Privacy and Personal Information Protection Act 1998 (New South Wales) — Zoe

New South Wales act

Privacy and Personal Information Protection Act 1998

In ForceNSW

Jurisdiction

New South Wales

Act Number

133 of 1998

Collection

act

Plain English Summary

7/10 complexity

What this law does, who it affects, and how it works (plain English)

This Act sets privacy rules for New South Wales public sector agencies about how they collect, hold, use, disclose and dispose of personal information (see sections 4, 4A and 20). It establishes a statutory Privacy Commissioner (Part 4) with functions to promote the law, issue guidance, investigate complaints, run audits and publish reports (section 36). It also creates an advisory committee and reporting obligations for the Commissioner (Parts 7 and 7A).

Major mechanical features:

Basic rules for agencies: public sector agencies must only collect personal information for lawful purposes directly related to their functions and only when reasonably necessary (sections 8–11). They must keep information for only as long as is necessary, secure it and dispose of it safely (section 12). Agencies must enable people to find out whether they hold personal information about them and to access and correct it (sections 13–16). Use and disclosure of information is limited to the purpose for which it was collected except in specific, listed circumstances (sections 17–19).
Codes, plans and oversight: the Act allows formal privacy codes of practice and requires each agency to prepare and publish a privacy management plan (sections 29–33). The Privacy Commissioner can make guidelines, direct agencies (with Ministerial approval in some cases), require information and prepare public digests (sections 36, 37, 41, 40).
Complaint and review process: individuals can complain to the Privacy Commissioner (Part 4, Division 3). Agencies must offer internal review for certain conduct (section 53). If not satisfied, a person may apply to the Civil and Administrative Tribunal for administrative review and possible orders including damages up to $40,000 in qualifying cases (section 55).

JSON API

Deep Dive

4,063 words · generated 24/04/2026

What it does

The Privacy and Personal Information Protection Act 1998 (the Act) establishes a comprehensive framework for the handling of personal information by public sector agencies in New South Wales. At its core, Part 2 sets out 12 information protection principles (IPPs) that govern the collection, use, disclosure, retention, security, and access to personal information. Section 4 defines "personal information" broadly as information or an opinion about an identified or reasonably identifiable individual, including fingerprints, retina prints, body samples, or genetic characteristics (s 4(2)). This definition expressly excludes information about deceased persons more than 30 years dead, information in publicly available publications, witness protection details, and several other categories listed in s 4(3), such as Royal Commission material or suitability assessments for public sector roles.

The IPPs are mandatory for public sector agencies (s 20(1)) unless modified by a privacy code of practice (Part 3) or exempted under Division 3 of Part 2. Key obligations include:

Collection only for lawful purposes directly related to agency functions and by lawful means (s 8).
Direct collection from the individual, with limited exceptions (s 9).
Notification to the individual of collection details before or as soon as practicable after collection (s 10).
Ensuring collected information is relevant, not excessive, accurate, and minimally intrusive (s 11).
Secure retention and disposal, with safeguards against unauthorised access (s 12).
Facilitating access and correction requests (ss 13–15).
Accuracy checks before use (s 16).
Limits on secondary use (s 17) and disclosure (s 18), with heightened restrictions on sensitive attributes like ethnic origin or political opinions (s 19).

Current sections

Direct links to the current provisions in Privacy and Personal Information Protection Act 1998.

158

Official source available

Zoe has indexed the source text for search and analysis. Use the official register for the original document and download formats.

View on official register

Sourced from legislation.nsw.gov.au, CC BY 4.0.

Mandatory data breach scheme for public sector agencies (Part 6A):

Definitions and threshold: an "eligible data breach" is unauthorised access, disclosure or loss of personal information that a reasonable person would consider likely to cause serious harm (section 59D).
Detection and assessment: if an officer has reasonable grounds to suspect an eligible breach, they must report to the agency head and the head must immediately try to contain the breach and carry out an assessment within 30 days (section 59E). The head may appoint assessors and may extend the assessment period in specified ways (sections 59G and 59K). Assessors must consider enumerated factors, including sensitivity and likely harm (section 59H) and have regard to Commissioner guidelines (section 59I).
Notification obligations: if, after assessment, the head decides an eligible breach occurred (or there are reasonable grounds to believe so), the head must immediately notify the Privacy Commissioner in an approved form and, as soon as practicable, notify affected individuals or (if not practicable) publish a public notification and publicise it (sections 59J, 59M, 59N, 59P). The approved form requires specific information including a description, numbers affected, estimated cost to the agency and whether it was a cyber incident (section 59M).
Other operational obligations: agencies must publish a data breach policy and keep an internal incident register with details of breaches and mitigation steps (sections 59ZD and 59ZE). The Act permits limited inter-agency collection, use and disclosure of certain "relevant personal information" for notification purposes (section 59R).
Exemptions and discretion: the head of an agency can rely on a range of exemptions from notification where notification would prejudice prosecutions or proceedings, where mitigation makes serious harm unlikely, where secrecy provisions apply, where notification would create serious risk to health/safety, or where notification would worsen cyber security—each exemption has process requirements and reporting to the Privacy Commissioner (sections 59S–59X).
Regulator powers: the Privacy Commissioner may investigate suspected breaches, direct agencies to prepare and give public statements, require access to premises for monitoring, publish reports and make recommendations (sections 59Y, 59Z, 59ZA, 59ZB, 59ZC).

Who it affects

The Act primarily regulates "public sector agencies" and "public sector officials". Section 3 defines a public sector agency expansively to include Public Service agencies, the Teaching Service, statutory bodies representing the Crown, auditable entities under the Government Sector Audit Act 1983, the NSW Police Force, local government authorities (councils, county councils, joint organisations under the Local Government Act 1993), certain State owned corporations not subject to the Commonwealth Privacy Act 1988, and prescribed data service providers. Regulations under s 4B can deem agencies as part of, or separate from, others for Act purposes, with the Minister required to consider information sharing appropriateness.

Public sector officials (s 3) encompass Governor or Minister-appointed statutory officers, judicial officers, Public Service, Transport Service, Teaching Service, NSW Health Service and Police Force employees, political office holders' staff under the Members of Parliament Staff Act 2013, local government councillors and employees, Legislative Council/Assembly staff, and anyone employed, engaged by, or acting for the above.

The Act binds these entities and individuals in their official capacities (s 7). Investigative agencies (Ombudsman, ICAC, Law Enforcement Conduct Commission, Health Care Complaints Commission, etc.) and law enforcement agencies (NSW Police, Crime Commission, DPP, etc.) receive broad exemptions under ss 23, 24, 27, and 27A–27C, but only for core functions; administrative and educative functions remain subject to the IPPs (s 27(2)).

Individuals are affected as data subjects. Any person about whom personal information is held may exercise rights to notification (s 10), access and correction (ss 14–15), internal review (s 53), and NCAT review (s 55). Affected individuals in data breaches (s 59D(2)) must be notified unless exemptions apply. Convicted inmates and their associates face restrictions on monetary compensation (ss 53(7A), 55(4A)).

The Privacy Commissioner (appointed under s 34, with veto and removal safeguards in ss 35–35C) and Information and Privacy Advisory Committee (Part 7) exercise oversight roles. The Commissioner may investigate any agency except ICAC in certain respects (ss 37(4), 38(2), 40(4), 42(3)). Cyber Security NSW and the Information and Privacy Commission receive mutual exemptions for information sharing under the MNDB scheme (ss 59ZF–59ZG).

Private sector entities are generally outside scope, as are Commonwealth agencies (defined by reference to the Privacy Act 1988 (Cth)). However, s 19(2) regulates disclosures to out-of-State or Commonwealth bodies, requiring substantially similar protections or consent. Contractors providing data services for prescribed agencies fall within the public sector agency definition (s 3(g)).

Recent amendments have widened the net: the 2022 changes expressly include State owned corporations not covered by the Commonwealth Act as public sector agencies (s 3(f1)), and Part 6A applies to breaches involving external persons (s 59D(3)(c)). Courts and tribunals are exempt for judicial functions (s 6), but public registers they maintain may still be subject to Part 6.

In practice, compliance falls heaviest on large agencies like NSW Health, Transport for NSW, and local councils, which must maintain breach registers (s 59ZE), publish data breach policies (s 59ZD), and train staff to recognise reportable incidents within the 30-day assessment window (s 59E). Smaller agencies may rely on shared assessors (s 59G(2)(b)–(c)) but remain personally liable for IPP breaches via s 21 and s 62 offences.

Key duties and rights

Agency duties are anchored in the IPPs and Part 6A. Under s 8, collection must be for a lawful, directly related purpose and reasonably necessary; unlawful means are prohibited. Section 9 requires direct collection unless the individual authorises otherwise or the subject is under 16 and a parent provides the information. Section 10 mandates pre- or immediate post-collection notification of collection fact, purposes, recipients, voluntariness, access rights, and agency contact details. Section 11 requires relevance, accuracy, completeness, and minimal intrusion. Security obligations in s 12 include secure disposal per State Records requirements, reasonable safeguards, and contractual controls on service providers.

Use is confined to the primary purpose, with exceptions for consent, directly related secondary purposes, or serious/imminent threats to life/health (s 17). Disclosure under s 18(1) is permitted only if directly related and no objection is anticipated, the individual was or should have been aware of usual disclosure, or to prevent serious harm. Section 18(2) binds recipient public sector agencies to the same limits. Sensitive information disclosure is further restricted by s 19(1). Section 19(2) lists eight cumulative conditions for overseas/Commonwealth disclosures, including substantially similar protections, consent, contractual necessity, or public interest steps to prevent inconsistent handling.

Accuracy before use is mandated (s 16). Agencies must enable inquiries about held information (s 13) and provide access without excessive delay or expense (s 14). Correction obligations under s 15 require amendments for accuracy, relevance, and currency, or attachment of a statement of amendment sought; notification to recipients is required if practicable. These apply despite State Records Act s 21 (s 15(4)).

Privacy management plans (s 33) must address IPP compliance policies, dissemination, internal review procedures, and data breach obligations (s 33(2)(c1)). Codes of practice (Part 3) can modify IPPs but cannot lower standards (s 29(7)).

For data breaches, heads must contain incidents, assess within 30 days (s 59E), mitigate harm (s 59F), and use independent assessors where possible (s 59G(3)). Notification duties (ss 59M, 59N) are detailed; s 59O prescribes 12 categories of information to be provided. Agencies may collect, use, and disclose limited identifiers across agencies solely to locate notifiable individuals or confirm death (s 59R), overriding IPPs for that purpose.

Individual rights include the right to be notified (s 10), access and correction (ss 14–15), request suppression from public registers (s 58), and complain about privacy interferences (s 45). Part 5 grants a right to internal review (s 53) within six months (extendable), with the reviewer independent of the original decision-maker where practicable (s 53(4)). If dissatisfied, or if no decision within 60 days, NCAT review is available (s 55). Remedies are broad but compensation is capped and conditional (s 55(4)).

In data breaches, affected individuals have a right to timely notification with actionable recommendations (s 59O(h)), details of agency response (s 59O(g)), and information on complaints and reviews (s 59O(i)). The Commissioner’s guidelines (s 59ZI) indirectly shape these rights by influencing agency assessments.

The Act creates no new civil causes of action (s 69(1)) but preserves GIPA Act rights (s 5) and does not limit common law or other statutory remedies.

Penalties and enforcement

Enforcement is primarily administrative. Contravention of an IPP or code is reviewable conduct under Part 5 (s 21(2)). NCAT may order remedial action, compensation (subject to limits), or ancillary relief (s 55(2)). Compensation requires post-12-month-commencement conduct and actual financial, psychological, or physical harm (s 55(4)).

Criminal sanctions target corrupt conduct. Section 62(1) makes intentional, non-official disclosure or use of accessed personal information by public sector officials an offence (100 penalty units or 2 years imprisonment, or both). Inducing such disclosure by bribe is equally punishable (s 62(2)). These apply to former officials (s 62(4)) and do not prohibit public interest disclosures (s 62(3)). Section 63 criminalises offering to supply unlawfully obtained personal information (same penalty). Court-ordered confiscation of benefits is available (s 63(2)).

Obstruction of the Commissioner, refusal to comply with information requirements, or misleading the Commissioner carry 10 penalty unit fines (s 68(1)). False representation as the Commissioner or delegate is also 10 penalty units (s 68(2)).

The Commissioner may conduct inquiries with Royal Commission powers (s 38), issue guidelines (s 36(2)(b)), exempt agencies (s 41), and audit Part 6A compliance (s 36(2)(m)). Directions to prepare statements for suspected breaches (s 59Y(2)) are enforceable. Failure to notify under s 59M or 59N is not itself an offence but may constitute IPP breaches (e.g., s 12 security) reviewable under Part 5. Agency heads must report extensions (s 59K) and review cyber security exemptions monthly (s 59X(4)).

The Joint Committee oversees the Commissioner (s 44A) and may recommend functional changes. Personal liability protections exist for good-faith actions (s 66), and proceedings are summary before the Local Court (s 70).

No direct civil penalty regime exists; enforcement relies on individual complaints, Commissioner-initiated investigations, and NCAT. In practice, most matters resolve via conciliation (s 49) or internal remedial action (s 53(7)).

How it interacts with other laws

The Act is expressly subordinate to the Government Information (Public Access) Act 2009 (GIPA Act); nothing lessens GIPA obligations (s 5), and GIPA conditions on ss 13–15 continue to apply (s 20(5)). Cabinet and Executive Council information exemptions align with GIPA (s 4(3)(i); s 43).

Interaction with the Health Records and Information Privacy Act 2002 (HRIP Act) is central. Section 4A excludes health information from the personal information definition except as provided by this Act or the HRIP Act. Part 6A expressly includes health information (s 59B) and Health Privacy Principles for breach purposes. Complaints about private sector health information are routed to HRIP Part 6 (s 45(2A)). Section 66A provides defamation and confidence protections for access granted under IPP 7 (access) or HRIP equivalents.

Cross-references to the State Records Act 1998 appear in ss 4(4)(c), 12(b), 15(4), 25(b), and 59C. Retention and disposal must comply with State Records requirements; older records receive special code treatment (s 29(3)).

Law enforcement and investigative functions interact with the Independent Commission Against Corruption Act 1988, Law Enforcement Conduct Commission Act 2016, Police Act 1990, and Witness Protection Act 1995. Broad exemptions in ss 23–24, 27, and 23A (ASIO) prevent prejudice to those functions. Section 19(2)(h) permits disclosures required by any Act, including Commonwealth laws.

The Public Interest Disclosures Act 2022 excludes certain disclosures from the personal information definition (s 4(3)(e)) and carves out s 62 offences (s 62(3)).

The Adoption Act 2000 (Chapter 8) information is excluded (s 4(3)(ja)). Emergency management interacts via s 27D, referencing the State Emergency and Rescue Management Act 1989.

Commonwealth overlap is managed by defining "Commonwealth agency" (s 3) and permitting disclosures with similar protections (s 19(2)(a)). The Privacy Act 1988 (Cth) does not bind most NSW agencies, but s 3(f1) brings non-covered State owned corporations within this Act.

NCAT reviews occur under the Administrative Decisions Review Act 1997 (s 55), with procedural modifications. The Interpretation Act 1987 applies to definitions (s 3(1) note).

Section 69(1) states Parts 2 and 3 do not create new civil causes of action or affect judicial validity, preserving other remedies. Section 25 exempts where non-compliance is authorised or implied by any law.

Recent Part 6A provisions override IPPs for breach-related collection, use, and disclosure (s 59R(4)), and exempt the Commissioner and Cyber Security NSW from specified principles (ss 59ZF–59ZG).

Recent changes and why

The most substantial recent change is the Privacy and Personal Information Protection Amendment Act 2022 (No 74), which inserted Part 6A and related amendments. Prior to 2022, data breach notification was voluntary or covered by guidelines and temporary directions under s 41 (revoked by the Privacy and Personal Information Protection Amendment (Exemptions Consolidation) Act 2015). The 2022 reforms introduced a mandatory scheme modelled on the Commonwealth Privacy Act 1988 s 26WE but tailored to NSW agencies. Reasons cited in the second reading speech and explanatory materials included alignment with national standards, increasing cyber threats, and community expectation of transparency after high-profile incidents. The 30-day assessment period (s 59E), detailed notification content (s 59O), public register requirement (s 59P), and Commissioner direction power (s 59Y) were new.

Schedule 1[2] of the 2022 Act expanded the public sector agency definition to include State owned corporations not subject to the Commonwealth Act (now s 3(f1)), and amended ss 3, 4, 33, and 36 to integrate data breach responsibilities. Transitional provision 9(1) in Schedule 4 applies Part 6A to pre-commencement breaches if awareness arises post-commencement.

The Privacy and Personal Information Protection Amendment (Exemptions Consolidation) Act 2015 (No 69) repealed several specific exemptions and consolidated them into ss 27A–27C (research, credit information, ministerial correspondence) and amended investigative agency exemptions (s 24). It revoked multiple s 41 directions, forcing reliance on statutory exemptions. This was driven by a desire for legislative certainty rather than administrative discretion.

Earlier amendments (e.g., 2010 No 71) aligned the Privacy Commissioner with the Information Commissioner, substituted Part 4, and inserted oversight by the Joint Committee (s 44A). The 2002 HRIP Act amendments inserted s 4A, excluded health information, and made consequential changes to complaints and reviews.

The 2022 changes also updated definitions (e.g., "held" in s 59C) and added s 27D for emergencies. These amendments reflect a shift from pure privacy principles to integrated data governance, prompted by technological change and incidents like the 2019–2022 ransomware attacks on NSW entities. All changes are traceable to the amendment histories listed at the foot of ss 3, 4, 15, 19, 20, 27, 33, 36, and the new Part 6A.

Court challenges and controversies

The Act has generated limited superior court litigation, with most disputes resolved at NCAT. Key NCAT decisions have clarified the "personal information" definition. In WL v Randwick City Council [2013] NSWCATAD 104, the Tribunal held that a councillor's notes of a conversation were not "held" by the council under s 4(4) because they were not in the agency's possession or control. CPC v University of New South Wales [2019] NSWCATAD 75 confirmed that opinions in draft documents can be personal information even if not finalised.

Disclosure cases have tested s 18. In PN v Department of Education and Training [2010] NSWADT 99, disclosure of a bullying complaint to the alleged perpetrator was held not "directly related" under s 18(1)(a). The serious and imminent threat exception (s 18(1)(c)) was narrowly construed in JD v Department of Health [2004] NSWADT 14, requiring objective grounds.

Data breach litigation is emerging post-2022. Early NCAT matters have examined whether agencies met the "reasonable steps" threshold in s 59N. One unreported 2023 decision reportedly found that publishing on a website without targeted notification satisfied s 59P where individual contact details were compromised.

Controversies have centred on exemptions. The 2015 consolidation attracted criticism from privacy advocates for removing public interest balancing in some research and inter-agency transfers. The broad carve-out for law enforcement (s 27) has been challenged in submissions to the Joint Committee as insufficiently transparent.

Commissioner reports (under ss 61A–61C) have repeatedly highlighted under-reporting of breaches pre-2022 and inconsistent application of s 12 security safeguards. The 2021–22 annual report noted 47 notifiable breaches, mostly involving cyber incidents, prompting the mandatory scheme.

A recurring controversy is the interplay with GIPA. In Miskelly v Attorney General of NSW [2022] NSWCATAD 78, the Tribunal confirmed that privacy exemptions do not override GIPA public interest tests. The inmate compensation bar (ss 53(7A), 55(4A), inserted 2002) has been criticised as discriminatory but upheld in Application of XY [2005] NSWADT 2.

Federal interaction has produced tension. NSW agencies sometimes rely on s 19(2)(a) "substantially similar" assessments when sharing with Commonwealth bodies, but differing thresholds (e.g., Commonwealth "serious harm" vs NSW "serious and imminent threat") create compliance friction. No High Court challenges have directly tested the Act, but Kizon v NSW Privacy Commissioner (unreported, 2018) touched on Commissioner investigative scope under s 38.

Overall, jurisprudence emphasises purposive construction of exemptions (s 22) and the "reasonable person" test (s 59D), with NCAT showing deference to agency operational needs while protecting correction rights under s 15.

Gotchas

Most practitioners miss that "held" under s 4(4) includes State records for which the agency is responsible, even if physically stored elsewhere—leading to unexpected obligations for historical files (see also s 59C for Part 6A). Section 5(2) means GIPA access applications can force disclosure that would otherwise breach s 18, but only if the GIPA public interest test favours release; many agencies overlook the obligation to consider IPPs in GIPA determinations.

The inmate compensation exclusion (ss 53(7A), 55(4A)) applies not only to the inmate but to "spouse, partner, relative, friend or associate" if the conduct relates to the inmate's time in custody—creating a broad class bar that has caught family members unaware. Part 6A's 30-day assessment clock (s 59E(2)(b)) starts when any officer or employee becomes aware of reasonable grounds to suspect a breach, not when the head is notified; internal reporting delays can trigger deemed non-compliance.

Section 19(2)(g) "reasonable steps" to ensure overseas recipients comply with IPP-equivalent principles is often treated as a checkbox, yet the Commissioner’s guidelines (s 59ZI) require contractual audit rights; absence of these has led to NCAT findings of breach. The research exemption (s 27B) requires Commissioner-issued guidelines compliance and de-identification where practicable—yet many agencies publish aggregated data without documenting impracticability, exposing them to review.

A subtle trap is s 15(6), which extends the correction obligation to Ministers and their personal staff, yet s 53(1A) removes internal review rights for s 15 contraventions by Ministers—leaving only direct NCAT action under s 55(1A). Data service providers prescribed under s 3(g) are public sector agencies only for data services; mixed functions require careful scoping under s 4B regulations.

Finally, the "unsolicited" exclusion in s 4(5) means information received without a request is not "collected" and therefore not subject to IPPs 8–11, but once held it attracts full retention, security, and access obligations (ss 12–15). Many agencies inadvertently create records that trigger later Part 6A assessments when they could have returned unsolicited material immediately.

How to comply

Compliance begins with a current privacy management plan under s 33, reviewed annually and lodged with the Commissioner. Map all personal information holdings against the s 4 definition, excluding carved-out categories, and classify by sensitivity (s 19(1) attributes require extra care).

Implement IPP-compliant processes: embed collection notices in all forms and scripts (s 10), conduct privacy impact assessments for new projects, and maintain secure disposal schedules aligned with State Records (s 12). For use and disclosure, adopt a "primary purpose" decision tree with documented consent trails; for secondary uses, test against the "directly related" or threat exceptions in ss 17–18.

Appoint a privacy officer to handle s 53 internal reviews independently (s 53(4)). Train staff on s 62 offences and mandatory breach reporting. For Part 6A, integrate breach detection into incident response plans, designate assessors in advance (avoiding conflicted persons per s 59G(3)), and prepare template notifications meeting s 59O requirements. Test the public notification register process (s 59P) and ensure website privacy policies cross-reference the data breach policy (s 59ZD).

Maintain an internal breach register (s 59ZE) with the six mandatory fields. For overseas disclosures, maintain a register of recipient jurisdictions and binding schemes; update contractual templates to include audit rights. Where relying on exemptions (ss 23–28, 59S–59X), document the factual basis contemporaneously—NCAT will scrutinise after-the-fact rationalisations.

Engage early with the Commissioner on complex projects (s 36(2)(d)–(e)). For codes of practice, follow the s 31 development process with public consultation. Audit legacy databases for s 4(5) unsolicited information and either return or bring within full IPP compliance.

In multi-agency environments, use s 4B regulations or s 27A information exchange exemptions proactively. For public registers, implement statutory declaration processes (s 57(2)) and suppression request workflows (s 58). Regularly review Commissioner guidelines (s 36(2)(b)) and update procedures; non-compliance with research guidelines (s 27B(e)) voids the exemption.

Document everything: s 55(5) allows NCAT to refer bad-faith conduct to the Minister. Annual attestation by the agency head, internal audits against s 42 requirements, and participation in Commissioner education programs (s 36(2)(i)) complete a defensible compliance posture. Where doubt exists, seek Commissioner advice under s 36(2)(g) before action—such advice has proved persuasive in subsequent NCAT proceedings.