Privacy and your rights
Our customers are entitled to expect that we will treat any information provided by a customer within the terms of relevant privacy responsibilities. For information about how the Department of Justice deals with the personal information of its customers, please visit the
Privacy Management Plan. For information about your right to privacy and the Privacy and Personal Information Protection Act, please visit the website of the
Version 2.0 December 2017
About this Policy
The Privacy and Personal Information Protection Act 1998 (PPIP Act) and the
Health Records and Information Privacy Act 2002 (HRIP Act) applies to NSW public sector agencies including local councils and universities.
The specific legal obligations of the Department when collecting and handling your personal information are outlined in the PPIP Act and the HRIP Act, the Codes of Practice and Privacy Regulations.
What is Personal Information?
Personal Information is defined in the PPIP Act as information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from that information or opinion. Personal Information includes, for example, names, addresses, telephone numbers, email addresses, dates of birth and passport numbers.
Under the PPIP Act / HRIP Act some of the types of information about an individual that are not considered personal information, include:
- when it relates to a person who has been dead for more than 30 years;
- when it is contained in a publicly available publication;
- information arising out of a Royal Commission or Special Commission of Inquiry;
- information contained in Cabinet documents; or
- the exercise of judicial functions by a court or tribunal.
What personal information do we collect?
Personal information is collected by the Department through:
- the Department's website;
- call centres - telephone enquiries;
- general e-mail enquiry accounts;
- correspondence received from members of the public;
- individuals signing up to mailing lists;
- individuals who register for events; and
- feedback forms.
Personal information we collect is handled in accordance with the PPIP Act and the HRIP Act. The types of personal information collected include:
- telephone numbers;
- email addresses;
- dates of birth;
- IP addresses; and
- Other personal information as specified in this Policy.
More detailed information about how the Divisions within the Department (Veterans Affairs, Juvenile Justice, Corrective Service NSW, Office for Police, Office of Emergency Management, Justice Services, Justice Strategy and Policy, Court and Tribunal Services, Corporate Services, Office of the Secretary) handle personal information is set out in the Department's
Privacy Management Plan.
Personal Information provided by you
The Department aims to collect personal information about you directly from you. This may occur when you:
- Contact us to ask for information;
- Contact us for assistance with or consideration of an application specific to your circumstances;
- Inform or notify the Department about an issue;
- Provide submissions to the Department;
- Make a complaint;
- Ask for access to information held by the Department; or
- Apply for a job with the Department / provide referee reports.
We may collect your personal information from third parties, for example, your legal or other authorised representative or respondents to a complaint or inquiry.
We may also collect personal information from publicly available sources, for example, to enable us to contact stakeholders who may be interested in our work or in participating in our consultation.
Some agencies in the Department are lawfully authorised to collect information about you from third parties such as law enforcement agencies, investigative agencies or other public sector or private sector organisations when authorised by law, enabled by a privacy or health code of practice, public interest direction or with the consent of the individual.
When an agency in the
Department collects personal information as part of its functions and activities, the agency will have its own privacy statement(s) and/or collection notices explaining how your personal information will be collected, used, stored and disclosed.
Automatic and Indirect collection of personal information
We use Google Analytics to collect data about your interaction with the Department's website. The sole purpose of collecting your data by using Google Analytics, is to improve your experience when using the Department's website. The types of data we collect include:
- your device's IP address (collected and stored in an anonymised format);
- device screen size;
- device type, operating system and browser information;
- geographic location (country only);
- referring domain and out link if applicable;
- search terms and pages visited;and
- date and time when website pages were accessed.
The collecting of the data noted above is combined with similar logged information. This combined information is used to improve the services provided by the Justice website. The Department will extract and publish this combined information about usage patterns from these records. For example, our usage reports will examine trends based on the following information – your server address, your top level domain name (for example .com, .gov, .au, .uk etc), the date and time of visit to the site, the pages accessed, documents downloaded, the previous site visited and the type of browser used and operating system
The Department will gather extensive information relating to access to our website in the following circumstances:
- unauthorised attempts to access information that is not published on the Department of Justice website pages;
- unauthorised tampering or interference with information published on the Department's website;
- unauthorised attempts to index the contents of the Department's website by other websites;
- attempts to intercept messages of other Department of Justice website users;
- communications that are defamatory, abusive, vilify individuals or groups or that give rise to a suspicion that a criminal offence is being committed; and
- attempts to compromise the security of the web server, breach the laws of the State of New South Wales or Commonwealth of Australia, or interfere with the enjoyment of the Department's website by other users.
On its websites the Department provides feedback facilities to allow users to provide input into the future development of its websites and comment on the provision of services.
Users are required to provide the Department with a name and an email address to enable a reply to any feedback. This information will only be used for the purpose for which it was provided. Your name and email address will not be added to any mailing list.
Storage and Security
We take steps to protect the security of the personal information we hold from both internal and external threats by:
- regularly assessing the risk of misuse, interference, loss, and unauthorised access, modification or disclosure of information;
- providing targeted privacy training to the various agencies in the Department;
- where appropriate, staff and service providers are required to sign confidentiality agreements regarding access to personal information held by the Department; and
- Agencies in the Department are encouraged to develop robust governance frameworks in relation to the handling of personal information.
Information collected by the Department is stored securely in accordance with State Archives requirements. More detailed information on security standards and practices is available in our
Privacy Management Plan.
Access by Departmental employees, contractors or other authorised parties to personal information held by the Department is determined by role and the need for access. Unauthorised access to and use of personal information is taken seriously as it constitutes a data breach and disciplinary or other action may be taken by the Department.
Personal Information is only retained as long as necessary and securely destroyed or de-identified once it is no longer required by law. Further information about records disposal authorities relevant to agencies in the Department is set out in the Department's
Privacy Management Plan and the State Records Authority.
Social Networking Services
We use social networking services such as Twitter, Facebook, LinkedIn and YouTube to communicate with the public about our work. When you communicate with us using these services we do not collect your personal information.
We will require your name, contact information and sufficient information relating to your inquiry in order to carry out most of our functions in order to provide you with a service.
Where possible we will allow you to interact with us anonymously or by using a pseudonym. For example, if you contact an enquiry line with a general question you will not be required to provide your name unless we need our personal information to adequately handle your question.
Use of Personal Information
The personal information you provide to the Department will be used for the primary purpose for which you provided it and any secondary purposes where it is directly related to that primary purpose. Detailed information in relation to the use of information collected by the agencies in the Department is detailed in the
Privacy Management Plan.
Disclosure of personal information
The Department will disclose your personal information in the following circumstances:
- where you have already been made aware of the disclosure to third parties;
- the disclosure is required to be made to an investigative or law enforcement agency (as defined in the PPIP Act)'
- the disclosure is authorised or required by law;
- the disclosure to a third party is necessary to prevent or lessen a serious and imminent threat to the life or health of you or another person; or
- with your consent.
More specific information about disclosure of information is contained in the Department's
Privacy Management Plan and privacy statements relevant to each agency's functions and activities.
To protect the personal information we disclose we may, where appropriate:
- enter into a contract or Memorandum of Understanding (MOU) requiring the service provider to only use or disclose the information for the purposes of the contract or MOU; and / or
- include special privacy requirements / clauses in the contract or MOU, where necessary.
Quality of personal information
To ensure the personal information we collect is accurate, up-to-date and complete we:
- record information in a consistent format;
- where necessary, confirm the accuracy of information we collect if the information is collected from a third party or a public source; and
- promptly add updated or new personal information to existing records.
We also take reasonable steps to review the quality of personal information before we use or disclose it to third parties as set out in the
Privacy Management Plan.
How can I access or amend my personal information
Under the PPIP Act and the HRIP Act you have a right to ask for access to personal information / health information we hold about you. You also have a right to ask that we correct that personal / health information if you believe it is incorrect.
You can ask for access to your personal information or for a correction to that personal information by contacting us. If you ask, we must give you access to your personal information unless there is a lawful reason preventing that access. We must take reasonable steps to correct personal information if we consider it is inaccurate or incorrect, unless a law prevents us from doing so. If we refuse to correct your personal information, you can ask us to associate with it (for example, attach or link) a statement that you believe the information is incorrect and why you hold this belief.
You also have the right under the
Government Information (Public Access) Act 2009 (GIPA) to request access to documents that we hold. Excluded information of some agencies, as set out in Schedule 2 of the GIPA Act ( e.g the Office of the Legal Services Commissioner, NSW Trustee and Guardian) cannot be accessed under the GIPA Act. Further information about accessing information under the GIPA Act is available on the Justice
Access to Information page.
Privacy Amendment (Notifiable Data Breaches) Act 2017 establishes a Notifiable Data Breaches (NDB) scheme which is due to commence on 22 February 2018. NDB applies to the Department as a tax file number recipient (TFN) as the Department holds Tax File Numbers for employment and other business related purposes. A TFN recipient is any person who is in possession or control of a record that contains TFN information
A Notifiable Data Breach is a data breach that is likely to result in serious harm to any person to whom the information relates. A data breach may occur where personal information held by the Department is lost or subject to unauthorised access or disclosure.
Further information in relation to the scheme is accessible through the following links:
A data breach or allegation of a breach relating to any agency within the Department will be promptly notified to the Office of the General Counsel, Department of Justice. The Office of the General Counsel will coordinate a response to deal with the incident/alleged breach. Responding to a data breach notification to the Office of the General Counsel may include targeted inquiries about the nature and extent of the breach, notification of affected individuals, notifying the NSW Privacy Commissioner and facilitating remedial action.
If you would like to make a complaint regarding an alleged breach of privacy by the Department of Justice you may do so in writing to the Office of the General Counsel, Department of Justice. Further information on how to lodge a complaint, the internal review application form and assistance on how to complete an internal review application form is available through the following link:
Any comments or enquiries regarding this Policy and any concerns or complaints about the information handling practices of the Department of Justice can be addressed to the Office of the General Counsel, Department of Justice:
Open Government Information and Privacy Unit
Telephone: (02) 8346 1329
Alternatively, complaints or concerns about your privacy may be directed to the NSW Privacy Commissioner:
Phone: 1800 472 679
Mailing address: Level 17, 201 Elizabeth Street Sydney 2000
This Policy is reviewed annually and was last reviewed in December 2017.
Any further enquiries should be directed to:
Open Government Information and Privacy
Telephone: (02) 8346 1294