4. Information Protection Principles and Health Privacy Principles

This section provides an overview of how we manage personal and health information in accordance with the information protection principles and health privacy principles in the privacy legislation.

Collection

We collect personal and health information through lawful means, and we collect what is reasonably necessary for our functions and activities. We provide the required notice at the time of collection or as soon as reasonably practicable.

We avoid collecting sensitive information if we do not need it. Sensitive information is personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities.

NSW citizens may owe debts to any of the various local and state government agencies. The debts can relate to council rates and parking fines, licences, insurance premiums, leases and other government services. Revenue NSW collects this debt on their behalf. To administer this debt collection process, Revenue NSW collects information from these agencies, stores it and uses it.

We will only collect information from a third party where:

  • The person has authorised collection of the information from someone else.
  • The person is under 16 years of age – in which case we may also collect personal information from the person’s parent or guardian.
  • In the case of health information, it would be unreasonable or impracticable to collect information from an individual.
  • When collecting health information about an individual from a third party, we take reasonable steps to ensure that the individual is aware of the notification matters above.

Storage and security

Revenue NSW takes reasonable security safeguards to protect personal and health information from loss, unauthorised access, use, modification, or disclosure and against other misuse. We will ensure personal and health information is stored securely, not kept longer than necessary, and disposed of appropriately.

We maintain security measures, including technical, physical and administrative actions, to protect information from unauthorised access and misuse.

Examples of how we secure and retain personal information include:

  • Maintaining and continually improving information security management systems that comply with the ISO/IEC 27001:2022 standard.
  • Aligning with our obligations under the Cyber Security Policy.
  • Adopting best practice in electronic and paper records management and complying with our obligations under the State Records Act 1998 (NSW), including keeping information for only as long as necessary.
  • Providing mandatory information security awareness training to Revenue NSW staff.

Accuracy

Before using personal or health information we take reasonable steps to ensure that the information is relevant, accurate, up-to-date, complete, and not misleading. We ensure the accuracy of the information by collecting it directly from individuals wherever practicable.

Transparency

We will tell you what personal information about you is being stored, why it is being used and any rights you have to access it. You can make enquiries at any time to find out if we hold personal or health information about you.

Access

Once we have confirmed your identity, you may access your personal and health information without unreasonable delay or expense. We will only refuse access where authorised by law, and we will provide written reasons, if requested.

Amendment

Once we have confirmed your identity, you may update or amend your personal or health information held by us to ensure it is accurate, relevant, up-to-date, complete, and not misleading. We encourage you to help us keep any information we hold about you accurate, up-to-date, and complete by contacting us with updated information.

If the information we hold is accurate, relevant, up-to-date, complete and not misleading but a person still insists on an amendment, we can decline to do so. However, you may be able to add a statement to our records. For example, it may be appropriate to attach a statement, instead of amending information, for a disputed medical diagnosis or a person with a criminal record maintaining their innocence.

Advice on access and amendment

If you are a member of the public, you can contact Revenue NSW if you wish to access your information and/or seek to have it amended. In some cases, you may be able to access your own personal information by accessing an online account or website.

If you do not know which business unit to contact regarding your request or your request has been denied, refer to 'contact us' on the NSW.gov.au website for guidance.

If you are a Revenue NSW staff member, you can access and, in many cases, amend your personal information contained in enterprise resources planning systems and other systems provided to undertake your work. If you require access to your personal information beyond business systems or wish to amend your personal or health information, contact your HR Business Partner.

Employees must access their personal information in customer-facing systems in the same way as members of the public.

Use

When we talk about ‘use’ of personal and health information, it refers to the way we handle and share information within Revenue NSW to perform our functions. This includes providing information to contractors engaged by Revenue NSW to manage information on our behalf in circumstances where Revenue NSW retains control over the handling and use of the information.

Generally, we only use personal and health information for the purpose for which it was collected. The purpose should be set out in the privacy notice at the time of collection.

We may use personal and health information:

  • for the primary purpose for which it was collected,
  • for a directly related secondary purpose,
  • for another purpose where it is reasonably necessary to prevent or lessen a serious and imminent threat to life or health,
  • for another purpose for which the person has consented,
  • for another purpose where permitted by law.

Disclosure

We can generally disclose personal and health information when the person has consented to the disclosure; the disclosure was advised in a privacy collection notice at the time of collection; the disclosure is directly related to the purpose for which it was collected, and the individual would reasonably expect us to disclose the information for that purpose; or the disclosure is necessary to prevent or lessen a serious or imminent threat to life, health or safety.

Revenue NSW may disclose this information to permitted statutory or regulatory bodies, both State and Federal, and to other public or private entities, for law administration and enforcement, or as required or permitted by law.

Revenue NSW may disclose information to the authority who issued the fine or debt, including NSW Police, Local Councils and Transport for NSW as permitted by law, to administer the process of debt recovery.

Health information and identifiers

In relation to health information, we generally do not identify individuals by using unique identifiers to carry out our functions. We may collect identifiers from third parties.

Identifiers are used to uniquely identify an individual and their health records. Identifiers do not need to use a person’s name, as they are designed to be unique to a specific individual (for example, a customer number, unique patient number, tax file number or drivers licence number).