The Privacy and Personal Information Protection (PPIPA) Act 1998 and the Health Records and Information Privacy (HRIPA) Act 2002 has given individuals a legally enforceable right of access to personal information held about themselves by government agencies. It also outlines a set of privacy standards that regulate the way NSW public sector agencies deal with personal information.
In the context of the Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. Personal information also includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics.
Health privacy information covers personal information relating to the physical or mental health of an individual; health services delivered to that individual and/or the individual's wishes regarding organ donation.
What is privacy?
Privacy means different things to different people, such as the right:
- To be left alone.
- To control who knows your name, address, phone number and other personal or confidential information.
- To go about your daily life without having your person or actions deliberately observed, documented or recorded on camera or in other ways without your knowledge and consent.
Personal information
Personal information is any information that relates to an identifiable person. As well as information that can readily identify an individual such as name and contact details, it can also include genetic material, electronic records, video recordings and photographs.
Health information
Health information is a type of personal information. It includes personal information or an opinion about any of the following:
- The physical or mental health or a disability of an individual.
- The provision of or an individual’s express wishes about health services.
- The donation, or intended donation, of an individual’s body parts, organs or body substance.
The privacy standards
Privacy standards have been established for the NSW public sector, which direct agencies on how to deal with personal and health information. The standards include the Privacy and Personal Information Protection Act 1998 (the Privacy Act) and the Health Records and Information Privacy Act 2002 (the Health Privacy Act).
What the privacy standards mean
Roads and Maritime Services (replacing Roads and Traffic Authority) must meet the privacy standards of both Acts.
This means:
Applying the Information Protection Principles outlined in the Privacy Act to all personal information and the Health Privacy Principles to all health information, except in special cases where there are legislative exemptions, A Code of Practice or a Direction of the Privacy Commissioner.
Establishing procedures to deal with requests and complaints about Roads and Maritime Services (replacing Roads and Traffic Authority)’s dealings with personal information and health information.
Preparing a Privacy Management Plan that explains how Roads and Maritime Services (replacing Roads and Traffic Authority) complies with the Acts. You can view or download a copy of the plan from the box at the bottom of the page.
Exemptions
Exemptions provided in the Acts mean that in certain circumstances agencies do not have to comply with one or more of the principles. Examples include:
- Personal information used for law enforcement purposes.
- Personal information used for protection of the public revenue.
Code of Practice and Privacy Commissioner’s Direction
A Code of Practice or Direction of the Privacy Commissioner sets special exemptions from the Acts that apply in special circumstances.
The principles in brief
Information Protection Principles (Privacy Act)
For personal information Roads and Maritime Services (replacing Roads and Traffic Authority) must:
- Only collect personal information for a lawful purpose directly related to Roads and Maritime Services (replacing Roads and Traffic Authority)’s functions.
- Collect personal information from the individual unless authorised otherwise.
- Inform the person what personal information is being collected and why, whether supplying it is mandatory or voluntary, and their right to access and correct it.
- Ensure personal information is relevant, accurate, not excessive, complete and up-to-date, and that collecting the information does not unreasonably intrude into an individual’s personal affairs.
- Keep personal information no longer than necessary, dispose of it appropriately, store it securely and protect it from unauthorised use or disclosure.
- Explain what personal information is being held and how to access it.
- Allow people access to their personal information.
- Allow people to update, amend or add a notation to their personal information.
- Take steps to use only relevant, accurate, up-to-date and not misleading personal information.
- Only use personal information for the purpose for which it was collected or a directly related purpose except in nominated circumstances.
- Only disclose personal information for the purpose for which it was collected or a directly related purpose except in nominated circumstances.
- Do not disclose sensitive personal information (eg about ethnic or racial origin, trade union membership, etc).
Health Privacy principles (Health Privacy Act)
For health information Roads and Maritime Services (replacing Roads and Traffic Authority) must:
- Only collect health information for a lawful purpose directly related to Roads and Maritime Services (replacing Roads and Traffic Authority)’s functions.
- Collect health information from the individual unless it is unreasonable or impracticable to do so.
- Inform the person what health information is being collected and why, by whom it is being collected and to whom it is usually disclosed.
- Ensure health information is relevant, accurate, not excessive, complete and up-to-date, and that collecting the information does not unreasonably intrude into an individual’s personal affairs.
- Keep health information no longer than necessary, dispose of it appropriately, store it securely and protect it from unauthorised access, use or disclosure.
- Explain what health information is being held and how to access it.
- Allow people access to their health information.
- Allow people to update, amend or add a notation to their health information.
- Take steps to use only relevant, accurate, up-to-date and non-misleading health information.
- Only use health information for the purpose for which it was collected or a directly related purpose except in nominated circumstances.
- Only disclose health information for the purpose for which it was collected or a directly related purpose except in nominated circumstances.
- Only assign identifiers to people if necessary.
- Allow people to receive anonymous services where practicable.
- Do not transfer health information outside NSW except in nominated circumstances.
- Do not link health information electronically except with express consent.
For further details including information about exemptions see:
- The Privacy and Personal Information Protection Act 1998, Part 2, ss 8-19 or Privacy NSW, A Guide to the Information Protection Principles 1999
- Health Records and Information Privacy Act 2002, Schedule 1 cls 1-5 or Privacy NSW Handbook to Health Privacy.
The Privacy Acts and you
Roads and Maritime Services (replacing Roads and Traffic Authority) motor registries can assist with the following privacy issues covered by the Acts.
Access to personal information or health information
People can find out if personal or health information is held about them, what sort of information is held, what it is used for and how they can get access to it.
People wanting access to their driving or registration records should fill out a Request for Information form.
People wanting access to their other personal or health information should fill out a Request for Access form under the Freedom of Information/Privacy Acts.
Adjusting personal or health information
People can alter or add a notation to their personal or health information to ensure it is accurate, suitable, relevant, up-to-date and not misleading. The onus is on the customer to prove the information is wrong.
People wanting their licence or vehicle information altered (including changes of address) should visit a motor registry or contact Roads and Maritime Services (replacing Roads and Traffic Authority) on 13 22 13.
People wanting other personal or health information altered should fill out an Adjustment/Notation of Personal Records form. In some cases, a further medical certificate may be required.
Information for the public regarding applications by car parking companies for personal information
Roads and Maritime Services (replacing Roads and Traffic Authority) may have provided your name and address to a car parking company in accordance with a court order. This is not a breach of Roads and Maritime Services (replacing Roads and Traffic Authority)’s privacy obligations.
The notices issued by the car parking companies are not penalty notices issued by Roads and Maritime Services (replacing Roads and Traffic Authority) under the Fines Act 1996 or road transport legislation. Roads and Maritime Services (replacing Roads and Traffic Authority) is not involved in any claims made by car parking companies.
Any further queries should be directed to the car parking companies direct as follows:
- Australian National Car Parks – 1300 728 412
- Care Park Pty Ltd – 1300 011 888
For further information about your rights you can also contact the Consumer Credit Legal Centre on 1800 808 488.
Privacy complaints and reviews
A person who is not satisfied with the way Roads and Maritime Services (replacing Roads and Traffic Authority) has dealt, is dealing or intends to deal with their personal or health information, may complain. If a complaint relates to a breach of the Information Protection Principles, the Health Privacy Principles or a Privacy Code of Practice Roads and Maritime Services (replacing Roads and Traffic Authority) must conduct a formal review of the conduct complained about.
A complaint is best lodged in writing using a Complaint or Request for Review of Conduct form. Complaints should be made within six months of the time a person first became aware of the conduct complained about. Roads and Maritime Services (replacing Roads and Traffic Authority) notifies the NSW Privacy Commissioner about the review and its outcome.
Privacy complaints about Roads and Maritime Services (replacing Roads and Traffic Authority) can also be made directly to the NSW Privacy Commissioner, who in consultation with the complainant, could direct the complaint elsewhere for investigation.
A person who is not satisfied with the outcome of a review can appeal to the NSW Administrative Decisions Tribunal. The Tribunal has the power to make any orders it believes are necessary including the award of damages of up to $40,000 to the person making the complaint.
For further enquiries
General Manager Government Information & Privacy
Roads and Maritime Services (replacing Roads and Traffic Authority)
Locked Bag 928 North Sydney NSW 2059
Tel (02) 8588 4981 or 13 17 82 (local call)
Fax (02) 8588 4109
Email privacy@rta.nsw.gov.au
Privacy Commissioner
Privacy NSW
GPO Box 6 SYDNEY NSW 2001
Tel (02) 9228 8585
Fax (02) 9228 8577
Email privacy_nsw@agd.nsw.gov.au
Web www.lawlink.nsw.gov.au/privacynsw
Administrative Decisions Tribunal
Level 15, St James Centre
111 Elizabeth Street SYDNEY NSW 2000
Tel (02) 9223 4677 Freecall 1800 060 410
Fax (02) 9233 3283
Web www.lawlink.nsw.gov.au/adt
Language assistance
Translating and Interpreting Services
Tel 13 14 50
This information contained in this page must not be relied on as legal advice. More information about privacy in NSW may be obtained from the legislation and the publications issued by Privacy NSW.
Frequently asked questions
Q1 - What is the difference between asking for documents under the Privacy Acts and the Freedom of Information (FOI) Act?
Generally you can ask for you own documents under any of the Acts. However, under Privacy you can only appeal to the NSW Administrative Decisions Tribunal if you do not agree with the decision given to you.
If you want someone else’s documents, you need to apply under the FOI Act. In these cases, you have the added appeal mechanisms of an Internal Review or the NSW Ombudsman.
Q2- How much will it cost me to make an application?
FOI fees and charges (GST exempt)
| Nature of application | Application fee | Processing charge |
|---|---|---|
| Access to records - personal request | $30.00* | $30.00 per hour after first 20 hours* |
| Access to records - other requests | $30.00* | $30.00 per hour* |
| Amendment of records | Nil | Nil |
| Review of determination / conduct | FOI - $40.00* | Nil |
* A 50% reduction in fees may apply if the applicant is under 18 years of age, suffers financial hardship, is a non-profit organisation or applies for public interest reasons.
Privacy fees (GST inclusive)
| Nature of application | Application fee | Processing charge |
|---|---|---|
| Access to records | Nill | Nill |
*A 50% reduction in fees may apply if the applicant is under 18 years of age, suffers financial hardship, is a non-profit organisation or applies for public interest reasons.
Q3 - Who does Roads and Maritime Services (replacing Roads and Traffic Authority) allow to access my records?
Apart from you, Roads and Maritime Services (replacing Roads and Traffic Authority) only allows access to personal information where it is required or authorised to do so by law.
Q4 - What do I do if I feel Roads and Maritime Services (replacing Roads and Traffic Authority) has either inappropriately used or disclosed my personal information?
You can complain to either Privacy NSW or Roads and Maritime Services (replacing Roads and Traffic Authority). In either case your complaint will be investigated and you and the Privacy Commissioner will be provided with an explanation. If you are not satisfied, you can appeal to the NSW Administrative Decisions Tribunal.
Q5 - What can I do if I think my personal Roads and Maritime Services (replacing Roads and Traffic Authority) records are irrelevant, inaccurate, not up to date, incomplete or misleading?
You can contact Roads and Maritime Services (replacing Roads and Traffic Authority) and request a review of conduct. The matter will be investigated and you will be provided with a determination. If you are not satisfied, you can ask for a notation to be placed on the records setting out your views and/or you can appeal to the NSW Administrative Decisions Tribunal.
Q6 - Where can I go if I have other questions about privacy or my rights?
You can contact either Privacy NSW (privacy_nsw@agd.nsw.gov.au) or Roads and Maritime Services (replacing Roads and Traffic Authority) (privacy@rta.nsw.gov.au). If you have a complaint regarding unauthorised use or disclosure of your personal information held by a government department, you have the right to lodge an official complaint with that department. Your complaint will be investigated under the NSW Privacy Act and you will be notified of the outcome. If you are not satisfied, you may appeal to the NSW Administrative Decisions Tribunal.