Managing personal and health information at SafeWork

On this page

This section details how SafeWork complies with its obligations with the 12 Information Protection Principles (IPPs) set out under the PPIP Act, and the 15 Health Privacy Principles (HPPs) set out under the HRIP Act. These principles follow the lifecycle of information, being collection, use, disclosure and storage.

3.1 Collection (IPP 1, 2, 4 + HPP 1, 2, 3)

While we must collect some types of personal and health information to meet our legal obligations, we will limit our collection of personal and health information to what is reasonably necessary to fulfil SafeWork’s functions. The collection of this information may be in writing, e-mail, photos, videos, through our websites, the SpeakUp app, forms, over the phone, or in person. Depending on the services, or your interactions with SafeWork, we may collect personal and health information in the following ways:

  • to assist customers with a work health and safety enquiry
  • in response to a complaint or notification of a work health and safety incident for yourself or someone else
  • if an individual reports a workplace incident or provides a witness statement
  • to process a license application or related appeal
  • to conduct compliance management and monitoring
  • to investigate complaints
  • to respond to requests for access to information we hold
  • small business rebates
  • conferences and other events
  • when an individual visits our website, uses our online services (such as applying for a license or making an enquiry). This may include:
    • Location information (if enabled on your device) IP address
    • The date and time you visited the site o The type of browser used.
    • Find more information about the digital information we collect.
  • for business planning and service improvements, and
  • surveys and research to develop or improve our services

The types and examples of personal or health information that SafeWork may collect to manage workplace incidents are:

  • SafeWork staff member comments when recording or investigating a workplace matter
  • name and contact details of third parties
  • audio files
  • details and dates of injuries and medical treatment
  • details and dates of the issue/complaint
  • video files (including body worn videos by inspectors)
  • witness statements/records of interview, including material about illnesses and injuries
  • inspection reports conducted by SafeWork inspector’s
  • inspector’s report
  • reference to or copies of relevant evidence
  • notes of conversations
  • consent
  • signatures
  • action taken by requestor
  • notices issued
  • factual reports
  • correspondence i.e., emails, text messages, faxes, letters, including details of medical appointments, treatment and history
  • action taken by inspector
  • photographs

Workers' compensation claim file information may include:

  • return to work and injury management plans
  • name and contact details
  • insurance information
  • personal injury claim history
  • capacity to work
  • Medicare number
  • nature of injury, medical information and medical reports
  • wages
  • interpreter use
  • pre-existing condition(s)
  • surveillance footage/photos
  • employment details
  • medical certificates
  • date of birth
  • signatures
  • witness statements
  • benefit payments
  • income details
  • correspondence i.e. emails, text messages, faxes, letters
  • income details
  • investigations
  • complaints

We collect personal and health information direct from the person for whom it relates, unless they have consent otherwise, we are lawfully authorised to do so, or unless it is unreasonable or impracticable to do so.

Where the person is under the age of 16 or lacks capacity (e.g., because of mental illness, intellectual disability, dementia, brain injury), we can ask their authorised representative, parent or guardian for the information instead. However, we must also still try to communicate with them directly. The NSW Privacy Commissioner’s guide Privacy and Persons with Reduced Decision-Making Capacity explains how to collect personal information from or about a person who has limited or no capacity.

There are also some instances where we will collect information from third parties, including from:

  • our agents or contractors
  • persons conducting a business or undertaking (PCBU)
  • workers
  • members of the public
  • insurers
  • courts and tribunals
  • ministers and Parliament
  • privacy sector companies
  • academics and researchers
  • department of health
  • medical and allied health professionals
  • non-government organisations
  • solicitors and other legal representatives
  • industry and business associates
  • unions
  • media
  • third parties, such as training and research organisations, Australia Post and Service NSW for the processing of licences and the SIRA when our inspectors are acting as an authorised person under the workers compensation legislation
  • state or territory agencies regarding activities relevant to licence applications or licences and equivalent regulators in other jurisdictions
  • other state and federal government agencies, such as NSW and Federal Police (for security or criminal reference checks), icare, Australian Skills Quality Authority or a State Training Authority (for training related complaints or investigations)
  • other agencies, organisations or individuals in the event of an emergency.
  • we will sometimes collect personal and health information from SIRA, the Department of Primary Industries and Regional Development (the regulator under the Work Health and Safety (Mines and Petroleum Sites) Act 2013), and other agencies, organisations or individuals, for the purpose of exercising our functions and activities.

For example, we may be lawfully authorised to do this under:

Collection of this information from third parties will only occur where it is necessary for us to properly exercise our investigative and other functions to ensure compliance with the Acts, regulations and other instruments made under the Acts.

When collecting personal and health information from individuals, SafeWork will ensure that the information we are collecting is relevant, accurate, up-to-date, complete and not excessive or intrusive in any way.

We achieve this by designing forms and notification processes that only collect relevant information that is required to fulfil our functions, taking into account whether it is lawful for us to collect this information, for example if legislation authorises the collection, or whether it is directly related to the agency’s functions.

If an individual wishes to provide information to SafeWork anonymously, this will be permitted, granted it allows us to fulfil our functions. It is important to note that even though information is anonymous, SafeWork must consider the broader context of the information to ensure there is no possibility of this information being able to identify an individual, thus being personal information.

3.1.1 Body worn video

SafeWork inspectors may use Body Worn Video (BWV) devices during inspections, site visits, or enforcement activities under the Surveillance Devices Act 2007, WHS Act and the Explosives Act 2003. These devices may capture audio, video, and images of individuals, workplaces, and work related incidents.

3.1.2 Validation of proof of identity

SafeWork will often request a customer to provide proof of identity to proceed with a particular transaction (for example, a licence application or a request for information under the Government Information (Public Access) Act 2009 (GIPA Act) or PPIP Act). SafeWork may use a validation service such as the Commonwealth Document Verification Service. SafeWork will obtain the customer’s consent before disclosing proof of identity information to a validation service or obtaining the results from a validation service. SafeWork may collect proof of identity information in its own right, or as part of a transaction for a partner agency.

3.1.3 CCTV and surveillance

SafeWork installs and maintains closed circuit television (CCTV) cameras on some premises for several purposes in accordance with the Workplace Surveillance Act 2005 (NSW), including:

  • to ensure the safety and security of staff and visitors whilst on SafeWork premises
  • to protect assets and property of SafeWork and others
  • to assist in crime prevention and aid in the investigation of criminal activity or other misconduct.

When utilised, prominent signage notifies all staff, visitors and members of the public of the use of CCTV and that they may be under camera surveillance. Access to the CCTV images is controlled and secure to ensure that only authorised staff have access to any images.

3.1.4 Personal and health information held about staff

Most of the personal and health information about staff members is collected and managed by the DCS. Some information is maintained at a local level or accessed for management purposes. For further information, please see the DCS Privacy Management Plan.

3.2 Open and transparent (IPP 3 + HPP4)

When SafeWork collects personal and health information, for example, in licence application forms, notifications, etc., we will take reasonable steps to inform an individual of the following:

  • the fact that the information is being collected
  • the purposes for which the information is being collected
  • the intended recipients of the information
  • whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided
  • the existence of any right of access to, and correction of, the information
  • the name and address of the agency that is collecting the information and the agency that is to hold the information

Where personal and health information is being collected verbally from an individual, we will take reasonable steps to advise that individual of the above. In relation to health information, we will take these reasonable steps unless this would pose a serious threat to the life or health of an individual, or in accordance with the NSW Privacy Commissioner Guidelines on collecting health information.

Notification of collection is generally given via a privacy collection notice which SafeWork includes on its application forms, web pages and verbal messages (for example, through contact centre staff scripts or a reasonable attempt to make a person likely to be recorded aware of this by inspectors when using body worn video) at the point closest to where the information is being collected.

We will not use information for another purpose other than what it was collected for unless we are lawfully authorised or have the persons express or implied consent, either via writing or orally, or are required to by law.  For consent to be valid, it must be voluntary, informed, specific, current and given by a person with the capacity to give or withhold consent.

Voluntarily means that you must be free to say ‘no’ and still receive the primary service you are asking for. It cannot be included as a standard condition. You must be given a genuine opportunity to give or withhold your consent being requested by SafeWork without feeling pressured or coerced to do so.  We will not consider silence as consent.

3.3 Storage and security (IPP 5 + HPP 5)

SafeWork takes its responsibilities in securely storing the personal and health information it collects seriously. We will ensure personal, and health information is stored securely, not kept longer than necessary, and disposed of appropriately. We take reasonable steps to protect personal and health information from loss, misuse, unauthorised access, use, modification, or disclosure. This involves implementing reasonable security measures, including technical, physical, and administrative actions, to protect information. Security and disposal measures examples include:

  • limiting data access to staff members with a defined and legitimate business need
  • conducting regular reviews of user access permissions
  • keeping detailed logs and activity records to support monitoring and auditing
  • implementing multi-factor authentication for added access security
  • requiring strong computer passwords and mandating regular password updates
  • supplying employees with secure storage options near their work areas for safekeeping of documents and electronic devices
  • ensuring information is securely disposed of once it’s no longer needed, in accordance with the relevant retention schedules
  • including terms in contracts with external vendors to prohibit any unauthorised access, use, or disclosure of our information
  • evaluating the data protection practices and security protocols of third-party providers
  • delivering ongoing training to staff on secure information handling and data protection responsibilities

SafeWork have a Data Governance Framework which provides guidance for managing and utilising data effectively to support our broader objectives.

Our information is managed in line with the NSW State Records Act and with the NSW Government Information Classification Labelling and Handling Guidelines. Since July 2015 these Guidelines have included the category “Sensitive: Health Information” and “Sensitive: Law Enforcement”. We comply with records management legislation and have retention and disposal rules in place for our general administration and functional information. SafeWork inspectors, staff and contractors have access to a range of internal information and records management systems as appropriate for their work. Access to these systems is password protected and limited to staff needing access to the information to do their work. Access is required to be reviewed regularly to ensure the security level allocated to individual staff is appropriate and to remove access for people who no longer require it as part of their role.

3.3.1 Private sector companies, government agencies and contractors

SafeWork may use private sector companies, contractors, or other government agencies for services. If these organisations or individuals have or are likely to have access to personal information, SafeWork ensures that personal and health information is managed in line with the PPIP Act, HRIP Act and data sharing and information security policies. SafeWork might do this by:

  • asking for evidence of their information handling processes
  • inserting privacy requirements into our contracts/Memorandum of Understanding and Data Sharing Agreements.
  • consider how a private sector company, agency or contractor will manage personal or health information they may have access to before engaging with them

An external entity that may manage or collect personal information on behalf of SafeWork includes:

  • DCS in providing information technology and human resources systems and support
  • a secure shredding company in order to carry out the destruction of sensitive documents
  • temporary staff procured from providers under government contracts
  • event management companies in order to host events and manage registrations
  • training providers
  • independent contractors
  • IT contractor

3.4 Access or amend personal information (IPP 6, 7, 8 + HPP 6, 7)

In most cases, you have the right to access, update, correct and amend the personal and health information we hold about you, for example if you need to update your contact details. You are entitled to have access to this information without cost or excessive delay. However, you may be required to pay a fee if the application is made under the HRIP Act or if you are lodging a formal application under the GIPA Act.

3.4.1 Informal request

You are encouraged to contact the relevant business unit within SafeWork directly if you are trying to access or amend your personal or health information. You can also complete our online form or contact our privacy team at privacy@safework.nsw.gov.au.

SafeWork is committed to protecting personal information against unauthorised access, use, modification, or disclosure, and will not disclose personal information except in accordance with the IPPs (or exceptions to same) contained in PPIP Act or if required to by legislation or subpoena. For this reason, proof of identity showing a signature and/or current address with or without a photo may be sought prior to releasing the information. Each request will be considered on a case-by-case basis, and our team will use its discretion to ascertain what is reasonable to verify your identity.

We aim to respond to informal requests within 5 working days. We will tell you how long the request is likely to take, particularly if it may take longer than first expected. We will contact you to advise the outcome of the request.

Please note that some business units within SafeWork have forms available on our website to enable your amendment of your personal or health information. For example, SafeWork Licensing has a form available to allow a licence holder to change their details for a SafeWork issued licence.

3.4.2 Formal request

Formal requests to access personal or health information can be made under the PPIP Act, HRIP Act or the GIPA Act, depending on the circumstances and the sensitivity of the information involved. You would generally need to complete a particular form and provide specific details before your application will be valid. You can find out about making formal access applications under GIPA via accessing information page on our website.

You may need to lodge a formal application if any of the follow applies:

  • the information relates to a third party
  • there are significant public interest considerations that need to be considered
  • you request a large volume of information, or
  • it would take a significant amount of time to consider your request.

No fee is required if you are requesting information under the PPIP or HRIP Acts, however GIPA applications will require the application fee of $30 to be paid.

The Office of the Privacy Commissioner, within the IPC, can also provide help and guidance about your rights to access your personal and health information.

3.4.3 Why we might not give access to or amend information

If we decide not to give you access to or amend your personal or health information, we will clearly explain our legal reasons. For example, when investigating workplace incidents under the WHS Act, we are generally restricted from giving people access to information we have obtained from NSW public sector agencies for the purposes of conducting the investigation. We may, however, release the information if the agency or person explicitly consents to its release.

3.4.4 Limit on accessing or amending information

We are usually restricted from giving you access to someone else’s personal and health information.

While the PPIP Act and the HRIP Act give you the right to access your own information, the Acts generally do not give you the right to access someone else’s information. However, both the PPIP Act and HRIP Act allow you to give us permission to collect your personal and health information from, and disclose it to, someone else. For example, when contact with us worsens an anxiety condition or if you are mentally or physically unfit to represent yourself. If you are under 16, we are allowed to collect information directly from your parents or guardian. If you do require someone to act on your behalf, you will need to provide us with written consent.

The Acts also enable us to disclose information in limited circumstances, such as to prevent a serious and imminent threat to the life, health and safety of an individual, or if withholding your information would prejudice you. In the case of health information, other reasons include to find a missing person or for compassionate reasons. The Information & Privacy Commission’s Guide to Privacy and Persons with Reduced Decision-making Capacity explains how to seek consent for a secondary use or disclosure of personal information from a person who has limited or no capacity.

Under the GIPA Act, any member of the public has an inherent human right to access government held information. The information that is subject to a GIPA request, therefore, may include personal or health information of other individuals. The provisions under the GIPA Act are thoroughly considered when assessing the release of any information in scope of a GIPA request. More information in relation to GIPA requests can be found on our website.

3.5 Use (IPP 9, 10 + HPP, 9, 10)

Before using any personal or health information, we take reasonable steps in ensuring the information is relevant, accurate, up-to-date, complete and not misleading. We may use personal and health information:

  • for the primary purpose for which it was collected
  • for a directly related secondary purpose
  • if we believe the use is necessary to prevent or lessen a serious and imminent threat to life or health,
  • for another purpose, if the person has consented
  • for a purpose permitted by law

‘Use’ is different to ‘disclose’. We use information when we handle or ‘use’ it internally.

As a general principle, we use the personal and health information we’ve collected only for the purpose for which it was collected. The relevant purpose should have been set out in a privacy notice at the time of collection.

We may also use personal and health information for a directly related secondary purpose. A directly related secondary purpose is a purpose that is very closely related to the purpose for collection and would be the type of purpose that people would quite reasonably expect their information to be used for. For example, information collected during the licence application process may be used to send licence renewal notices, using the information to conduct internal reviews related to compliance of licence renewal notice and, linking an individual’s records across internal systems to improve accuracy and enable our regulatory functions.

SafeWork may contact customers to clarify or verify personal or health information when the information provided is incomplete, irrelevant, outdated, or inconsistent. This ensures the accuracy and reliability of the information we collect.

Further to the circumstances set out above, we may also use health information to lessen or prevent a serious threat to public health or safety; management of health services; training; research purposes; finding a missing person; for law enforcement purposes and in respect of suspected unlawful activity, unsatisfactory professional conduct or breach of discipline.

3.6 Disclosure (IPP 11, 12 + HPP 11, 14)

We may disclose information if:

  • the person has consented
  • the information is not ‘health information’ or ‘sensitive information’, and the individual has been made aware that the information is likely to be disclosed to the recipient
  • the information is not ‘health information’ or ‘sensitive information’, and the disclosure is directly related to the purpose for which the information was collected, and we have no reason to believe the individual would object to the disclosure, or
  • the information is ‘health information’ and the disclosure is for the purpose for which the information was collected, or for a directly related secondary purpose within the person’s reasonable expectations
  • we have a reasonable belief that we would prevent or lessen an imminent threat to life or health by disclosing the information
  • disclosure of the information is authorised by law (for example, other state and federal government agencies, such as NSW and Federal Police (for security or criminal reference checks), icare, Australian Skills Quality Authority or a State Training Authority (for training related complaints or investigations.

'Disclose' is different to 'use'. We may disclose information when we disclose it to someone outside of SafeWork. Stricter rules apply to sensitive personal information. Disclosing sensitive information (e.g., a person’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities) is generally only allowed with the person’s consent. We can generally only disclose personal or health information to someone outside NSW, or to a Commonwealth agency if one of the following applies:

  • they are subject to a law, scheme or contract that upholds principles substantially similar to the information privacy principles
  • the individual concerned has consented
  • if it is necessary for a contract with (or in the interests of) the individual concerned
  • if it will benefit the individual concerned and it is impracticable to obtain their consent, but we believe the person would be likely to give their consent
  • this disclosure is reasonably believed by the public sector agency to be necessary to lessen or prevent a serious and imminent threat to the life, health or safety of the individual or another person
  • we have taken reasonable steps to ensure the information won’t be dealt with inconsistently with the information privacy principles e.g. we have bound the recipient by contract to privacy obligations equivalent to the principles, or
  • if it is permitted or required by legislation or any other law

We may disclose information we are lawfully authorised to disclose. See Appendix 2 below.

Most other disclosures we make will be appropriately related to the purpose for which the information was collected and/or the individual will have the consent of the individual.

When we are required to share information with other business areas within SafeWork or other public sector agencies, we will do so in accordance with the privacy laws.

Requests for personal or health information from outside bodies, including from government agencies, will be assessed to determine whether we are permitted to provide the information.

3.6.1 What is a privacy/data breach?

A breach of a person's privacy occurs when their personal and/or health information is compromised. A breach can occur:

  • when there is unauthorised access to, or disclosure of, personal information held by SafeWork, or
  • where personal information held by SafeWork is lost in circumstances where unauthorised access or disclosure of the information is likely to occur.

When responding to a privacy breach SafeWork will investigate using the following steps:

  • Contain - Immediately take steps to minimise the impact of the breach and to prevent any further compromise of personal information.
  • Assess - Gather facts about the incident to determine the extent of the breach, identify the individual's affected, and what type of information was involved.
  • Notify - Determine who needs to be notified of the incident.
  • Review – Conduct a review of the privacy breach and compile a report with recommendations about preventing a recurrence of a similar event and reduce future risk.

SafeWork has a Privacy/Data Breach Response Procedure that outlines our plan for responding to a privacy breach, including how we manage a breach and the process for notifying people affected by the breach.

3.6.2 Mandatory notification of data breaches

The Mandatory Notification of Data Breach (MNDB) Scheme requires every NSW public sector agency bound by the PPIP Act to notify the Privacy Commissioner and affected individuals of eligible data breaches.

A data breach is eligible under the amendment if it is likely to result in serious harm to any of the individuals to whom the information relates. Whether a data breach is likely to result in serious harm

requires an assessment, determined from the viewpoint of a reasonable person. Serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

When a staff member or contractor identifies a suspected data breach, they must report it to their people leader or relevant business owner. The people leader or business owner will then notify the privacy team by submitting a completed notification form. The privacy team will assign an appropriate assessor to work with the relevant functions to contain the incident, investigate the circumstances, and assess the impact of the data breach.

Separate from this Plan, SafeWork complies with DCS Data Breach Policy, which outlines the detailed processes to contain, assess, manage, and notify an eligible data breach under Part 6A of the PPIP Act.

3.7 Identifiers and anonymity (HPP 12, 13, 15)

We will allow people to receive services from us anonymously, where lawful, secure, and practicable.

We will only assign identifiers to the people we serve where required.

We will only use health records linkage systems when individuals have expressly consented to their information being included on such a system, or for research purposes which have been approved by an Ethics Committee and in accordance with the Statutory Guidelines on Research issued under the HRIP Act.

Back to top