NSW privacy laws require NSW public sector agencies and staff to safeguard the privacy of the personal information they collect, store and use.
For nsw.gov.au, where we handle personal information every day, this means we are legally obliged to ensure the following:
- We collect information in a lawful, direct, open, and relevant way. We minimise the data we collect by only collecting what we need.
- The Personal Information (PI) we collect is used only for the purpose it was collected for.
- We store information securely, within appropriate retention periods, and archive it safely.
- The accuracy of, and access to, our information must be transparent, easy to obtain, and always correct.
All webforms must use a Privacy Collection Notice
To ensure webforms on nsw.gov.au comply with NSW privacy laws, all webforms collecting personal and/or health information must have a Privacy Collection Notice. Webforms without a Privacy Collection Notice cannot be created.
Refer to the Using a Privacy Collection Notice for your webform article for more information.
Privacy Impact Assessment
Every time your agency collects personal information, it may pose a risk to the privacy of the people who provide the information.
Submitting a Privacy Impact Assessment (PIA) request allows us to find the risk level and recommend suitable mitigation strategies. Raising the request before the webform is built helps your agency integrate privacy measures from the start. Refer to the Conducting a Privacy Impact Assessment (PIA) article for more information.
A link to a PIA document must be added in the Content Management System (CMS) to every new or modified webform. Refer to Adding a Privacy Impact Assessment (PIA) link in a webform for more information.
Principles of privacy
Key principles adopted by nsw.gov.au:
- IPP1 Lawful: Collect personal information (PI) lawfully, for the purpose related to your agency's function and necessary for it
- IPP2 Direct: Collect PI directly from the person concerned unless authorised otherwise
- IPP3 Open: Inform people why you are collecting PI and what you are going to do with it
- IPP4 Relevant: Ensure PI is relevant, accurate, complete, up-to-date and not excessive
Information Protection Principles (IPPs) for Agencies
A detailed explanation of the Information Protection Principles (IPPs) for Agencies is available from the Information and Privacy Commission.
Privacy is the NSW Government’s priority
NSW has embraced a digital transformation into e-government, which brings several benefits as well as some challenges. For example, the new channels and digital services we have implemented present efficiencies and facilitate instantaneous engagement for our citizens, but also introduce new risks to their personal information. This transformation must therefore be accompanied by e-governance to mitigate these risks, to protect our NSW citizens and businesses in online environments, and to ensure the government remains accountable and transparent about the way information is handled and presented to our citizens.
Furthermore, as cyber threats have rapidly grown in volume and sophistication, with notable attacks such as the 2022 Optus breach, it is clear that privacy responsibilities and data security must be aligned across, and led by, the government, and a coordinated and holistic approach to digital and cyber security implemented. The OneCX program ensures that NSW Agency sites on nsw.gov.au lead the charge in driving this implementation of cyber and data management maturity across the government, and for our citizens.
Your role towards privacy as a NSW Government Agency
As a NSW Government Agency, you are accountable for ensuring that privacy is upheld in all content on your site and in all third-party applications/software that it is integrated with. You have an obligation to understand and comply with your Agency’s Governance and Legal Functions, as well as to ensure and manage legal compliance and reporting. For example, citizens must have transparent information about what we will be doing with the data they submit to us, you must only collect data that you need, and you must have a data breach response, remedy, and escalation plan in place.
One of the ways you can do this is by upskilling yourself on the various Privacy Collection Notices on nsw.gov.au, and ensuring every form on your site is using them. See I want to use a Privacy Collection Notice for my form on nsw.gov.au to download the templates.
Another way is to get yourself privacy ready by considering the following points:
- Review your data collection points. What would the impact be to the citizen, agency, and nsw.gov.au if the data was breached, leaked, or hacked?
- Identify and engage your ICT subject matter expert to set up a cyber safe data storage location for personal, sensitive, or classified data.
- Identify and engage your local/agency privacy advisor. Understanding who your support contacts are is crucial in the discovery phase of the program.
Digital Channels helps with privacy for agencies on nsw.gov.au
We work with you and your agency as an enabler for uplifting privacy in the development, planning, designing and delivery of government information and services on nsw.gov.au. As such, our platforms, products and services deliver on adherence and commitment to the Information and Privacy Commission (IPC), the Privacy and Personal Information Protection Act 1998 (PPIP Act), and the Health Records and Information Privacy Act 2022 (HRIP Act).
Some of the ways we do this are by:
- Having strong governance structures that support assessing, protecting, reporting and managing privacy issues
- Embedding data governance and privacy best practice principles into all program increments, designs and processes
- Providing training and support to ensure all stakeholders are aware of their responsibilities and escalation processes
- Guiding Agency stakeholders on the importance of enhancing public trust in government services in today’s digital environment, with particular focus on respect to citizens’ privacy rights and rights to access government information
- Building sustainable privacy and data governance practices to match the pace of development and innovation in the digital landscape
Upskill yourself in NSW Government privacy
Use the following links to help you learn more about privacy for the NSW Government
Need more support on Privacy for nsw.gov.au?
Request support for Privacy enquiries now and our Privacy team will be in touch to assist you.