Privacy Management Plan
Plan statement and key principles
This plan has been developed by ILGA to demonstrate and ensure that our organisation applies the correct procedures to manage the personal information of our stakeholders and staff.
Executive Summary
All NSW Government agencies are required to have a privacy management plan under section 33 of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).
The PPIP Act and Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) contain principles on how to collect, store, access, amend, use and disclose personal and health information. The PPIP Act covers personal information other than health information and requires us to comply with 12 information protection principles (IPPs). The HRIP Act covers health information which includes information about a person’s health/disability and health/disability services provided to them. There are 15 health privacy principles (HPPs) with which we must also comply.
The purpose of this Plan is to:
- demonstrate to the people of New South Wales how ILGA upholds and respects the privacy of its staff and all those who deal with ILGA
- explain how we manage personal information in line with the PPIP Act and health information in line with the HRIP Act
- provide guidance and training for ILGA staff in dealing with personal and health information. This helps to ensure that we comply with the PPIP Act and HRIP Act (together, the Acts).
This Plan indicates that ILGA takes the privacy of its staff and the people of NSW seriously and we will protect privacy with the use of this Plan as a reference and guidance tool.
1. Introduction
This Plan has been developed by ILGA as per section 33 of the PPIP Act.
This Plan identifies:
- the types of personal and health information (as defined at 2.3) that ILGA holds or is responsible for
- the policies and practices used by ILGA to comply with the Acts
- how details of those policies and practices are made known to staff of ILGA and all engaged by ILGA
- how ILGA conducts Internal Reviews under section 53 of the PPIP Act.
This Plan applies to all ILGA staff, agents, contractors and volunteers.
1.1. The role and functions of ILGA
ILGA is a statutory decision-maker responsible for a range of liquor, registered club, gaming machine and music festival regulatory functions, including determining licensing and disciplinary matters under the gaming and liquor legislation and music festivals legislation.
ILGA has the functions conferred or imposed on it under gaming and liquor legislation. This includes the following Acts and the regulations and other instruments made under those Acts:
- Liquor Act 2007
- Gaming Machines Act 2001
- Registered Clubs Act 1976
- Gaming Machine Tax Act 2001
- Gaming and Liquor Administration Act 2007
- Music Festivals Act 2019.
The Authority performs functions under this legislation, including:
- determining licensing and gaming applications, in particular for contentious matters;
- determining the subject status of a music festival and approving safety management plans;
- issuing various orders, including requiring licensed premises to close for a period of time and banning persons from entering licensed premises for a period of time;
- determining disciplinary and remedial action to be taken against licensees and others; and
- reviewing certain delegated decisions made on its behalf by Liquor & Gaming NSW and certain decisions made by the Secretary, Department of Creative Industries, Tourism, Hospitality and Sport (DCITHS, the Department).
ILGA takes the privacy of its staff and the people of NSW seriously and we will protect privacy with the use of this Plan as a reference and guidance tool.
2. Personal and Health Information
2.1. Definitions
Collection is the method by which ILGA acquires the information. This can be completed by any means including a written form; a verbal conversation; an online form; or taking a picture or video.
Disclosure is how ILGA provides the personal or health information to an individual or body outside ILGA. This includes the sharing of personal or health information with other public service agencies.
Personal information is information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion (section 4 of the PPIP Act).
Health information is any personal information that is information or an opinion about a person’s physical or mental health or disability or the provision of health services to them, including an individual’s express wishes about the future provision of health services to them. It also includes genetic information that is or could be predictive of the health of a person or their genetic relative, as well as any personal information that was collected to provide, or in providing, a health service, or in connection with the donation of body parts, organs or body substances (section 6 of the HRIP Act).
2.2. Exclusions from the definition
Both the Acts exclude from the definition of personal and health information, information which:
- relates to a person who has been dead for more than 30 years; or
- is contained in a publicly available publication; or
- refers to a person’s suitability for employment as a public sector official.
2.2.1. Information in a publicly available publication
The definitions exclude information about named or identifiable people which is published in newspapers, books or the internet, broadcast on radio or television, posted on social media (such as Facebook or Twitter) or made known at a public event. Because such information is publicly available, it cannot be protected from use or further disclosure.
2.2.2. Employment-related information
Information referring to suitability for employment as an ILGA member of staff (such as selection reports and references for appointment or promotions, or disciplinary records) is excluded from the definitions and therefore from the provisions of the Acts.
Such information is still stored, secured, used and disclosed by ILGA with the same care as if it were protected by the Acts.
Other employee-related personal information is protected by the Acts. For example, records or information about work activities, such as video or photographs of staff in their workplace, are protected and may only be used in compliance with the Acts’ provisions.
Other examples of work-related personal and health information are staff training records, leave applications and attendance records. All these are within the scope of the definitions and are protected by the Acts.
2.3. Types of personal and health information held by ILGA
2.3.1. Employee records
Employee records for staff of ILGA are held by DEIT due to a Service Delivery Agreement between ILGA and DEIT.
An employee of ILGA may access their own file under the supervision of the People & Culture (P&C) staff at DEIT.
2.3.2. Information collected relating to conflict of interest
ILGA staff are required to disclose any actual, potential, or perceived conflicts of interest as part of the onboarding process. This information is reviewed and updated regularly, and as any conflicts arise or change.
2.3.3. Contact Details
ILGA may hold contact details of various third parties, including but not limited to:
- businesses and individuals that have made applications to ILGA;
- businesses and individuals that have made submissions in relation to applications made to ILGA;
- businesses and individuals that have made an enquiry, complaint or suggestion through ILGA’s website or via email to ILGA;
- businesses and individuals attending ILGA meetings and conferences;
- businesses and individuals that are suppliers on ILGA contracts;
- individuals that have made an informal request for information to ILGA; and
- individuals that have made formal access applications under the GIPA Act.
ILGA uses the contact details for the purposes for which they were collected. ILGA does not use this information to contact people for secondary purposes. For example, where contact details have been provided as part of an enquiry made to ILGA, those contact details will only be used in managing and responding to that enquiry and will not be used for any other purpose unless the individual concerned has expressly consented to that secondary use.
2.3.4. Correspondence records
ILGA may hold the following correspondence records:
- contact details of people who have written to or emailed ILGA or its responsible Minister;
- details of the nature of their correspondence, which can include sensitive personal information about matters such as ethnicity, religion, health conditions, sexuality;
- copies of replies to correspondence; and
- records of to whom, if anyone, their correspondence was referred.
This information is only used for the purpose of communicating a reply to the correspondent either from ILGA or the relevant Minister’s Office. Once a matter has been progressed and processed, it is closed and filed accordingly on ILGA’s Content Management system.
3. The Privacy Principles
3.1. Applying the privacy principles in NSW
ILGA is guided by the principles in sections 8 to 19 of the PPIP Act and Schedule 1 of the HRIP Act:
- Sections 8 to 19 of the PPIP Act require public sector agencies to comply with 12 information protection principles (IPPs) when dealing with personal information. The IPPs govern the collection, retention, accuracy, use and disclosure of personal information, including rights of access and correction.
- Schedule 1 of the HRIP Act provides a similar set of privacy standards for health information. There are 15 health privacy principles (HPPs), and they are largely the same as the IPPs, but with no equivalent to IPP 12 (Sensitive) and with other additional obligations and standards instead.
See Appendix 1 for an overview of the 12 IPPs and 15 HPPs.
3.1.1. Collecting personal or health information (covered by IPPs 1-4 and HPPs 1-4)
ILGA will only collect personal or health information if it is:
- for a lawful purpose that is directly related to one of our functions; and
- reasonably necessary for ILGA to have the information.
ILGA will ensure that when personal and health information is collected from an individual, either verbally or in written form, the individual will be advised accordingly. This will be in the form of a collection notice that will include the purpose of the collection; any intended recipients of the information (where applicable); the individual’s right to access and correct the information; and the details of any agency that is collecting or holding the information on ILGA’s behalf (if applicable).
ILGA also advises individuals if the collection is voluntary or if it is lawfully required and informs individuals of any penalties or other possible consequences for not complying with ILGA’s request.
When collecting personal or health information from an individual, ILGA endeavours to ensure that the information is relevant, accurate, up to date and complete for the purposes for which it is being collected. ILGA will also endeavour to ensure that the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual, having regard to the purposes for which it is being collected.
3.1.2. Storing personal and health information (covered by IPP 5 and HPP 5)
ILGA takes reasonable security safeguards against the loss, unauthorised access, use, modification and disclosure of personal information.
ILGA has in place information security policies which provide guidance to staff around the handling and storage of personal information. This includes the use of unique user accounts and passwords to access our computer systems. Our staff do not give out passwords to anyone or let anyone else use their computer login.
ILGA’s security measures further include the use of restricted drives and authorised access.
Personal information is kept for no longer than is necessary and is disposed of in a secure manner once no longer required, in accordance with government requirements.
3.1.3. Accessing and amending personal or health information (covered by IPPs 6-8 and HPPs 6-8)
People have the right to access, amend and update personal information that ILGA holds about them. Generally, requests by an individual to access or amend their personal or health information can be made on an informal basis. ILGA does not charge any fees to access or amend personal or health information.
A request to access or amend any personal information held by ILGA can be made in writing to ILGA (see below – 10. Further Information and Contacts) and should:
- include the person’s name and contact details (postal address, telephone number and email address if applicable);
- explain what the person is seeking, such as whether the person is enquiring about the personal information held about them, or whether the person is wishing to access and amend that information; and
- if the person is seeking to access or amend their information:
  - explain what personal or health information the person wants to access or amend; and
  - explain how the person wants to access or amend it.
ILGA will endeavour to ensure that all personal and health information is accurate, complete and current.
If ILGA disagrees with the person about whether the information needs changing, we must instead allow the person to add a statement to our records.
3.1.4. Using personal and health information (covered by IPP 9-10 and HPP 9-10)
ILGA will only use personal or health information for the purposes for which it was collected or for other directly related purposes. At the time ILGA collects personal or health information from an individual, ILGA will notify the individual of the primary purpose for which the information is collected. If there is a need to use the information for another purpose, ILGA would ask for consent.
ILGA will also take reasonable steps to check the accuracy and relevance of personal or health information before using it. This means that if some time has passed since the information was collected, or there is any other reason to have concerns about the adequacy of the information, ILGA will take reasonable steps to check that it is still accurate, up-to-date, relevant, complete and not misleading.
3.1.5. Disclosing personal or health information (covered by IPPs 11-12 and HPP 11)
ILGA will only disclose personal or health information if:
- at the time ILGA collected their information, the person was given a privacy notice to inform them their information would or might be disclosed to the proposed recipient, and that disclosure is directly related to the purpose for which the information was collected,
- the person concerned has consented to the proposed disclosure, or
- an exemption applies (see section 3.1.6 for more information).
In addition to the above, ILGA can also disclose personal information (but not health information) if the person was notified of the disclosure at the time of collection – even if the purpose of that disclosure is not directly related to the purpose of collection. Notification of the disclosure is not enough in the case of health information unless the purpose of that disclosure is also directly related to the purpose of collection.
If an individual’s personal or health information is disclosed to other NSW public sector agencies, those agencies can only use information for the purpose for which it was disclosed to them. The information continues to be covered by the Acts.
3.1.6. Exemptions
There are a number of exemptions to the IPPs that limit their coverage in various ways, including:
- exchanges of information which are reasonably necessary for the purpose of referring inquiries between agencies (section 27A(b)(ii) of the PPIP Act);
- disclosure relating to law enforcement and related matters (section 23 of the PPIP Act);
- disclosure that would detrimentally affect complaint-handling or investigative functions (section 24 of the PPIP Act); and
- where non-compliance is lawfully authorised or required or otherwise lawfully permitted (section 25 of the PPIP Act).
Some additional exceptions apply to the collection, use and disclosure of health information, including for compassionate reasons, research, training and the management of health services. Information about which exceptions apply to each HPP can be found in Schedule 1 of the HRIP Act.
3.2. Liability and offences
It is important that all ILGA staff understand the IPPs and the HPPs. Part 8 of the PPIP Act and HRIP Act contain criminal offences applicable to ILGA’s staff who use or disclose personal or health information without authority. For example, there are criminal offences relating to:
- the corrupt disclosure and use of personal and health information by public sector officials; and
- offering to supply personal or health information that has been disclosed unlawfully.
ILGA staff receive compulsory privacy training to ensure they are aware of their responsibilities in handling personal information appropriately.
4. Code of Practice and PPIP section 41 Directions
Under the PPIP Act, Privacy Codes of Practice can be developed by agencies that provide for the modification of the application of one or more IPPs to particular activities or categories of information.
This is undertaken to take account of particular circumstances relating to legitimate use of personal information by agencies that might otherwise be in contradiction to the IPPs under the PPIP Act.
The Information and Privacy Commission can also prepare Codes of Practice common to a number of agencies. All Codes are approved by the NSW Attorney-General.
In addition, under section 41 of the PPIP Act the Privacy Commissioner may make a direction to waive or modify the requirement for an agency to comply with an IPP.
4.1. Privacy Code of Practice for the Public Service Commission
The NSW Public Service Commission has developed a Privacy Code of Practice for the Public Service Commission to allow analysis and reporting about employment characteristics. ILGA provides personal information to the NSW Public Service Commission for this purpose. Confidentiality and privacy arrangements underpin the workforce profile.
5. Public Registers
Under section 3(1) of the PPIP Act, a Public Register is defined as ‘a register of personal information that is required by law to be, or is made, publicly available or open to public inspection (whether or not on payment of a fee).’
The PPIP Act requires that a public sector agency responsible for keeping a Public Register must not disclose any personal information contained in it unless the agency is satisfied that it is to be used for a purpose relating to the purpose of the register.
When collating personal information required for any Public Registers, ILGA will only disclose this personal information where it is satisfied that the disclosure is for a purpose which relates to the register.
6. Internal Review
Where ILGA engages in certain conduct that adversely and unduly impacts an individual, that individual is entitled to seek internal review of the conduct. Conduct involving or claimed to involve any of the following is reviewable:
- the contravention by ILGA of an IPP or HPP that applies to ILGA;
- the contravention by ILGA of a health or privacy code of conduct that applies to ILGA; and
- the disclosure by ILGA of personal information kept on a Public Register.
ILGA encourages individuals to try to resolve privacy issues informally with ILGA before going through the internal review process.
An individual should remember that they have six months from when they become aware of the conduct to seek an internal review. The six-month timeframe continues to apply even if attempts are being made to resolve privacy concerns informally.
6.1 Request for Internal Review
An individual who considers they have been unduly impacted by ILGA’s conduct can contact ILGA to try and resolve the issue informally. Alternatively, or if no informal resolution can be reached, individuals can also make a complaint to ILGA under section 53 of the PPIP Act and request a formal internal review of ILGA’s conduct in relation to the privacy matter (Internal Review).
Applications for Internal Review must:
- be in writing addressed to ILGA;
- include a return address in Australia; and
- be lodged with ILGA within six months of the time the applicant first became aware of the conduct which is the subject of the application.
The form for applying for a review of conduct under section 53 of the PPIP Act is at Appendix 2.
Requests for review must specify the alleged conduct by ILGA which has resulted in a breach of the IPPs/HPPs or Code of Practice applicable to ILGA, or disclosure of personal information from Public Registers held by ILGA.
Applicants who are not satisfied with the findings of the review or the action taken by ILGA in relation to the Internal Review have the right to appeal to the NSW Civil and Administrative Tribunal (NCAT) under section 55 of the PPIP Act.
6.2 Internal Review Process
The ILGA Legal team is responsible for receiving, allocating and overseeing Internal Reviews in relation to privacy matters. The ILGA Legal team will receive all correspondence and enquiries regarding the Acts, including any Internal Review requests. The ILGA Legal team is also responsible for monitoring, recording and reporting on the progress of all Internal Review applications received.
Under section 54(1) of the PPIP Act, ILGA is required to notify the NSW Privacy Commissioner of the receipt of an Internal Review application and keep the NSW Privacy Commissioner informed of the progress of the Internal Review. In addition, the NSW Privacy Commissioner is entitled to make submissions to ILGA in relation to the application for Internal Review (section 54(2) of the PPIP Act).
Under section 53(6) of the PPIP Act, an Internal Review must be completed within 60 days of the receipt of the application.
When ILGA receives an Internal Review application, the ILGA Legal team will send:
- an acknowledgment letter to the applicant, advising that if the Internal Review is not completed within 60 days, they have a right to seek a review of the conduct by NCAT; and
- a letter to the NSW Privacy Commissioner notifying them of the Internal Review application and providing a copy of the application.
Internal Reviews will generally be conducted by a delegated officer with no involvement in the matter giving rise to the complaint of breach of privacy (the Reviewing Officer). The Reviewing Officer may seek legal or other assistance in conducting the review.
The Reviewing Officer responsible for completing the final determination must gather information and review the evidence to determine whether the alleged conduct occurred, and if so, whether it constituted a breach of the relevant privacy legislation. The Reviewing Officer must consider any relevant material submitted by the applicant or the NSW Privacy Commissioner.
The Reviewing Officer should prepare a draft report containing their findings and recommended actions. Before completing the Internal Review, the Reviewing Officer should send the draft report to the NSW Privacy Commissioner to invite any submissions.
In finalising the report, the Reviewing Officer will take into consideration any comments or recommendations provided by the Privacy Commissioner.
Following completion of the review, ILGA may do any one or more of the following:
- take no further action on the matter;
- make a formal apology to the applicant;
- take appropriate remedial action, which may include the payment of monetary compensation to the applicant;
- undertake that the conduct will not occur again; and/or
- implement administrative measures to ensure that the conduct will not occur again.
Under section 53(8) of the PPIP Act, as soon as practicable, or in any event within 14 days, after the completion of the Internal Review, ILGA must inform the applicant of the:
- findings of the review (and the reasons for those findings); and
- action proposed to be taken by ILGA (and the reasons for taking that action); and
- right of the person to have those findings, and ILGA’s proposed action, administratively reviewed by NCAT.
ILGA follows the model of the Internal Review process provided by the NSW Information and Privacy Commission (Appendix 3).
6.3 Extensions of time for lodgement
While the PPIP Act allows six months to apply for an internal review from the time the applicant first becomes aware of the conduct, ILGA may accept late applications. Possible acceptable reasons for delay may be:
- the applicant’s ill-health or other reasons relating to capacity, or
- the applicant only recently becoming aware of his or her right to seek an internal review, or the applicant reasonably believing that he or she would suffer ill-effects as a result of making an application at an earlier time.
However, late applications that cannot be investigated in a meaningful way because of their delay will be declined. In these cases, witnesses may no longer be available, documents may have been destroyed, and memories may have faded.
Final decisions on the acceptance of late applications will only be made by the Director of OILGA, or under his or her delegation. Where the decision is made not to accept an application because of delay, the reason will be explained in a letter to the applicant.
7. External Review
External review processes are also available through the Privacy Commissioner and NCAT.
7.1. Complaints to the Privacy Commissioner
Any individual who considers his or her privacy has been breached can make a complaint to the Privacy Commissioner under section 45 of the PPIP Act and this complaint can be made without going through the Internal Review process of ILGA. The complaint must be made within 6 months (or such later time as the Privacy Commissioner may allow) from the time the individual first became aware of the conduct or matter the subject of the complaint.
However, the Privacy Commissioner can decide not to deal with the complaint if it would be more appropriately dealt with as an Internal Review by ILGA (section 46(3)(e) of the PPIP Act).
7.2. Administrative Review by NCAT
If the applicant is not satisfied with the outcome of ILGA’s Internal Review, they may apply to NCAT to review the decision. If ILGA has not completed the Internal Review within 60 days, the applicant can also take the matter to NCAT.
A person must seek an Internal Review before they have the right to seek an external review with NCAT (section 55(1) of the PPIP Act).
To seek review by NCAT, the individual must apply within 28 days from the date of the Internal Review decision or within 28 days of the Internal Review not being completed within 60 days.
NCAT has the power to make binding decisions on an external review (section 55(2) of the PPIP Act). For more information including current forms and fees, please contact NCAT:
Website: https://www.ncat.nsw.gov.au/
Phone: 1300 006 228
Post: PO Box K1026, Haymarket NSW 1240
Visit: NSW Civil and Administrative Tribunal
Administrative and Equal Opportunity Division
Level 10 John Maddison Tower
86-90 Goulburn Street
Sydney NSW 2000
8. Data breaches
Data breaches may cause significant disruption, damage individuals whose personal information has been affected, and compromise ILGA’s ability to serve the public and its stakeholders. Good data breach management will assist in minimising all of these harms and reduce the likelihood and severity of future data breaches.
The ILGA Data Breach Policy (Policy) outlines the procedures and practices ILGA must follow in relation to detecting, responding to, managing and assessing data breaches and, if relevant, notifying and reporting ‘eligible data breaches’ in accordance with the Mandatory Notification of Data Breach Scheme (the MNDB Scheme) under Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).
The MNDB Scheme requires ILGA to notify the Privacy Commissioner and affected individuals of certain data breaches, being those that cause ‘serious harm’.
What is a data breach?
A data breach is an incident in which there has been unauthorised access to, unauthorised disclosure of, or loss of, personal information held by (or on behalf of) ILGA or any accidental or unlawful destruction or alteration of personal information held by (or on behalf of) ILGA.
Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of potential and actual harms (including serious harm) to individuals and agencies.
What is an eligible data breach?
If there are reasonable grounds to believe that the data breach has resulted in, or is likely to result in, serious harm to one or more of the individuals to whom the information relates, the data breach is an ‘eligible data breach’.
‘Serious harm’ occurs where the harm arising from the eligible data breach has resulted, or may result, in a real and substantial detrimental effect to the individual. The effect on the individual must be more than mere irritation, annoyance or inconvenience. Harm to an individual includes serious physical, psychological, emotional, financial or reputational harm.
Assessment of the likelihood of serious harm from a data breach is an objective test. That is, ‘likely to result’ means the risk of serious harm to an individual is more probable than not.
If a data breach is assessed as an eligible data breach, then, in accordance with procedures and the MNDB Scheme, ILGA will notify the Privacy Commissioner and affected individuals where required.
Data breach response and reporting
ILGA will consider a number of factors in assessing a data breach, including the NSW Privacy Commissioner’s statutory guidelines. In summary, ILGA will follow these steps in response to all data breaches:
- Step 1: Contain the data breach and conduct a preliminary assessment
- Step 2: Evaluate and mitigate the risks associated with the data breach
- Step 3: Notify and communicate
- Step 4: Prevent future data breaches
- Step 5: Record keeping requirements
ILGA will maintain an internal register of all eligible data breaches impacting ILGA and maintain a public notification register on the ILGA website.
For further detailed guidance on these steps and how ILGA will respond to data breaches, refer to the Policy.
9. Promoting the Plan
9.1. Executive and Governance
ILGA is committed to transparency in relation to compliance with the Acts. ILGA reinforces transparency and compliance with the Acts by:
- endorsing this Plan and making it publicly available;
- reviewing and updating the Plan every three years; and
- reporting on privacy issues in ILGA’s Annual Report in line with the Annual Reports (Departments) Act 1985 (NSW).
9.2. Staff Awareness
To ensure that ILGA staff are aware of their rights and obligations under the Acts, ILGA will:
- publish this Plan and additional material on the ILGA website;
- provide training as required on this Plan to raise awareness and appreciation of the privacy requirements; and
- schedule an annual review and update of this Plan, or more frequent reviews and updates if needed.
10. Further information and contacts
For further information about this Plan, the personal and health information ILGA holds, or if you have any concerns, please contact ILGA:
Independent Liquor and Gaming Authority
McKell Building 2-24 Rawson Place
Sydney NSW 2000
Email: office@ilga.nsw.gov.au
For more information on privacy rights and obligations in New South Wales, please contact the NSW Privacy Commissioner at:
NSW Information and Privacy Commission
Level 17, 201 Elizabeth Street
Sydney NSW 2000
Phone: 1800 472 679
Web: www.ipc.nsw.gov.au
Email: ipcinfo@ipc.nsw.gov.au
Variation
The Office of ILGA will coordinate a review of this Plan on an annual basis.