Protecting your privacy

The Privacy and Personal Information Protection (PPIPA) Act 1998 and the Health Records and Information Privacy (HRIPA) Act 2002 has given individuals a legally enforceable right of access to personal information held about themselves by government agencies.  It also outlines a set of privacy standards that regulate the way NSW public sector agencies deal with personal information.

In the context of the Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.  Personal information also includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics.

Health privacy information covers personal information relating to the physical or mental health of an individual; health services delivered to that individual and/or the individual's wishes regarding organ donation.

What is privacy?

Privacy means different things to different people, such as the right:

• To be left alone.
• To control who knows your name, address, phone number and other personal or confidential information.
• To go about your daily life without having your person or actions deliberately observed, documented or recorded on camera or in other ways without your knowledge and consent.

Personal information

Personal information is any information that relates to an identifiable person. As well as information that can readily identify an individual such as name and contact details, it can also include genetic material, electronic records, video recordings and photographs.

Health information

Health information is a type of personal information. It includes personal information or an opinion about any of the following:

• The physical or mental health or a disability of an individual.
• The provision of or an individual’s express wishes about health services.
• The donation, or intended donation, of an individual’s body parts, organs or body substance.

The privacy standards

Privacy standards have been established for the NSW public sector, which direct agencies on how to deal with personal and health information. The standards include the Privacy and Personal Information Protection Act 1998 (the Privacy Act) and the Health Records and Information Privacy Act 2002 (the Health Privacy Act).

What the privacy standards mean

The RTA must meet the privacy standards of both Acts.
This means:

Applying the Information Protection Principles outlined in the Privacy Act to all personal information and the Health Privacy Principles to all health information, except in special cases where there are legislative exemptions, A Code of Practice or a Direction of the Privacy Commissioner.

Establishing procedures to deal with requests and complaints about the RTA’s dealings with personal information and health information.

Preparing a Privacy Management Plan that explains how the RTA complies with the Acts. You can view or download a copy of the plan from the box at the bottom of the page.

Exemptions

Exemptions provided in the Acts mean that in certain circumstances agencies do not have to comply with one or more of the principles. Examples include:

• Personal information used for law enforcement purposes.
• Personal information used for protection of the public revenue.

Code of Practice and Privacy Commissioner’s Direction

A Code of Practice or Direction of the Privacy Commissioner sets special exemptions from the Acts that apply in special circumstances.

The principles in brief

Information Protection Principles (Privacy Act)

For personal information the RTA must:

1. Only collect personal information for a lawful purpose directly related to the RTA’s functions.
2. Collect personal information from the individual unless authorised otherwise.
3. Inform the person what personal information is being collected and why, whether supplying it is mandatory or voluntary, and their right to access and correct it.
4. Ensure personal information is relevant, accurate, not excessive, complete and up-to-date, and that collecting the information does not unreasonably intrude into an individual’s personal affairs.
5. Keep personal information no longer than necessary, dispose of it appropriately, store it securely and protect it from unauthorised use or disclosure.
6. Explain what personal information is being held and how to access it.
7. Allow people access to their personal information.
8. Allow people to update, amend or add a notation to their personal information.
9. Take steps to use only relevant, accurate, up-to-date and not misleading personal information.
10. Only use personal information for the purpose for which it was collected or a directly related purpose except in nominated circumstances.
11. Only disclose personal information for the purpose for which it was collected or a directly related purpose except in nominated circumstances.
12. Do not disclose sensitive personal information (eg about ethnic or racial origin, trade union membership, etc).

Health Privacy principles (Health Privacy Act)

For health information the RTA must:

1. Only collect health information for a lawful purpose directly related to the RTA’s functions.
2. Collect health information from the individual unless it is unreasonable or impracticable to do so.
3. Inform the person what health information is being collected and why, by whom it is being collected and to whom it is usually disclosed.
4. Ensure health information is relevant, accurate, not excessive, complete and up-to-date, and that collecting the information does not unreasonably intrude into an individual’s personal affairs.
5. Keep health information no longer than necessary, dispose of it appropriately, store it securely and protect it from unauthorised access, use or disclosure.
6. Explain what health information is being held and how to access it.
7. Allow people access to their health information.
8. Allow people to update, amend or add a notation to their health information.
9. Take steps to use only relevant, accurate, up-to-date and non-misleading health information.
10. Only use health information for the purpose for which it was collected or a directly related purpose except in nominated circumstances.
11. Only disclose health information for the purpose for which it was collected or a directly related purpose except in nominated circumstances.
12. Only assign identifiers to people if necessary.
13. Allow people to receive anonymous services where practicable.
14. Do not transfer health information outside NSW except in nominated circumstances.
15. Do not link health information electronically except with express consent.

For further details including information about exemptions see:

• The Privacy and Personal Information Protection Act 1998, Part 2, ss 8-19 or Privacy NSW, A Guide to the Information Protection Principles 1999
• Health Records and Information Privacy Act 2002, Schedule 1 cls 1-5 or Privacy NSW Handbook to Health Privacy.

The Privacy Acts and you

RTA motor registries can assist with the following privacy issues covered by the Acts.

Access to personal information or health information

People can find out if personal or health information is held about them, what sort of information is held, what it is used for and how they can get access to it.

People wanting access to their driving or registration records should fill out a Request for Information form.

People wanting access to their other personal or health information should fill out a Request for Access form under the Freedom of Information/Privacy Acts.

Adjusting personal or health information

People can alter or add a notation to their personal or health information to ensure it is accurate, suitable, relevant, up-to-date and not misleading. The onus is on the customer to prove the information is wrong.

People wanting their licence or vehicle information altered (including changes of address) should visit a motor registry or contact the RTA on 13 22 13.

People wanting other personal or health information altered should fill out an Adjustment/Notation of Personal Records form. In some cases, a further medical certificate may be required.

Privacy complaints and reviews

A person who is not satisfied with the way the RTA has dealt, is dealing or intends to deal with their personal or health information, may complain. If a complaint relates to a breach of the Information Protection Principles, the Health Privacy Principles or a Privacy Code of Practice the RTA must conduct a formal review of the conduct complained about.

A complaint is best lodged in writing using a Complaint or Request for Review of Conduct form. Complaints should be made within six months of the time a person first became aware of the conduct complained about. The RTA notifies the NSW Privacy Commissioner about the review and its outcome.

Privacy complaints about the RTA can also be made directly to the NSW Privacy Commissioner, who in consultation with the complainant, could direct the complaint elsewhere for investigation.

A person who is not satisfied with the outcome of a review can appeal to the NSW Administrative Decisions Tribunal. The Tribunal has the power to make any orders it believes are necessary including the award of damages of up to $40,000 to the person making the complaint.

For further enquiries

Manager Records Access Unit
Roads and Traffic Authority
PO Box K198 HAYMARKET NSW 1240
Tel (02) 9218 6632 or 13 17 82 (local call)
Fax (02) 9218 6085
Email privacy@rta.nsw.gov.au

Privacy Commissioner
Privacy NSW
GPO Box 6 SYDNEY NSW 2001
Tel (02) 9228 8585
Fax (02) 9228 8577
Email privacy_nsw@agd.nsw.gov.au
Web www.lawlink.nsw.gov.au/privacynsw

Administrative Decisions Tribunal
Level 15, St James Centre
111 Elizabeth Street SYDNEY NSW 2000
Tel (02) 9223 4677 Freecall 1800 060 410
Fax (02) 9233 3283
Web www.lawlink.nsw.gov.au/adt

Language assistance

Translating and Interpreting Services
Tel 13 14 50

This information contained in this page must not be relied on as legal advice. More information about privacy in NSW may be obtained from the legislation and the publications issued by Privacy NSW.

Frequently asked questions

Q1 - What is the difference between asking for documents under the Privacy Acts and the Freedom of Information (FOI) Act?

Generally you can ask for you own documents under any of the Acts.  However, under Privacy you can only appeal to the NSW Administrative Decisions Tribunal if you do not agree with the decision given to you.

If you want someone else’s documents, you need to apply under the FOI Act.  In these cases, you have the added appeal mechanisms of an Internal Review or the NSW Ombudsman.

Q2- How much will it cost me to make an application?

FOI fees and charges (GST exempt)

* A 50% reduction in fees may apply if the applicant is under 18 years of age, suffers financial hardship, is a non-profit organisation or applies for public interest reasons.

Privacy fees (GST inclusive)

*A 50% reduction in fees may apply if the applicant is under 18 years of age, suffers financial hardship, is a non-profit organisation or applies for public interest reasons.

Q3 - Who does the RTA allow to access my records?

Apart from you, the RTA only allows access to personal information where it is required or authorised to do so by law.

Q4 - What do I do if I feel the RTA has either inappropriately used or disclosed my personal information?

You can complain to either Privacy NSW or the RTA.  In either case your complaint will be investigated and you and the Privacy Commissioner will be provided with an explanation.  If you are not satisfied, you can appeal to the NSW Administrative Decisions Tribunal.

Q5 - What can I do if I think my personal RTA records are irrelevant, inaccurate, not up to date, incomplete or misleading?

You can contact the RTA and request a review of conduct.  The matter will be investigated and you will be provided with a determination. If you are not satisfied, you can ask for a notation to be placed on the records setting out your views and/or you can appeal to the NSW Administrative Decisions Tribunal.

Q6 - Where can I go if I have other questions about privacy or my rights?

You can contact either Privacy NSW (privacy_nsw@agd.nsw.gov.au) or the RTA (privacy@rta.nsw.gov.au).  If you have a complaint regarding unauthorised use or disclosure of your personal information held by a government department, you have the right to lodge an official complaint with that department.  Your complaint will be investigated under the NSW Privacy Act and you will be notified of the outcome.  If you are not satisfied, you may appeal to the NSW Administrative Decisions Tribunal.