1. About Privacy Management Plan

Revenue NSW is committed to maintaining public trust and confidence in our products and services by ensuring that privacy protections are part of our processes and culture.

The Privacy Management Plan (PMP) explains how we manage personal and health information under NSW privacy laws. We have obligations to protect the privacy rights of customers, employees, and members of the public. The PMP is aligned with the Department of Customer Service (DCS) PMP. We consistently review and update our policies and procedures as necessary.

Section 33(1) of the Privacy and Personal Information Protection Act 1998 states that ‘each public sector agency must have and implement a privacy management plan within 12 months of the commencement of this section.’ Revenue NSW is not a public sector agency for the purpose of the Privacy and Personal Information Protection Act 1998; however, it is part of the Department of Customer Service (DCS). Revenue NSW has a separate PMP to provide additional detail to the overarching DCS PMP, specifically regarding the data that is collected and held by Revenue NSW, and how this data is managed and protected.

Why we need this policy

Our Revenue NSW PMP shows what measures we take to comply with the;

Policies and procedures, including this Revenue NSW PMP, are communicated to staff in a range of ways, including through our intranet, knowledge management system and targeted training. References to personal information throughout this PMP are to be taken to include health information, unless health information is specifically mentioned.

Who has to comply with this policy

All Revenue NSW staff are required to comply with privacy legislation while undertaking work for us. Additionally, they are required to comply with the DCS Code of Ethics and Conduct and the DCS Conflict of Interest Policy.

Our privacy policies and practices

At Revenue NSW we have a range of policies to ensure compliance with privacy legislation, to manage privacy risks and to deal with other matters relevant to privacy and the protection of personal and health information held by Revenue NSW. For a full list, refer to ‘related policies’.

About Revenue NSW

Revenue NSW has a strong history of being reliable, trusted, and effective in collecting revenue on behalf of the state. However, we are much more than this. Our agency connects with over three million people each year. We administer grants to individuals and businesses quickly and fairly, and work closely with our business partners, stakeholders, and customers to best administer the fines system for NSW. We collect over one third of the state’s revenue which is used to fund essential services such as hospitals, schools, and infrastructure. We acknowledge that our customers’ circumstances can play a huge role in how, when, and why they interact with us. We pride ourselves on approaching all customers with empathy, directly focusing on providing the best service possible.

The taxes and fines collected by Revenue NSW are used by the NSW Government to pay for essential government services including teachers, schools, health professionals, hospitals, public transport and infrastructure. Intrinsic to our work is our commitment to protect the community by helping them responsibly resolve fines. We also support the community through the delivery of housing affordability grants, and vital concessions in times of distress such as bushfires and floods.

The Revenue NSW Privacy Officer

The Revenue NSW Privacy Officer is responsible for:

  • co-ordinating the Privacy Management Plan and privacy breach incident response,
  • privacy training for staff,
  • acting as a first point of contact for members of the public for all matters related to privacy and personal information,
  • assessing complaints lodged and making recommendations about whether or not they are about personal information under the PPIP Act and/or health information under the HRIP Act, and ensuring that all complaints about privacy breaches and/or internal reviews are dealt with in the proper manner,
  • disseminating information on privacy issues within Revenue NSW,
  • and acting as a first point of contact/liaison with the IPC for all matters related to privacy and personal information.

The Revenue NSW Privacy Team has responsibility for managing the privacy management functions. These functions include providing guidance to Revenue NSW staff about their privacy obligations, and how to manage personal and health information in their day-to-day work.

The Team is responsible for Revenue NSW’s:

  • Privacy Management Plan,
  • Data breach response procedure,
  • Privacy partners network,
  • Reporting about privacy incidents,
  • Consulting with the Privacy Commissioner on high-risk privacy programs or incidents,
  • Providing advice and endorsement to projects or system changes that involve the use or handling of personal information,
  • Coordinating and, where appropriate, investigating privacy incidents, breaches and complaints.

Advice, review and continuous improvement

The Revenue NSW Privacy Team, in collaboration with business area privacy leads, undertakes a range of initiatives to ensure Revenue NSW staff and members of the public are informed of our privacy practices and obligations under privacy legislation.

The Team provides advice to business areas to ensure new initiatives, projects and upgrades to systems involving personal information are designed in line with privacy legislation and expectations of our customers.

The Team also continuously evaluates privacy practices, policies, and procedures to ensure they remain effective and identify, evaluate, and mitigate risks of potential noncompliance with privacy legislation.

The Privacy Partners Network comprises representatives from across Revenue NSW and DCS and meets regularly to discuss privacy and identify opportunities for better practice in protecting privacy.

Assessment of privacy risks

Revenue NSW adopts risk management practices in accordance with the ISO 31000 Risk Management Standard and the NSW Treasury TPP 20-08 Internal Audit and Risk Management Policy for the government sector. Privacy risks are managed in accordance with the Department of Customer Service (DCS) Risk Management Policy, Framework and Process and within the DCS Risk Appetite Statement. Privacy risks are considered proactively using a privacy by design approach during project and process development and delivery. Our Revenue NSW Privacy Team provides advice and consults with business and project leaders to ensure privacy risks are understood and actively managed.