security of personal information

A public sector agency that holds personal information must ensure:
(a)  that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b)  that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
(c)  that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d)  that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.

13   Information about personal information held by agencies

A public sector agency that holds personal information must take such steps as are, in the circumstances, reasonable to enable any person to ascertain:
(a)  whether the agency holds personal information, and
(b)  whether the agency holds personal information relating to that person, and
(c)  if the agency holds personal information relating to that person:
(i)  the nature of that information, and
(ii)  the main purposes for which the information is used, and
(iii)  that person’s entitlement to gain access to the information.

14   Access to personal information held by agencies

A public sector agency that holds personal information must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information.

15   Alteration of personal information

(1)  A public sector agency that holds personal information must, at the request of the individual to whom the information relates, make appropriate amendments (whether by way of corrections, deletions or additions) to ensure that the personal information:
(a)  is accurate, and
(b)  having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading.
(2)  If a public sector agency is not prepared to amend personal information in accordance with a request by the individual to whom the information relates, the agency must, if so requested by the individual concerned, take such steps as are reasonable to attach to the information, in such a manner as is capable of being read with the information, any statement provided by that individual of the amendment sought.
(3)  If personal information is amended in accordance with this section, the individual to whom the information relates is entitled, if it is reasonably practicable, to have recipients of that information notified of the amendments made by the public sector agency.
(4)  This section, and any provision of a privacy code of practice that relates to the requirements set out in this section, apply to public sector agencies despite section 25 of this Act and section 21 of the State Records Act 1998.
(5)  The Privacy Commissioner’s guidelines under section 36 may make provision for or with respect to requests under this section, including the way in which such a request should be made and the time within which such a request should be dealt with.
(6)  In this section (and in any other provision of this Act in connection with the operation of this section), public sector agency includes a Minister and a Minister’s personal staff.

16   Agency must check accuracy of personal information before use

A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.

17   Limits on use of personal information

A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:
(a)  the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b)  the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c)  the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.

18   Limits on disclosure of personal information

(1)  A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:
(a)  the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b)  the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c)  the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
(2)  If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.

19   Special restrictions on disclosure of personal information

(1)  A public sector agency must not disclose personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities unless the disclosure is necessary to prevent a serious and imminent threat to the life or health of the individual concerned or another person.
(2)  A public sector agency that holds personal information must not disclose the information to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless:
(a)  a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction or applies to that Commonwealth agency, or
(b)  the disclosure is permitted under a privacy code of practice.
(3)  For the purposes of subsection (2), a relevant privacy law means a law that is determined by the Privacy Commissioner, by notice published in the Gazette, to be a privacy law for the jurisdiction concerned.
(4)  The Privacy Commissioner is to prepare a code relating to the disclosure of personal information by public sector agencies to persons or bodies outside New South Wales and to Commonwealth agencies.
(5)  Subsection (2) does not apply:
(a)  until after the first anniversary of the commencement of this section, or
(b)  until a code referred to in subsection (4) is made,
      whichever is the later.