A NSW Government website

Executive Summary

All NSW Government agencies are required to have a privacy management plan under section 33 of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).

Investment NSW has developed this Privacy Management Plan to demonstrate and ensure that our organisation applies the correct procedures to manage the personal information of our stakeholders and staff.

The purpose of this Plan is to:

  • demonstrate to the people of New South Wales how Investment NSW upholds and respects the privacy of its staff and all those who deal with Investment NSW;
  • explain how we manage personal information in line with the PPIP Act and health information in line with the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act); and
  • provide guidance and training for Investment NSW staff in dealing with personal and health information. This helps to ensure that we comply with the PPIP Act and HRIP Act (together, the Acts).

This Plan indicates that Investment NSW takes the privacy of its staff and the people of NSW seriously and we will protect privacy with the use of this Plan as a reference and guidance tool.

1. Introduction

This Plan has been developed by Investment NSW as per section 33 of the PPIP Act.

This Plan identifies:

  • the types of personal and health information (as defined at 2.3) that Investment NSW holds or is responsible for;
  • the policies and practices used by Investment NSW to comply with the Acts;
  • how details of those policies and practices are made known to staff of Investment NSW and all those engaged by the agency; and
  • how Investment NSW conducts Internal Reviews under section 53 of the PPIP Act.

1.1. The role and functions of Investment NSW

Investment NSW is a central agency that brings the NSW Government’s economic development and attraction activities into one place to drive local and international investment and create jobs for NSW. The agency’s focus is to:

  • attract investment from local and global businesses to continue to drive economic recovery
  • boost jobs, skills and investment, as part of the NSW Government’s COVID-19 Recovery Plan
  • act as a single point of accountability for the private sector to attract Australian and global companies, overseas capital, talent, tourists and students
  • accelerate NSW’s position as a safe and attractive place to do business for both domestic and global companies
  • continue to build on the strong foundations of the NSW Economic Blueprint and Global NSW.

Further information can be found on Investment NSW’s website.

Investment NSW collects, holds, uses and discloses personal and health information for the purpose of carrying out its functions. For instance, Investment NSW may handle personal and health information for the purpose of:

  • managing correspondence on behalf of the Premier, Deputy Premier and other Ministers’ Offices;
  • human resources management;
  • recruitment;
  • complaints handling; and
  • managing applications for Government information (meaning information contained in a record held by the agency) under the Government Information (Public Access) Act 2009 (GIPA Act).

Investment NSW takes the privacy of its staff and the people of NSW seriously and we will protect privacy with the use of this Plan as a reference and guidance tool. 

2. Personal and Health Information

2.1. Definitions

Collection is the method by which Investment NSW acquires the information. This can be completed by any means including a written form; a verbal conversation; an online form; or taking a picture or video.

Disclosure is how Investment NSW provides the personal or health information to an individual or body outside Investment NSW. This includes the sharing of personal or health information with other public service agencies.  

Personal information is information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion (section 4 of the PPIP Act).

Health information is any personal information about a person’s physical or mental health or disability or provision of health services to them. It also includes genetic information that is or could be predictive of the health of a person, and any personal information that was collected to provide, or in providing, a health service or in connection with the donation of body parts, organs or body substances (section 6 of the HRIP Act).

2.2. Exclusions from the definition

Both the Acts exclude from the definition of personal and health information, information which:

  • relates to a person who has been dead for more than 30 years; or
  • is contained in a publicly available publication; or
  • refers to a person’s suitability for employment as a public sector official.

2.2.1. Information in a publicly available publication

The definitions exclude information about named or identifiable people which is published in newspapers, books or the internet, broadcast on radio or television, posted on social media such as Facebook or Twitter, or made known at a public event. Because such information is publicly available, it cannot be protected from use or further disclosure.

2.2.2. Employment-related information

Information referring to suitability for employment as an Investment NSW member of staff (such as selection reports and references for appointment or promotions, or disciplinary records) is excluded from the definitions and therefore from the provisions of the Acts.

Such information, however, is still stored, secured, used and disclosed by Investment NSW with the same care as if it were protected by the Acts.

Other employee-related personal information is protected by the Acts.

For example, records or information about work activities, such as video or photographs of staff in their workplace, are protected and may only be used in compliance with the Acts’ provisions.

Other examples of work-related personal and health information are staff training records, leave applications and attendance records. All these are within the scope of the definitions and are protected by the Acts.

2.3. Types of personal and health information held by Investment NSW

2.3.1. Employee records

Employee records for staff of Investment NSW are held by Investment NSW and GovConnect. This information includes, but is not limited to:

  • records of dates of birth, addresses and contact details;
  • payroll, attendance and leave records;
  • performance management and evaluation records;
  • training records;
  • workers compensation records;
  • work health and safety records; and
  • records of gender, ethnicity and disability of employees for equal employment opportunity recording purposes.

An employee of Investment NSW may access their own file under the supervision of HR staff.

Apart from the employee the file relates to, the members of the Human Resources team at Investment NSW are the only other members of the agency that have authorised access to personnel files.

Employee records are stored in soft copy in the SAP system and Objective files, maintained by GovConnect. These records include leave records, payroll processing information, leave accruals, medical certificates and parental leave information.

HR also maintains separate personnel files in the Objective document management system for all current employees. These files include contracts, remuneration details, and any ongoing case being managed by HR (such as conduct investigations and Work Cover claims). Access to these personnel files is controlled and limited only to authorised HR employees.

Investment NSW has an agreement with GovConnect, managed through the Department of Customer Service (DCS), that affects how GovConnect handles employee records in the SAP and Objective systems.

GovConnect is formed by two outsourced vendors managed by the Service Management Office, a division of DCS. Corporate services functions are managed by Infosys (Human Resources and Finance) and Unisys (Information Technology) on behalf of Investment NSW.  Therefore, GovConnect holds and is responsible for more detailed personal and health information about Investment NSW such as recruitment, payroll and leave records.

The Service Partnership Agreement between Investment NSW and GovConnect notes that GovConnect will have access to information from and about Investment NSW in the course of business, and that GovConnect is bound to comply with the PPIP Act.

2.3.2. Information collected relating to conflict of interest

Investment NSW staff are required to disclose any actual, potential or perceived conflicts of interest as part of the onboarding process. This information is reviewed and updated regularly, and as any conflicts arise or change.

2.3.3. Digital images

Investment NSW holds digital images of all staff members which are used for the production of staff identification cards and other internal uses including publication on Investment NSW’s intranet.

2.3.4. Contact Details

Investment NSW holds contact details of various third parties, including for:

  • government agency CEOs, members of inter-departmental working groups and similar, members of government boards and advisory committees;
  • stakeholders participating in stakeholder consultation forums;
  • businesses and individuals involved in Investment NSW’s programs and schemes;
  • businesses and individuals attending Investment NSW hosted events and some business familiarisation programs;
  • businesses and individuals that have registered to Investment NSW newsletter and collaboration/networking platforms;
  • businesses and individuals that have registered on Investment NSW hosted procurement systems;
  • businesses and individuals that are suppliers on Investment NSW managed contracts and schemes;
  • businesses and individuals that have applied to Investment NSW for funding, grants or other assistance and/or services;
  • businesses and individuals that have responded to a call for submissions on a particular project;
  • individuals participating in surveys and community engagement events;
  • individuals who have made a complaint, enquiry, compliment or suggestion through Investment NSW’s websites or other mechanisms; and
  • individuals who have made formal access applications under the GIPA Act.

Investment NSW uses the contact details for the purposes for which they were collected. Investment NSW does not use this information to contact people for secondary purposes, such as for unrelated marketing purposes. For example, where contact details have been provided as part of an enquiry made to Investment NSW, those contact details will only be used in managing and responding to that enquiry and will not be used for any other purpose unless the individual concerned has expressly consented to that secondary use.

2.3.5. Identification documents

In some circumstances, Investment NSW may hold identification documents for certain individuals. These documents are usually collected where individuals are required to prove their identity to access certain services or programs of Investment NSW and are attached to the application or form. Proof of identity documents may also be required when making applications for information under the GIPA Act or PPIP Act.

2.3.6. Correspondence records

Investment NSW holds the following correspondence records:

  • contact details of people who have written to or emailed Investment NSW or its responsible Ministers;
  • details of the nature of their correspondence, which can include sensitive personal information about matters such as ethnicity, religion, health conditions, sexuality;
  • copies of replies to correspondence; and
  • records of to whom, if anyone, their correspondence was referred.

This information is only used for the purpose of communicating a reply to the correspondent either from Investment NSW or the relevant Minister’s Office. Once a matter has been progressed and processed, it is closed and filed accordingly on relevant files stored and secured by GovConnect, as the Agency’s primary provider of records management services.

3. The Privacy Principles

3.1. Applying the privacy principles in NSW

Investment NSW is guided by the principles in sections 8 to 19 of the PPIP Act and Schedule 1 of the HRIP Act.

Sections 8 to 19 of the PPIP Act provide set privacy standards that public sector agencies are expected to follow when dealing with personal information. They are the information protection principles (IPPs), and they govern the collection, retention, accuracy, use and disclosure of personal information, including rights of access and correction.

3.2. Liability and offences

Parts 8 of the PPIP Act and HRIP Act contain criminal offences applicable to Investment NSW’s staff who use or disclose personal or health information without authority. For example, there are criminal offences relating to:

  • the corrupt disclosure and use of personal and health information by public sector officials; and
  • offering to supply personal or health information that has been disclosed unlawfully.

Investment NSW has policies and privacy controls to minimise the risk of staff committing an offence. For example:

  • Investment NSW’s Code of Conduct has specific provisions on privacy obligations, including in relation to the authorised access, disclosure and storage of personal information. The Code also has provisions on the handling of information, including in relation to the confidentiality, misuse and security of information, and on records management; and
  • Investment NSW’s Information Management Security Policy has provisions on information access and security, including that access to information and records held by ‘sensitive areas’ should be limited, and that staff must use information on a ‘need to see basis’.

Investment NSW also provides compulsory privacy training to staff to ensure they are aware of their responsibilities in handling personal information appropriately.

Below is an overview of the IPPs as they apply to Investment NSW:

12 Information Protection Principles

Collection

1. Lawful – We only collect personal information for a lawful purpose that is directly related to our functions and activities
2. Direct – We collect personal information from the person concerned
3. Open – When collecting personal information, we inform people why their personal information is being collected, what it will be used for, to whom it will be disclosed, how they can access and amend it and any possible consequences if they decide not to give it to us
4. Relevant – When collecting personal information, we ensure it is relevant, accurate, not excessive, and does not unreasonably intrude into people’s personal affairs

Storage

5. Secure – we store personal information securely, keep it no longer than necessary, destroy it appropriately, and protect it from unauthorised access, use or disclosure

Access

6. Transparent – we are transparent about personal information that is stored, what it is used for and people’s right to access and amend it
7. Accessible – we allow people to access their own personal information without unreasonable delay or expense
8. Correct – we allow people to update, correct or amend their personal information where necessary

Use

9. Accurate – we make sure that personal information is relevant and accurate before using it
10. Limited – we only use personal information for the purpose it was collected for unless the person consents to the information being used for an unrelated purpose

Disclosure

11. Restricted – we will only disclose personal information with people’s consent unless they were already informed of the disclosure when the personal information was collected
12. Sensitive – we do not disclose sensitive personal information (such as ethnicity or racial origin, political opinion, religious or philosophical beliefs, health or sexual activities, or trade union membership) without consent.

Schedule 1 of the HRIP Act provides a similar set of privacy standards for health information. They are the health privacy principles (HPPs), and they are largely the same as the IPPs, however without an equivalent to IPP 12 (Sensitive) and with other additional obligations and standards instead.

Below is an overview of the HPPs as they apply to Investment NSW:

12 Health Privacy Principles 

Collection

1. Lawful – We only collect health information for a lawful purpose that is directly related to our functions and activities
2. Direct – We collect health information from the person concerned unless it is unreasonable or impractical to do so
3. Open – When collecting health information, we inform people why their health information is being collected, what it will be used for, to whom it will be disclosed, how they can access and amend it and any possible consequences if they decide not to give it to us
4. Relevant – When collecting health information, we ensure it is relevant, accurate, not excessive, and does not unreasonably intrude into people’s personal affairs

Storage

5. Secure – we store health information securely, keep it no longer than necessary, destroy it appropriately, and protect it from unauthorised access, use or disclosure

Access

6. Transparent – we are transparent about health information that is stored, what it is used for and people’s right to access and amend it
7. Accessible – we allow people to access their own health information without unreasonable delay or expense
8. Correct – we allow people to update, correct or amend their health information where necessary

Use

9. Accurate – we make sure that health information is relevant and accurate before using it
10. Limited – we only use health information for the purpose it was collected for unless:
    a. the person has consented to its use for another purpose,
    b. it is being used for a purpose directly related to the purpose it was collected for,
    c. we believe that there is a serious threat to health or welfare,
    d. it is for the management of health services, training, research or to find a missing person, or
    e. it is for law enforcement or investigative purposes.

Disclosure

11. Restricted – we will only disclose health information for the purpose it was collected for unless:
    a. the person has consented to its disclosure for another purpose,
    b. it is being used for a purpose directly related to the purpose it was collected for,
    c. we believe that there is a serious threat to health or welfare,
    d. it is for the management of health services, training, research or to find a missing person, or
    e. it is for law enforcement or investigative purposes.

Other

12. Identifiers – we do not use unique identifiers for health information, as they are not needed to carry out Investment NSW’s functions
13. Anonymity – we allow people to stay anonymous if it is lawful and practical for them to do so
14. Transborder – we do not usually transfer health information outside of New South Wales
15. Linkage – we do not currently use a health records linkage system and do not anticipate using one in the future. But if we were to use one in the future, we would not do so without people’s consent.

3.2.1. Collecting personal or health information (IPPs 1-4 and HPPs 1-4)

Investment NSW will only collect personal or health information if it is:

  • for a lawful purpose that is directly related to one of our functions; and
  • reasonably necessary for Investment NSW to have the information.

Investment NSW will ensure that when personal and health information is collected from an individual, either verbally or in written forms, the individual will be advised accordingly. This will be in the form of a collection notice that will include the purpose of the collection; any intended recipients of the information (where applicable); their right to access and correct the information; and the details of any agency that is collecting or holding the information on Investment NSW’s behalf (if applicable).

Investment NSW also advises individuals if the collection is voluntary or if it is lawfully required and informs individuals of any penalties or other possible consequences for not complying with Investment NSW’s request.

When collecting personal or health information from an individual, Investment NSW endeavours to ensure that the information is relevant, accurate, up to date and complete for the purposes for which it is being collected. Investment NSW will also endeavour to ensure that the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual, having regard to the purposes for which it is being collected.

Collection tips:

  • When designing a form, ask yourself: “do we really need each bit of this information?”
  • By limiting the collection of personal and health information to only what you need, it is much easier to comply with the principles.
  • If collecting personal or health information about someone, collect it from that person directly to ensure accuracy and to obtain any permission for disclosure of the information.
  • Do not ask for information that is not relevant.
  • Be mindful of whether you are asking for information that is sensitive, such as about a person’s ethnicity or race, political opinions, religious or philosophical beliefs, trade union membership or sexual activities. Treat this information with extra care and seek advice before disclosing it.
  • Individuals providing their personal or health information to Investment NSW have a right to know the full extent of how the information they provide will be used and disclosed, and to choose whether or not they wish to go ahead with providing information on that basis.
  • Think about whether you are collecting personal or health information from people living in the European Union (EU) with an intention of providing goods and services to them. If so, you might be subject to the EU’s General Data Protection Regulation (GDPR), in which case you should make sure your collection meets the requirements of Articles 13-14 of the GDPR. This includes if you are collecting information about and tracking web-based behaviour, where the behaviour is coming from the EU.

3.2.2. Storing personal and health information (IPP 5 and HPP 5)

Investment NSW takes reasonable security safeguards against the loss, unauthorised access, use, modification and disclosure of personal information.

Investment NSW has in place information security policies which provide guidance to staff around the handling and storage of personal information. This includes the use of unique user accounts and passwords to access our computer systems. In accordance with Investment NSW’s Information Management Security Policy, our staff do not give out passwords to anyone or let anyone else use their computer login.

Investment NSW’s security measures further include the use of restricted drives and authorised access. For example, correspondence containing personal information is stored in Investment NSW’s record management system with restricted access and editing privileges.

Personal information is kept for no longer than is necessary and is disposed of in a secure manner once no longer required, in accordance with government requirements.

Storage and security tips:

  • Check that document privileges are restricted to staff who require access to action or approve a task; and
  • Take reasonable steps to prevent any unauthorised use or disclosure of the personal information by a contractor or service provider. This should be done with appropriate privacy clauses in the relevant contract. Those clauses should bind our contractors to the same privacy obligations Investment NSW has under the PPIP Act.

3.2.3. Accessing personal or health information (IPPs 6-8 and HPPs 6-8)

Investment NSW aims to make it as easy as possible for individuals to access their own personal information. Generally, requests by an individual to access their personal or health information can be made on an informal basis.

Investment NSW will endeavour to ensure that all personal and health information is accurate, complete and current. Further, should an individual become aware of, or detect an error in Investment NSW’s records about their personal affairs, Investment NSW will make the necessary changes.

If Investment NSW disagrees with the person about whether the information needs changing, we must instead allow the person to add a statement to our records.

Access tips:

  • People should be able to easily see or find out what information we hold about them.
  • We should let complainants, clients and staff see their own personal and health information at no cost and through an informal request process.
  • We cannot charge people to lodge requests for access or amendment of their own personal or health information. We can, however, charge reasonable fees for copying or inspection, if we tell people what the fees are up-front.

3.2.4. Using personal and health information (IPP 9-10 and HPP 9-10)

Investment NSW will only use personal or health information for the purposes for which it was collected or for other directly related purposes. At the time Investment NSW collects personal or health information from an individual, it will notify the individual of the primary purpose for which the information is collected. Investment NSW will also take reasonable steps to check the accuracy and relevance of personal or health information before using it.

For example:

  • If the primary purpose of collecting a complainant’s information was to investigate their workplace grievance, a directly related secondary purpose, within the person’s reasonable expectations, for which Investment NSW could use their personal information would include independent auditing of workplace grievance files.

Use tips:

  • Passing personal or health information from one officer within Investment NSW to another may amount to using that information. Think about the reason you are passing the personal information on, and whether it is for the same (or a directly related) reason that the information was collected for.
  • When collecting personal or health information, think about how the information might be used down the line. Are all the uses directly related to the purpose of collection? Make sure the use of the information is clear in any privacy notice accompanying the collection.
  • When using personal or health information, think about the purpose for which it was collected. The primary purpose for which Investment NSW has collected the information should have been set out in a privacy notice (Appendix A). If you want to use the information for any purpose other than that primary purpose, check with the Investment NSW Legal team.
  • Before using personal or health information, think about how long ago the information was given. Could it now be outdated or misleading? When was the last time the information was used? Are there any processes in place to allow individuals to amend outdated information? Are there regular check-ins with the individuals to update their information if circumstances have changed?
  • Only provide personal information to a contractor or service provider if they really need it to do their job and remember to bind them to the same privacy obligations Investment NSW has. This will help us prevent any unauthorised use of the personal information by that contractor or service provider.
  • If the information you collected and intend to use is subject to the EU’s GDPR (see Collection Tips above for more information), make sure that consent for that use (if required) is specific, informed, and freely given. There is a difference between positive opt-in and compulsory acceptance of standard terms and conditions.

3.2.5. Disclosing personal or health information (IPPs 11-12 and HPP 11)

Investment NSW will only disclose personal or health information if:

  • at the time Investment NSW collected their information, the person was given a privacy notice (template at Appendix A) to inform them their information would or might be disclosed to the proposed recipient, and that disclosure is directly related to the purpose for which the information was collected,
  • the person concerned has consented to the proposed disclosure, or
  • an exemption applies (see section 3.2.6 for more information).

In addition to the above, Investment NSW can also disclose personal information (but not health information) if the person was notified of the disclosure at the time of collection – even if the purpose of that disclosure is not directly related to the purpose of collection. Notification of the disclosure is not enough in the case of health information unless the purpose of that disclosure is also directly related to the purpose of collection.

If an individual’s personal or health information is disclosed to other NSW public sector agencies, those agencies can only use information for the purpose for which it was disclosed to them. The information continues to be covered by the Acts.

Disclosure tips:

  • You can usually disclose information if the person was notified about that disclosure at the time their personal information was collected. When disclosing personal information, try to track down the point at which it was collected and see if the disclosure you are intending to make was referred to in an accompanying privacy notice.
  • However, if Investment NSW did not tell the person about the proposed disclosure in a privacy notice, or if it is health information and Investment NSW wants to send it outside of New South Wales, you will usually need to seek the individual’s consent.
  • When collecting personal or health information, think about how the information might be disclosed – to whom and for what purpose – and make sure to include this in the privacy notice.
  • Only provide personal information to a contractor or service provider if they really need it to do their job and remember to bind them to the same privacy obligations Investment NSW has. This will help us prevent unauthorised disclosure of the personal information by the contractor or service provider.
  • If the information you collected and intend to disclose is subject to the EU’s GDPR (see Collection Tips above for more information), make sure that consent for that disclosure (if required) is specific, informed, and freely given. There is a difference between positive opt-in and compulsory acceptance of standard terms and conditions.

3.2.6. Exemptions

There are a number of exemptions to the IPPs that limit their coverage in a number of ways including:

  • exchanges of information which are reasonably necessary for the purpose of referring inquiries between agencies (section 27A(b)(ii) of the PPIP Act);
  • disclosure relating to law enforcement and related matters (section 23 of the PPIP Act);
  • disclosure that would detrimentally affect complaint-handling or investigative functions (section 24 of the PPIP Act); and
  • where non-compliance is lawfully authorised or required or otherwise lawfully permitted (section 25 of the PPIP Act).

Some additional exceptions apply to the collection, use and disclosure of health information, including for compassionate reasons, research, training and the management of health services. Information about which exceptions apply to each HPP can be found in Schedule 1 of the HRIP Act.

4. Code of Practice and PPIP section 41 Directions

Under the PPIP Act, Privacy Codes of Practice can be developed by agencies that provide for the modification of the application of one or more IPPs to particular activities or categories of information.

This is undertaken to take account of particular circumstances relating to legitimate use of Personal Information by agencies that might otherwise be in contradiction to the IPPs under the PPIP Act.

The Information and Privacy Commission can also prepare Codes of Practice common to a number of agencies. All Codes are approved by the NSW Attorney-General.

In addition, under section 41 of the PPIP Act the Privacy Commissioner may make a direction to waive or modify the requirement for an agency to comply with an IPP.

4.1. Privacy Code of Practice for the Public Service Commission

The NSW Public Service Commission has developed a Privacy Code of Practice for the Public Service Commission to allow analysis and reporting about employment characteristics.

Investment NSW provides personal information to the NSW Public Service Commission for this purpose. Confidentiality and privacy arrangements underpin the workforce profile.

5. Public Registers

Under section 3(1) of the PPIP Act, a Public Register is defined as ‘a register of personal information that is required by law to be, or is made, publicly available or open to public inspection (whether or not on payment of a fee).’

The PPIP Act requires that a public sector agency responsible for keeping a Public Register must not disclose any personal information contained in it unless the agency is satisfied that it is to be used for a purpose relating to the purpose of the register.

Investment NSW does not currently hold any Public Registers.

6. How to Access and Amend Personal Information

People have the right to access, amend and update Personal Information that Investment NSW holds about them.

Under sections 13 and 14 of the PPIP Act, Investment NSW must assist a person to find out what personal and health information it holds about them, and then provide access to this information without excessive delay. Investment NSW does not charge any fees to access or amend personal or health information.

Investment NSW encourages staff wanting to access or amend their own personal or health information to contact HR Branch.

For members of the public, a request for access to any personal information held by Investment NSW should be made in writing to the Investment NSW legal team (see above - Further Information and Contacts).

Any person can make a formal application to Investment NSW, and this application should:

  • include the person’s name and contact details (postal address, telephone number and email address if applicable);
  • explain what the person is seeking, such as whether the person is enquiring about the personal information held about them, or whether the person is wishing to access and amend that information; and
  • if the person is seeking to access or amend their information:
    • explain what personal or health information the person wants to access or amend; and
    • explain how the person wants to access or amend it.

Investment NSW aims to respond in writing to formal applications within 20 business days and will advise the applicant how long the request is likely to take, particularly if it may take longer than expected.

If an individual believes that Investment NSW is taking an unreasonable amount of time to respond to an application, they have the right to seek an Internal Review.

Before seeking an Internal Review, we encourage individuals to first contact Investment NSW to request provision of an update or timeframe.

7. Internal Review

Investment NSW encourages individuals to try to resolve privacy issues informally before going through the review process, or to at least contact the Investment NSW General Counsel to discuss the issue before lodging an internal review.

An individual should remember that they have six months from when they become aware of the potential breach to seek an internal review. The six-month timeframe continues to apply even if attempts are being made to resolve privacy concerns informally. An individual may wish to consider this timeframe in deciding whether to make a formal request for internal review or continue with informal resolution.

7.1. Request for Internal Review

An individual’s privacy is breached where a breach of one or more of the IPPs or HPPs has occurred.

An individual who considers his or her privacy has been breached can contact Investment NSW to try to resolve the issue informally. Alternatively, or if no informal resolution can be reached, individuals can also make a complaint to Investment NSW under section 53 of the PPIP Act and request a formal internal review of Investment NSW’s conduct in relation to the privacy matter (Internal Review).

Applications for Internal Review must:

  • be in writing addressed to Investment NSW;
  • include a return address in Australia; and
  • be lodged with Investment NSW within six months of the time the applicant first became aware of the conduct which is the subject of the application.

The form for applying for a review of conduct under section 53 of the PPIP Act is at Appendix B (DOCX, 25 KB).

Requests for review must allege a breach of the IPPs or a Code of Practice applicable to Investment NSW, or disclosure of Personal Information from Public Registers held by Investment NSW.

Applicants who are not satisfied with the findings of the review or the action taken by Investment NSW in relation to the Internal Review have the right to appeal to the NSW Civil and Administrative Tribunal (NCAT) under section 55 of the PPIP Act.

7.2. Internal Review Process

The Privacy Coordinator is responsible for receiving, allocating and overseeing Internal Reviews in relation to privacy matters. The Privacy Coordinator provides a single point for individuals seeking further information on how Investment NSW complies with the Acts. The Privacy Coordinator will receive all correspondence and enquiries regarding the Acts, including any Internal Review requests.

The Privacy Coordinator’s role also includes monitoring, recording and reporting on the progress of all Internal Review applications received.

Within Investment NSW, the responsibilities of the Privacy Coordinator are currently held by the Investment NSW General Counsel.

Internal Reviews will generally be conducted by a delegated officer with no involvement in the matter giving rise to the complaint of breach of privacy (the Reviewing Officer). The delegated officer may seek legal or other assistance in conducting the review, including from the Privacy Coordinator and Information Access and Governance Team.

Under section 54(1) of the PPIP Act, Investment NSW is required to notify the NSW Privacy Commissioner of the receipt of an application for an Internal Review of conduct and keep the NSW Privacy Commissioner informed of the progress of the Internal Review. In addition, the NSW Privacy Commissioner is entitled to make submissions to Investment NSW in relation to the application for Internal Review (section 54(2) of the PPIP Act).

Under section 53(6) of the PPIP Act, an Internal Review must be completed within 60 days of the receipt of the application.

Under section 53(8) of the PPIP Act, as soon as practicable, or in any event within 14 days, after the completion of the Internal Review, Investment NSW must inform the applicant of:

  • the findings of the review (and the reasons for those findings);
  • the action proposed to be taken by Investment NSW (and the reasons for taking that action); and
  • the right of the person to have those findings, and Investment NSW’s proposed action, administratively reviewed by NCAT.

When Investment NSW receives an Internal Review, the Privacy Coordinator will send:

  • an acknowledgment letter to the applicant and advise that if the Internal Review is not completed within 60 days, they have a right to seek a review of the conduct by NCAT; and
  • a letter to the NSW Privacy Commissioner with details of the application and a photocopy of the written complaint.

There is an example of a letter of notification to the Privacy Commissioner of receipt of request for an Internal Review at Appendix D (DOCX, 14 KB).

The Reviewing Officer responsible for completing the final determination must consider any relevant material submitted by the applicant or the NSW Privacy Commissioner.  Before completing the Internal Review, the Reviewing Officer should send a draft copy of the preliminary determination to the NSW Privacy Commissioner to invite any submissions.

Investment NSW follows the model of the Internal Review process provided by the NSW Information and Privacy Commission (Appendix C (DOCX, 95 KB)).

In finalising the determination, the Reviewing Officer will prepare a report containing their findings and recommended actions.

Investment NSW may:

  • take no further action on the matter;
  • make a formal apology to the applicant;
  • take appropriate remedial action, which may include the payment of monetary compensation to the applicant;
  • undertake that the conduct will not occur again; and/or
  • implement administrative measures to ensure that the conduct will not occur again.

The Reviewing Officer will notify the applicant in writing of:

  • the findings of the review;
  • the reasons for the finding, described in terms of the IPPs and/or the HPPs;
  • any action Investment NSW proposes to take;
  • the reasons for the proposed action (or no action); and/or
  • their entitlement to have the findings and the reasons for the findings reviewed by NCAT.

7.3. Recording of Internal Reviews

Investment NSW records all applications for Internal Review in a secure Objective file and workflow. The workflow tracks the progress of the Internal Review process and the determination of the completed review.

The details recorded in this system will provide the statistical information on Internal Review applications to be included in Investment NSW’s Annual Report.

7.4. Extensions of time for lodgement

While the PPIP Act allows six months to apply for an internal review from the time the applicant first becomes aware of the conduct, Investment NSW may accept late applications.

Possible acceptable reasons for delay may be:

  • the applicant’s ill-health or other reasons relating to capacity, or
  • the applicant only recently becoming aware of his or her right to seek an internal review, or the applicant reasonably believing that he or she would suffer ill-effects as a result of making an application at an earlier time.

However, late applications that cannot be investigated in a meaningful way because of their age will be declined. In these cases, witnesses may no longer be available, documents may have been destroyed and memories may have faded.

Final decisions on the acceptance of late applications will only be made by Investment NSW’s General Counsel, or under his or her delegation. Where the decision is made not to accept an application because it is too old, the reason will be explained in a letter to the applicant.

8. External Review

External review processes are also available.

8.1. Complaints to the Privacy Commissioner

Any individual who considers his or her privacy has been breached can make a complaint to the Privacy Commissioner under section 45 of the PPIP Act without going through the Internal Review process of Investment NSW.  The complaint must be made within 6 months (or such later time as the Privacy Commissioner may allow) from the time the individual first became aware of the conduct or matter the subject of the complaint.

However, the Privacy Commissioner can decide not to deal with the complaint if it would be more appropriately dealt with as an Internal Review by Investment NSW (section 46(3)(e) of the PPIP Act).

8.2. Administrative Review by NCAT

If the applicant is not satisfied with the outcome of Investment NSW’s Internal Review, they may apply to NCAT to review the decision.  If Investment NSW has not completed the Internal Review within 60 days, the applicant can also take the matter to NCAT.

A person must seek an Internal Review before they have the right to seek an external review (section 55(1) of the PPIP Act).

To seek review by NCAT, the individual must apply within 28 days from the date of the Internal Review decision or within 28 days of the Internal Review not being completed within 60 days.

NCAT has the power to make binding decisions on an external review (section 55(2) of the PPIP Act). For more information including current forms and fees, please contact NCAT:

Website: https://www.ncat.nsw.gov.au/
Phone: 1300 006 228
Post: PO Box K1026, Haymarket NSW 1240
Visit: NSW Civil and Administrative Tribunal
Administrative and Equal Opportunity Division
Level 10 John Maddison Tower
86-90 Goulburn Street
Sydney NSW 2000

NCAT cannot give legal advice; however, the NCAT website has general information about the process it follows and legal representation.

9. Promoting the Plan

9.1. Executive and Governance

Investment NSW’s executive leadership team is committed to transparency in relation to compliance with the Acts. The leadership team reinforces transparency and compliance with the Acts by:

  • endorsing this Plan and making it publicly available;
  • reviewing and updating the Plan every three years; and
  • reporting on privacy issues in Investment NSW’s Annual Report in line with the Annual Reports (Departments) Act 1985 (NSW).

9.2. Staff Awareness

To ensure that Investment NSW staff are aware of their rights and obligations under the Act, Investment NSW will:

  • publish this Plan and additional material in a prominent place on the Investment NSW intranet and website. Publication of this Plan on the website also educates members of the public about their privacy rights in relation to personal and health information held by Investment NSW;
  • introduce this Plan as part of our staff induction with training provided as required to raise awareness and appreciation of the privacy requirements;
  • provide refresher and on-the-job training;
  • highlight and promote the Privacy Management Plan;
  • provide privacy briefing sessions at appropriate management forums; and
  • notify staff of the privacy offence provisions.

10. Further information and contacts

For further information about this Plan, the personal and health information Investment NSW holds, or if you have any concerns, please contact the Privacy Coordinator of Investment NSW:

General Counsel
Investment NSW
Level 9, 52 Martin Place
Sydney NSW 2001

Email: informationaccess@investment.nsw.gov.au

For more information on privacy rights and obligations in New South Wales, please contact the NSW Privacy Commissioner at:

NSW Information and Privacy Commission
Level 17, 201 Elizabeth Street
Sydney NSW 2000

Phone: 1800 472 679
Web: www.ipc.nsw.gov.au
Email: ipcinfo@ipc.nsw.gov.au

Variation

Owner: Chris Carr
Last review date: October 2021
Next revision: October 2022