SafeWork privacy management plan

The SafeWork NSW Privacy Management Plan explains how SafeWork NSW manages personal and health information in line with New South Wales (NSW) privacy laws.

Why we have a privacy management plan

Given the nature of our work, we handle the personal and/or health information of many people. We take seriously our responsibility to look after your personal and health information and we are bound by law in the way we collect, use, store and release it. To help you understand how we do this, section 33 of the Privacy and Personal Information Protection Act 1998 (PPIP Act) requires that we have this privacy management plan (the plan) available.

Within this plan you will find information about how to access and amend any personal and health information we hold about you, as well as what to do if you think we have breached the PPIP Act or the Health Records and Information Privacy Act 2002 (HRIP Act).

Internally, we use this plan to train our staff in dealing with personal and health information and devising policies and procedures to ensure our compliance with privacy laws.

While we’ve attempted to use plain English throughout the plan to keep it user-friendly, if you’re interested in further research on privacy, there’s plenty more information available on the Information and Privacy Commissioner (IPC) website at www.ipc.nsw.gov.au.

While we hope this plan will answer any of your questions about privacy, please feel free to contact us if you need further assistance.

Part one: About us

General

Who we are

SafeWork NSW is the work health and safety regulator in NSW - a function undertaken by the Secretary, Department of Finance, Services and Innovation (DFSI). It was commenced in 2015 as part of the reforms to the states work health and safety and insurance schemes.

SafeWork NSW falls under the Better Regulation Division of Department of Customer Service and reports to the Minister for Better Regulation and Innovation.

What we do

SafeWork NSW is responsible for securing the health, safety and welfare of workers in NSW. It acts to prevent work‑related injuries, promote the development of healthy and safe workplaces, investigate workplace incidents and assist injured workers to return to work. SafeWork NSW’s main statutory functions are to administer and ensure compliance with the following legislation:

These laws govern workplace injury and disease prevention, handling dangerous goods and explosives.

We do this by:

  • providing advice on improving work health and safety to help stop workplace injuries and deaths from happening
  • providing assistance and support programs to businesses or people carrying out a business
  • providing licensing and registration for potentially dangerous work
  • enforcing NSW work health and safety laws and policies, and
  • appointing inspectors to:
    • provide information and advice about compliance with the Work Health and Safety Act 2011
    • assist in the resolution of work health and safety issues at workplaces
    • review disputed provisional improvement notices
    • require compliance with the Work Health and Safety Act 2011 through the issuing of notices, and
    • investigate contraventions of the Work Health and Safety Act 2011 and assist in the prosecution of offences
    • attend coronial inquests in relation to work-related deaths and examine witnesses.

The State Insurance Regulatory Authority (SIRA) also authorises these inspectors to exercise powers under the  Workplace Injury Management and Workers Compensation Act 1998. These powers include issuing improvement notices, exercising powers of entry, and exercising powers to obtain information and documents in relation to compliance with workers compensation legislation in NSW.

DFSI provides human resources, finance, information technology, legal services, government and ministerial, customer service, strategy, communications and corporate governance.

Our stakeholders

We may collect personal or health information from, or disclose personal or health information to, our stakeholders to do our work. These stakeholders include:

  • persons conducting a business or undertaking
  • workers
  • members of the public
  • insurers
  • other regulators
  • other law enforcement agencies
  • other state and federal government agencies and authorities
  • courts and tribunals
  • ministers and Parliament
  • private sector companies
  • academics and researchers
  • medical and allied health professionals
  • non-government organisations
  • solicitors and other legal representatives
  • industry and business associations
  • unions, and
  • media

Contacting us

Web: www.safework.nsw.gov.au

Email: contact@safework.nsw.gov.au

Phone:  13 10 50

Mail:     SafeWork NSW, Locked Bag 2906, Lisarow NSW 2252

Visit:     Head office is located at 92-100 Donnison Street, Gosford NSW 2250

Privacy responsibilities

SafeWork NSW’s privacy function ensurers the ongoing training and education of SafeWork NSW inspectors and staff members (including any third party service providers or consultants) about their obligations under the PPIP Act and HRIP Act including:

  • ensuring this plan remains up to date
  • making a copy of this plan available to all current and incoming staff, and contractors
  • informing staff and contractors of any changes to the plan
  • ensuring relevant privacy documents are consolidated and made available through the SafeWork NSW intranet
  • conducting or arranging staff training sessions on privacy matters as required
  • being available to answer any questions staff or contractors may have about their privacy obligations, and
  • ensuring the organisation meets its annual report obligations

To meet our annual reporting obligations each year, the Department of Customer Service annual report includes a statement of the action we’ve undertaken to ensure we comply with the requirements of the PPIP Act, and provide statistical details of any review we’ve conducted, or has been conducted on our behalf, under the PPIP Act.

The SafeWork NSW Privacy Officer can be contacted as follows:

Email: privacy@safework.nsw.gov.au

Phone: 13 10 50

Mail: SafeWork NSW Privacy Officer, Locked Bag 2906, Lisarow NSW 2252

Visit: Head office is located at 92-100 Donnison Street, Gosford NSW 2250

Responsibilities of our staff

All inspectors, employees, agents and contractors of SafeWork NSW are required to comply with the PPIP Act and HRIP Act. Both Acts contain criminal offence provisions applicable to staff and contractors who use or disclose personal information or health information without authority. It is an offence to:

  • intentionally disclose or use personal or health information accessed in doing our jobs for an unauthorised purpose
  • offer to supply personal or health information for an unauthorised purpose
  • attempt to persuade a person from making or pursuing a request for health information, a complaint to the Privacy Commissioner about health information, or an internal review under the HRIP Act, or
  • hinder the Privacy Commissioner or member of staff from doing their job
It is a criminal offence, punishable by up to two years’ imprisonment, an $11,000 fine (or both), for any person employed or engaged by SafeWork NSW (including former employees and contractors) to intentionally use or disclose any personal information or health information about another person, to which the employee or contractor has or had access in the exercise of his or her official functions, except in connection with the lawful exercise of his or her official functions.

Types of personal and health information we hold

When we use the term “personal information” we mean it according to the definition in the PPIP Act.

Personal information is any information or opinion that identifies a person (or that would allow a person’s identity to be ascertained). Personal information can include:

  • person’s name, address, financial information, and other details
  • photographs, images, video or audio footage, and
  • fingerprints, blood or DNA samples

There are some kinds of information that are not personal information eg. information about a person that’s been dead for more than 30 years, information about someone that is contained in a publicly available publication or information or opinion about a person’s suitability for employment as a public sector official.

When we use the term “health information” we mean it according to the definition in the HRIP Act.

Health information is a specific type of ‘personal information’. It includes:

  • information about a person’s physical or mental health, such as a psychological report, blood test or x-ray
  • personal information a person provides to any health organisation
  • information about a health service already provided to a person e.g. attendance at a medical appointment
  • information about a health service that is going to be provided to a person
  • a health service a person has requested, and
  • some genetic information

There are two main categories of personal and health information that SafeWork NSW holds or has access to:

Personal and health information held about members of the public and stakeholders

Examples of personal and health information we may hold about members of the public and stakeholders external to us include:

  • Information relating to workplace grievances and workplace injuries, and
  • information given as part of applications, for example for licences, for right to information and licence determination appeals

More specifically:

Workplace incident files may include:

  • SafeWork NSW data entry operator comments
  • name and contact details
  • audio files
  • details of injuries and medical treatment
  • detail of issue/complaint
  • videos
  • witness statements/records of interview
  • inspection reports
  • inspector’s report
  • reference to or copies of relevant evidence
  • notes of conversations
  • consent
  • action taken by complainant
  • notices issued
  • factual reports
  • correspondence i.e. emails, text messages, faxes, letters
  • action taken by Inspector
  • photographs

Workers compensation claim file information may include:

  • return to work and injury management plans
  • name and contact details
  • insurance information
  • personal injury claim history
  • capacity to work
  • medicare number
  • nature of injury and medical information
  • wages
  • interpreter use
  • pre-existing condition(s)
  • surveillance footage/photos
  • employment details
  • medical certificates
  • date of birth
  • signatures
  • witness statements
  • benefit payments
  • income details
  • correspondence ie. emails, text messages, faxes, letters
  • income details
  • investigations
  • complaints

Personal and health information held about employees

The majority of personal and health information about staff members is held by the Department of Customer Service. Some information is maintained at a local level or accessed for management purposes.

Part two: How we manage personal and health information

This section explains how we handle personal and health information.

Addressing the principles

Limiting our collection of personal information (PPIP Act s8, HPP 1)

The principle in brief

We will only collection personal and health information if:

  • it is for a lawful purpose that is directly related to one of our functions, and
  • it is reasonably necessary for us to have the information

Key points

We won’t collect personal information unless we need it for one of our functions.
As the body responsible for securing the health, safety and welfare of workers in NSW, with preventative and investigative functions, we may access personal information that SIRA obtained in connection with the Workplace Injury Management and Workers Compensation Act 1988 in order to fulfil our functions.

How we collect personal information – the source (PPIP Act s9, HPP 3)

The principle in brief

  • We collect personal information direct from the person, unless they have authorised otherwise
  • We collect health information direct from the person, unless it is unreasonable or impracticable to do so
  • We will obtain some information from others (e.g. SIRA) where we are lawfully authorised to do this

Key points

This principle will be applied when we collect personal or health information. For example, in collecting health information for the purpose of investigating workplace incidents and illnesses, SafeWork NSW inspectors will comply with this principle by following the procedure set out in the SafeWork NSW procedure: Obtaining Health Information (medical records and reports).

We will sometimes collect personal and health information from SIRA, the Department of Industry, Skills and Regional Development (the regulator under the Work Health and Safety (Mines and Petroleum Sites) Act 2013), and others, for the purpose of exercising our functions and activities.

For example, we may be lawfully authorised to do this by:

Collection of this information from third parties may be necessary for us to properly exercise our investigative and other functions and ensure compliance with the Acts, regulations and other instruments made under the Acts.

Where the person is under 16, we may collect their personal information from their parent or guardian. Where the person is aged 16 or over lacks some capacity (e.g. because of mental illness, intellectual disability, dementia, brain injury), we can ask their authorised representative for the information instead. However, we must also still try to communicate with them directly. The NSW Privacy Commissioner’s guide Privacy and people with decision making disabilities explains how to collect personal information from or about a person who has limited or no capacity.

The NSW Privacy Commissioner’s Handbook to Health Privacy provides some other examples of when it might be “unreasonable or impractical” to collect health information directly from the person.

Notification when collecting personal information (PPIP Act s10, HPP 4)

The principle in brief

When collecting personal and health information from an individual we will take reasonable steps to tell the person:

  • who we are and how to contact us
  • what the information will be used for
  • what other organisations (if any) routinely receive this type of personal information from us
  • whether the collections is authorised by law
  • what the consequences will be for the person if they do not provide the information to us, and
  • how the person can access and correct their personal information held by us

When collecting health information about an individual from someone else we will take reasonable steps to tell them these things unless this would pose a serious health threat, or it is in accordance with Privacy Commissioner Guidelines.

Key points

When designing or reviewing application forms for licences etc. we will include clear privacy statements indicating what the information being collected will be used for, who we are and how to contact us, what other organisations routinely receive this information whether the collection is authorised by law, consequences of not providing it and how the person can access or amend it.

Clear privacy statements with this information will be provided on documents we use to collect personal and health information e.g. claim forms, application forms and telephone scripts.

How we collect personal information – the method and content (PPIP Act s11, HPP 2)

The principle in brief

When we collect personal and health information from an individual we will ensure the information we collect is:

  • relevant, accurate, up-to-date and complete, and
  • not intrusive or excessive

Key points

We will ensure that when we design forms, communicate with members of the public (face to face, over the telephone and in writing), and collect information from individuals we do not seek personal or health information that is intrusive or excessive, and that the personal and health information we do collect is relevant, accurate, up-to-date and complete.

How we store and secure personal and health information (PPIP Act s12, HPP5)

The principle in brief

We will take reasonable security measures to protect personal and health information from loss, unauthorised access, modification, use or disclosure. We will ensure personal and health information is stored securely, not kept longer than necessary, and disposed of appropriately.

Key points

Security measures include technical, physical and administrative actions as well as assessment by independent audit.

SafeWork NSW information systems are designed to ensure that only authorised users can access them.

Information security is fundamental to information privacy. Our information technology systems and support is provided by the Information Services branch of DFSI. All our electronic information is stored on secure information systems. Information Services is compliant with ISO 27001 Information technology - Security techniques - Information security management systems - requirements and independently reviewed annually.

Our servers are backed up daily. Our networks are secure and require individual logins. Our staff members are not permitted to give out passwords to anyone or let anyone else use their computer login.

Our information is classified in line with the NSW State Records Keyword AAA Thesaurus and classified in line with the NSW Government Information Classification Labelling and Handling Guidelines. Since July 2015 these Guidelines have included the category “Sensitive: Health Information”. We comply with records management legislation and have retention and disposal rules in place for our general administration and functional information.

SafeWork NSW inspectors, employees and contractors have access to a range of internal databases as appropriate for their work. Access to these databases is password protected and access limited to staff needing access to the information to do their work. Access is required to be reviewed regularly to ensure the security level allocated to individual staff is appropriate and to remove access for people who no longer require it as part of their role.

Daily operational work is recorded in the above databases, within the shared drive, email, databases and in hardcopy. However, hardcopy files are the minority. Local security arrangements exist for the safe storage of information on the shared drive with access to those files limited to the individuals within a specified work area.

Our hard copy information is mainly located in our office locations. We archive older physical files in a secure storage facility in compliance with the State Records Act 1998. Our staff members have key card access to our office. Our offices are locked outside of business hours.

We keep physical files securely stored when we are not using them. We do not leave sensitive information on the printer and use secure printing where appropriate. We use locked bins for sensitive documents that need to be destroyed.

Transparency (PPIP Act s13, HPP 6)

The principle in brief

We will enable anyone to know:

  • whether we are likely to hold their personal or health information
  • the purposes for which we used personal information, and
  • how they can access their information

Key points

We have broad obligation to the community to be open about how we handle personal and health information. This is different to collection notification, which is specific, and given at the time of collecting new personal information.

This Privacy Management Plan will be available through our website. It sets out the major categories of personal and health information that we hold and explains our privacy obligations. Part three of the Plan explains the process for accessing any of the personal and health information we hold about you.

If you want more information or explanation you can request it through the SafeWork NSW Privacy Liaison Officer

Access to information we hold (PPIP Act s14, HPP7)

The principle in brief

Once we have confirmed their identity, we will allow people to access their personal and health information without unreasonable delay or expense. We will only refuse access where authorised by law. If requested we will provide written reasons for any refusal.

Key points

Part three of this Plan explains the process for accessing any of the personal and health information we hold about you.

Correction of information we hold (PPIP Act s15, HPP8)

The principle in brief

Once we have confirmed their identity, we will allow people to update or amend their personal information, to ensure it is accurate, relevant, up-to-date, complete and not misleading.

Key points

Part 3 of this Plan explains the process for correcting any of the personal and health information we hold about you.

Accuracy of information (PPIP Act s16, HPP 9)

The principle in brief

Before using personal or health information we will take appropriate steps to ensure that the information is relevant, accurate, up-to-date, complete and not misleading.

Key points

We ensure the accuracy of the information by collecting it directly from the individual wherever practicable,  and checking it with the individual before using it wherever practicable.

We take such steps as are reasonable in the circumstances to ensure that the information is relevant, accurate, up-to-date, complete and not misleading.

What might be considered ‘reasonable steps’ will depend upon all the circumstances, but some points to consider are:

  • the context in which the information was obtained
  • the purpose for which we collected the information
  • the purpose for which we now want to use the information
  • the sensitivity of the information
  • the number of people who will have access to the information
  • the potential effects for the person if the information is inaccurate or irrelevant
  • any opportunities we’ve already given the person to correct inaccuracies, and
  • the effort and cost in checking the information

Example: If we received information from a third party that your details had changed we would contact you to verify the information with you prior to amending your information.

How we use personal and health information (PPIP Act s17, HPP 10)

The principle in brief

We may use [1] personal and health information:

  • for the primary purpose for which it was collected
  • for a directly related secondary purpose
  • if we believe the use is necessary to prevent or lessen a serious and imminent threat to life or health, or
  • for another purpose if the person has consented

[1] ‘Use’ is different to ‘disclose’. We use information when we ‘use’ it internally.

Key points

As a general principle, we use the personal and health information we’ve collected only for the purpose for which it was collected. The relevant purpose should have been set out in a privacy notice at the time of collection.

We may also use personal and health information for a directly related secondary purpose. A directly related secondary purpose is a purpose that is very closely related to the purpose for collection and would be the type of purpose that people would quite reasonably expect their information to be used for. For example, information collected during the licence application process may be used to send licence renewal notices. Further to the circumstances set out above, we may also use health information to lessen or prevent a serious threat to public health or safety; management of health services; training; research purposes; finding a missing person; for law enforcement purposes and in respect of suspected unlawful activity, unsatisfactory professional conduct or breach of discipline.

How we disclose personal and health information (PPIP Act s18, HPP 11) and (PPIP Act s19, HPP14)

The principle in brief

We may disclose [2] information if:

  • the person has consented
  • the information is not ‘health information’ or ‘sensitive information’, and the individual has been made aware that the information is likely to be disclosed to the recipient
  • the information is not ‘health information’ or ‘sensitive information’, and the disclosure is directly related to the purpose for which the information was collected, and we have no reason to believe the individual would object to the disclosure, or
  • the information is ‘health information’ and the disclosure is for the purpose for which the information was collected, or for a directly related secondary purpose within the person’s reasonable expectations

[2] 'Disclose' is different to 'use'. We may disclose information when we disclose it to someone outside the agency.

Stricter rules apply to specific information

Disclosing sensitive information (e.g. a person’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities) is generally only allowed with the person’s consent.

We can generally only disclose personal or health information to someone outside NSW, or to a Commonwealth agency if one of the following applies:

  • they are subject to a law, scheme or contract that upholds principles substantially similar to the information privacy principles
  • the individual concerned has consented
  • if it is necessary for a contract with (or in the interests of) the individual concerned
  • if it will benefit the individual concerned and it is impracticable to obtain their consent but we believe the person would be likely to give their consent
  • this disclosure is reasonably believed by the public sector agency to be necessary to lessen or prevent a serious and imminent threat to the life, health or safety of the individual or another person
  • we have taken reasonable steps to ensure the information won’t be dealt with inconsistently with the information privacy principles e.g. we have bound the recipient by contract to privacy obligations equivalent to the principles, or
  • if it is permitted or required by legislation or any other law

Key points

We may disclose information we are lawfully authorised to disclose. See ‘Sometimes the Privacy Principles do not apply’ below.

Most other disclosures we make will be appropriately related to the purpose for which the information was collected and/or the individual will have the consent of the individual.

When we are required to share information with other business areas within DFSI or other public sector agencies, we will do so in accordance with the privacy laws.

Requests for personal or health information from outside bodies, including from government agencies, will be assessed to determine whether we are permitted to provide the information.

How we use unique identifiers and linkage of health records (HPP 12 & 13)

The principle in brief

We may only assign identifiers (e.g. a number) to an individual in relation to their health information if it is reasonably necessary. We must not include health information in a health records linkage system without an individual’s consent.

Key points

At this point we do not have any need to assign unique identifiers.

We will only use health records linkage systems when individuals have expressly consented to their information being included on such a system, or for research purposes which have been approved by an Ethics Committee and in accordance with the Statutory Guidelines on Research issued under the HRIP Act.

Sometimes the privacy principles do not apply

The Information Protection Principles (IPPs) and Health Privacy Principles (HPPs) in the PPIP Act and HRIP Act do not apply in certain situations or to certain information collected. Further details are provided in Appendix 2. Some of the key situations where collection, use or disclosure of information is exempted from the compliance with certain IPPs and HPPs include:

  • unsolicited information
  • personal information collected before 1 July 2000
  • health information collected before 1 September 2004
  • law enforcement and investigative and some complaints handling purposes
  • when authorised or required by a subpoena, warrant or statutory notice to produce
  • if another law authorises or requires us not to comply*
  • where non-compliance is otherwise permitted, implied or contemplated by another law*
  • in the case of health information, to lessen or prevent a serious threat to public health or public safety
  • some research purposes
  • in the case of health information, compassionate reasons
  • finding a missing person, and
  • information sent between public sector agencies to transfer enquiries or to manage correspondence from a Minister or member of Parliament

* Example of laws which may authorise or permit SafeWork NSW to not comply with certain IPPs and HPPs include:

  • Sections 271 and 271A of the Work Health and Safety Act 2011 Section 271 prohibits the use or disclosure of information obtained in exercising a power or function under the Act and sets out when these additional restrictions don’t apply (e.g. with the person’s consent,  when it’s necessary for the exercise of a power or function the Act, or for administering or monitoring or enforcing compliance with the Act, or necessary for administering or enforcement of another Act specified in the Regulation (see clause 702 of the Work Health and Safety Regulation 2017)
  • Section 271A authorises the disclosure of information between SafeWork NSW and the regulator under the Work Health and Safety (Mines and Petroleum Sites) Act 2013, the Department of Industry, Skills and Regional Development for the purpose of exercising functions under those Acts
  • The broad range of powers given to SafeWork NSW, and in particular inspectors, to enable them to fulfil their investigatory and regulatory roles. For example:
  • section 155 of the Work Health and Safety Act 2011 allows us to give a written notice to someone requiring them to provide information or in relation to a possible contravention of the Act or that will assist SafeWork NSW to monitor or enforce compliance with the Act
  • Sections 243 and 243A of the Workplace Injury Management and Workers Compensation Act 1998
  • Section 243 authorises SIRA and the Nominal Insurer to disclose certain information to us
  • Section 243A allows SIRA and the Nominal Insurer to collect certain information e.g. information relating to claims for compensation and work injury damage, from any source. It also allows them to disclose certain information, and places restrictions on the disclosure of health information

Role and powers of SafeWork NSW inspectors

SafeWork NSW inspectors have a wide range of responsibilities in helping to ensure that employers and workplaces are meeting their work health and safety and workers compensation and return to work responsibilities. Inspectors have been given a broad range of statutory powers to enable them to fulfill these functions, including powers to require the production of documents or other information, to inspect documents and make recordings of these, and to issue and execute search warrants. In exercising these powers inspectors will have regard to the privacy principles and will comply with each of the principles unless, in the particular circumstances, compliance with that particular principle is not required under the legislation. In particular, inspectors will collect health information in accordance with the procedure set out in SafeWork NSW’s procedure - Obtaining Health Information (medical records and reports).

Part three: How to access and amend personal and health information

In the majority of cases, you have the right to access and amend the personal and health information we hold about you, for example if you need to update your contact details.

We must provide access to or amend personal or health information without excessive delay or expense. We do not charge any fees to access or amend personal or health information.

Informal request

Informal requests do not need to be in writing.

You can request access to or amendment of your personal or health information by contacting us by telephone on 13 10 50 or by email at privacy@safework.nsw.gov.au.

You will need to verify your identity and in some circumstances, particularly if it is sensitive information, we may ask you to make a formal application.

We aim to respond to informal requests within 5 working days. We will tell you how long the request is likely to take, particularly if it may take longer than first expected. We will contact you to advise the outcome of the request. If you are unhappy with the outcome of an informal request, you can make a formal application to us.

Formal request

Formal requests need to be made in writing.

You do not need to ask informally before making a formal request, and you can make a formal request if you have already asked informally.

You can make a formal request to SafeWork NSW by email at privacy@safework.nsw.gov.au or post.

The formal request should:

  • include your name and contact details
  • include certified proof of identity
  • state whether you are making the request under the PPIP Act (personal information) or HRIP Act (health information)
  • explain what personal or health information you would like to access or amend, and
  • explain how you would like to access or amend it

We aim to respond in writing to formal request within 20 working days. We will contact you to advise how long the request is likely to take, particularly if it may take longer than expected.

If you think we are taking an unreasonable amount of time to respond or you disagree with the outcome, you have the right to seek an internal review. Before seeking an internal review, we encourage you to contact us to ask for an update or time frame for response.

Why we might not give access to or amend personal or health information

If we decide not to give you access to or amend your personal or health information, we will clearly explain our reasons. For example, when investigating workplace incidents under the Work Health and Safety Act 2011, we are generally restricted from giving people access to information we have obtained from NSW public sector agencies for the purposes of conducting the investigation. We may, however, release the information if the agency or person explicitly consents to its release.

Limit on accessing or amending personal or health information

We are usually restricted from giving you access to someone else’s personal and health information. While the PPIP Act and the HRIP Act give you the right to access your own information, the Acts generally do not give you the right to access someone else’s information.

However both the PPIP Act and HRIP Act allow you to give us permission to collect your personal and health information from, and disclose it to, someone else. For example when contact with us worsens an anxiety condition or if you are mentally or physically unfit to represent yourself.

If you are under 16 we are allowed to collect information directly from your parents or guardian.

If you do require someone to act on your behalf, you will need to provide us with written consent.

The Acts also enable us to disclose information in limited circumstances, such as to prevent a serious and imminent threat to the life, health and safety of an individual, or if withholding your information would prejudice you. In the case of health information, other reasons include to find a missing person or for compassionate reasons.

The Information & Privacy Commissioner’s Guide to Privacy and people with decision making disabilities explains how to seek consent for a secondary use or disclosure of personal information from a person who has limited or no capacity.

Part four: Privacy or Data Breaches

Mandatory Notification of Data Breaches

From 28 November 2023, amendments to the PPIP Act will take effect to introduce the Mandatory Notification of Data Breach (MNDB) Scheme. This scheme imposes further responsibilities on SafeWork, requiring us to notify the NSW Privacy Commissioner and affected individuals in the event of an eligible data or privacy breach which is likely to result in serious harm.

What is an eligible data or privacy breach?

An eligible data or privacy breach will occur when:

(a) There is unauthorised access to, or disclosure of personal information held by SafeWork, or loss of personal information held by SafeWork which would likely result in unauthorised access to or disclosure of that information, and

(b) A reasonable person is able to conclude that such access or disclosure would likely result in serious harm to an individual to whom the information relates.

In responding to a data or privacy breach, SafeWork will:

  1. Take steps to immediately contain the breach and prevent the personal information from being further compromised.
  2. Assess the privacy breach by gathering the facts and evaluating the risks to affected parties. At this stage, SafeWork will determine whether the incident constitutes an eligible data breach or privacy breach in line with the MNDB scheme and make reasonable attempts to mitigate the harm caused. This assessment will be carried out within 30 days.
  3. Notify the NSW Privacy Commissioner and any affected parties unless any exemptions apply. If it is not reasonably practicable to notify affected individuals directly, SafeWork may make a public notification of the breach.
  4. Review the incident and consider what actions can be implemented to prevent future breaches. Remediation actions that arise from this review may be added to this document.

These steps are clearly outlined in SafeWork’s Privacy/Data Breach Procedure. SafeWork also has an internal video for staff explaining what a privacy breach is and the process for responding to a breach. Both resources are accessible on the agency’s internal knowledge hub for all SafeWork staff. SafeWork teams will also be provided a copy of these resources by the privacy team when managing a data or privacy breach.

Part five: Review rights and complaints

Internal review

General principles

We encourage you to contact us directly to resolve any concerns you have about our handling of your personal and health information.

If you think we have breached your privacy, we encourage you to discuss any concerns with the staff member or business unit dealing with your information, or contact us us by telephone on 13 10 50 or by email.

The following general principles are relevant to applications for internal review of privacy complaints:

  • You may apply to SafeWork NSW for an ‘internal review’ of the conduct you believe breaches an Information Protection Principle and/or a Health Privacy Principle, or you may make a privacy complaint directly to the NSW Privacy Commissioner. For explanation of how we apply the Information Protection and Health Privacy Principles, refer to part two: How we manage personal and health information
  • Complaints to the NSW Privacy Commissioner can only result in a conciliated outcome, rather than a binding determination
  • You cannot seek an internal review for an alleged/potential breach of someone else’s privacy, unless you are an authorised representative of the other person
  • An application for an internal review must be made within six months from when you first become aware of the conduct you are concerned about (in limited circumstances SafeWork NSW may consider a late application for internal review)

How to apply for internal review

To help you apply for an internal review, you can use the application form in Appendix 3. Although we encourage use of the form, it is not compulsory. You may submit any other relevant material along with your application.

Requests for internal review should be sent to the SafeWork NSW Privacy Officer by email or post and needs to:

  • be in writing
  • be addressed to SafeWork NSW, and
  • include a return address in Australia

Applications in other languages will be accepted and translated, and all acknowledgments and correspondence from SafeWork NSW will be translated into the applicant’s preferred language. If the applicant is not literate in English and/or their first language and there is no organisation making the application on their behalf, the SafeWork NSW Privacy Officer will help write the application, using a professional interpreter if necessary.

What you can expect from us

  • your application will be acknowledged within 5 working days and will include an expected completion date.
  • either the SafeWork NSW Privacy Liason Officer (if they were not involved in the conduct which is the subject of the complaint), or another person not involved in the conduct which is the subject of the complaint, who is an employee or an officer of the agency, and is qualified to deal with the subject matter of the complaint will conduct the review
  • the internal review will be completed within 60 days of receiving your application. If you are not notified of the outcome of the review within 60 days, you have the right to seek external review at NSW Civil and Administrative Tribunal (NCAT). More information on external reviews is provided below, and
  • we will follow the NSW Privacy Commissioner’s Internal Review Checklist and give consideration given to any relevant material submitted by you and/or the Privacy Commissioner

In making a decision, we may decide to:

  • take no further action on the matter
  • make a formal apology to you
  • take appropriate remedial action, which may include payment to you of monetary compensation
  • undertake that the conduct will not occur again, and/or
  • implement administrative measures to ensure that the conduct will not occur again

You will be informed of the outcome within 14 days of the internal review being decided, including:

  • the findings of the review
  • the reasons for those findings
  • the action SafeWork NSW proposes to take
  • the reasons for the proposed action (or no action), and
  • your entitlement to have the findings and the reasons for the findings reviewed by NCAT

Role of the Information and Privacy Commissioner

The PPIP Act requires that the NSW Privacy Commissioner be informed of the receipt of an application for an internal review of conduct and receive regular progress reports of the investigation. In addition, the Commissioner is entitled to make submissions in relation to the application for internal review.

When we receive your application we will provide a copy to the Privacy Commissioner. We will then continue to keep the Privacy Commissioner informed of the progress of the internal review, the findings of the review and the proposed action to be taken by SafeWork NSW in relation to the internal review. Any submissions made by the Privacy Commissioner to the agency will be taken into consideration when making our decision.

The Privacy Commissioner’s contact details are:

Office: Information & Privacy Commission, Level 5, 47 Bridge Street, Sydney NSW 2000

Post: PO Box R232 Royal Exchange, NSW 2001

Phone: 1800 472 679

Email: ipcinfo@ipc.nsw.gov.au

Web: www.ipc.nsw.gov.au

External review

If you are unhappy with the outcome of the internal review, you can apply to NCAT to review the decision (an “external review”). Also, if we have not completed the internal review within 60 days, you can also take the matter to NCAT for external review.

However, please note, before you have the right to seek an external review you must first seek an internal review by SafeWork NSW. Generally you have 28 days from the date of the internal review decision to seek the external review.

NCAT has the power to make binding decisions on an external review, including ordering SafeWork NSW to pay damages of up to $40,000.

For more information about seeking an external review including current forms and fees, please contact NCAT:

Post:

NSW Civil & Administrative Tribunal, Administrative and Equal Opportunity Division, GPO Box 4005, Sydney NSW 2000

Phone: 1300 006 228 and select Option 3 for all Administrative and Equal Employment Opportunity Division enquiries

Website: www.ncat.nsw.gov.au

Part six: Continuous improvement

Reviewing the plan

Our plan will be reviewed at a minimum every two years, but more frequently when legislative, administrative or systemic changes occur that affect the way we manage the personal and health information we hold.

Promoting the plan

Public awareness

This plan is a commitment of service to our stakeholders of how we manage personal information and health information. As it is central to how we do business, this plan is easy to access and easy to understand for people from all kinds of backgrounds.

Additionally, we are required to make this plan publicly available as open access information under the Government Information (Public Access) Act 2009.

We aim to promote public awareness of this plan by:

  • writing the plan in plain English
  • publishing the plan in a prominent place on our website
  • providing hard copies of the plan free of charge on request, and
  • telling people about the plan when we answer questions about how we manage personal and health information.

SafeWork Executive

The SafeWork NSW executive team is committed to openness about how we comply with the PPIP Act and HRIP Act, which is reinforced by:

SafeWork Employees

We ensure our staff are aware of and how it applies to the work they do by:

  • training staff so they understand their privacy obligations and how they are to manage personal and health information
  • writing this plan in a practical way so our staff can understand what their privacy obligations are
  • what to do if unsure about their privacy obligations
  • making available in a prominent place on our intranet, and
  • highlighting the plan at least once a year (for example, during Privacy Awareness Week)

Part seven: Appendices

Appendix 1: Public registers and other related laws

This section contains information about public register requirements in the PPIP Act and a summary of other laws that may impact the way we handle personal and health information.

Public registers

The PPIP Act governs how NSW public sector agencies should manage personal information contained in public registers (Part 6 – Public Registers).

Section 57 “Disclosure of personal information contained in public registers” states:

(1) The public sector agency responsible for keeping a public register must not disclose any personal information kept in the register unless the agency is satisfied that it is to be used for a purpose relating to the purpose of the register or the Act under which the register is kept.

(2) In order to enable the responsible agency to comply with subsection (1), the agency may require any person who applies to inspect personal information contained in the public register to give particulars, in the form of a statutory declaration, as to the intended use of any information obtained from the inspection.

Section 58 “suppression of personal information” states:

(1) A person about whom personal information is contained (or proposed to be contained) in a public register may request the public sector agency responsible for keeping the register to have the information

(a) removed from, or not placed on, the register as publicly available, and

(b) not disclosed to the public.

(2) If the public sector agency is satisfied that the safety or well-being of any person would be affected by not suppressing the personal information as requested, the agency must suppress the information in accordance with the request unless the agency is of the opinion that the public interest in maintaining public access to the information outweighs any individual interest in suppressing the information.

(3) Any information that is removed from, or not placed on, a public register under this section may be kept on the register for other purposes.

The following register is maintained by SafeWork NSW:

  • Asbestos assessor register

Other laws that impact on the way we handle personal and health information

Other laws which impact on how we handle personal and health information include:

Government Information (Public Access) Act 2009 (GIPA Act) and Government Information (Public Access) Regulation 2009.

Under this law people can apply for access to government information we hold. Sometimes this information may include personal or health information. The Act contains public interest considerations against disclosure of information that would reveal an individual’s personal information; or contravene an information or health protection principle under the PPIP Act and HRIP Act.

If a person has applied for access to someone else’s personal or health information we will consult with the affected third parties. If we decide to release a third party’s personal information, we must not disclose the information until the third party has had the opportunity to seek a review of our decision.

When accessing government information of another NSW public sector agency in connection with a review, the Information Commissioner must not disclose this information if the agency claims that there is an overriding public interest against disclosure.

Government Information (Information Commissioner) Act 2009 (GIIC Act).

Under this law the Information Commissioner has the power to access government information held by other NSW public sector agencies for the purpose of conducting a review, investigation or dealing with a complaint under the GIPA Act and GIIC Act. The Information Commissioner also has the right to enter and inspect any premises of a NSW public sector agency and inspect any record.

This Act also allows the Information Commissioner to provide information to the NSW Ombudsman, the Director of Public Prosecutions, the Independent Commission Against Corruption or the Police Integrity Commission.

Data Sharing (Government Sector Act) 2015 in relation to the sharing of government data between government agencies and the government Data Analytics Centre, including the sharing of de-identified personal data. Enhanced privacy safeguards apply and this Act in no way alters how the current privacy legislation applies to the personal and health information we hold.

Crimes Act 1900 in relation to accessing or interfering with data in computers or other electronic devices.

Independent Commission Against Corruption Act 1988 in relation to the misuse information.

Public Interest Disclosures Act 1994 (PID Act) in relation to disclosing information that might identify or tend to identify a person who has made a PID.

State Records Act 1998 and State Records Regulation Act 2015 in relation to the management and destruction of records.

Appendix 2: Exemptions

The PPIP Act and HRIP Acts contain exemptions from compliance with certain IPPs and HPPs. The main exemptions to each principle are:

Limiting our collection of personal and health information – PPIP Act s8 & HPP 1

  • unsolicited information
  • personal information collected before 1 July 2000
  • health information collected before 1 September 2004
  • in the case of personal information, for certain Ministerial correspondence or referral of inquiries
  • in relation to personal information, certain research purposes

How we collect personal and health information – the source – PPIP Act s9 & HPP 3

  • unsolicited information
  • personal information collected before 1 July 2000
  • health information collected before 1 September 2004
  • personal information used for law enforcement or some investigative and complaints handling purposes
  • where another law authorises or requires us not to comply with this principle
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • in the case of personal information, where compliance would disadvantage the individual

Notification when collecting personal and health information – PPIP Act s10 & HPP 4

  • unsolicited information
  • personal information collected before 1 July 2000
  • health information collected before 1 September 2004
  • the individual concerned has expressly consented to the non-compliance
  • some law enforcement and investigative or complaints handling purposes
  • where another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • where compliance would disadvantage the individual
  • where notification in relation to health information would be unreasonable or impracticable

How we collect personal and health information – the method and content – PPIP Act s11 & HPP 2

  • unsolicited information
  • personal information collected before 1 July 2000
  • health information collected before 1 September 2004
  • law enforcement or some investigative and complaints handling purposes
  • where another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • where compliance would disadvantage the individual

Retention and security – PPIP Act s12 & HPP 5

  • there are no direct exemptions to the operation of the principle

Transparency – PPIP Act s13 & HPP 6

  • if another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • where the provisions of GIPAA impose conditions or limitations (however expressed)

Access – PPIP Act s14 & HPP 7

  • Some health information collected before 1 September 2004
  • where another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • the provisions of GIPAA that impose conditions or limitations (however expressed)

Correction – PPIP 8 & HPP 8

  • some health information collected before 1 September 2004
  • some investigative or complaints handling purposes
  • if another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • the provisions of GIPAA that impose conditions or limitations (however expressed)

Accuracy – PPIP 9 & HPP 9

  • there are no direct exemptions to the operation of this principle

Use – PPIP 10 & HPP 10

  • law enforcement and some investigative or complaints handling purposes
  • where another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • in the case of health information, to lessen or prevent a serious threat to public health or public safety
  • in the case of health information, finding a missing person
  • information sent to other agencies under the administration of the same Minister or Premier for the purposes of informing the Minister or Premier

Disclosure – PPIP 11 & 12 and HPPs 11 & 14

  • law enforcement or some and investigative and complaints handling purposes
  • when it is authorised or required by a subpoena, warrant or statutory notice to produce
  • if another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law
  • in the case of health information, to lessen or prevent a serious threat to public health or public safety
  • in the case of health information, compassionate reasons
  • finding a missing person
  • information sent to other agencies under the administration of the same Minister or Premier for the purposes of informing the Minister or Premier

Identifiers – HPP 12

  • There are no direct exemptions to the operation of this principle.

Linkage of health records – HPP 15

  • health information collected before 1 September 2004
  • where another law authorises or requires us not to comply
  • where non-compliance is otherwise permitted, implied or contemplated by another law

Appendix 3: Forms

Privacy complaint internal review application form

Back to top