The Privacy and Personal Information Protection Act, 1998 (PPIPA) provides protection for personal information and the privacy of individuals in general. To achieve this PPIPA introduces a set of privacy principles that regulate the way Council deals with personal information.
Shoalhaven City Council is committed to protecting the privacy of our customers, business contacts, Councillors, employees, contractors and volunteers. The Privacy Management Plan details how Shoalhaven City Council manages the personal and health information it collects, stores, accesses, uses and discloses in the course of its business activities.
Privacy Management Plan
The Privacy and Personal Information Protection Act 1998 [PPIPA] requires all public sector agencies to prepare, implement and review their Privacy Management Plan at least every three years. This policy outlines how Shoalhaven City Council complies with the legislative requirements of the PPIPA, the Health Records and Information Privacy Act 2002 [HRIPA] and the Privacy Code of Practice for Local Government
It is designed to inform the community and educate staff on access to personal information and to introduce Council policies and procedures to maximise compliance with the PPIPA and the HRIPA.
Council's Privacy Management Plan (PDF 2.3 mb)
Privacy code of practice for Local Government
A Privacy Code of Practice (for Local Government)
was approved by the Attorney General and is binding on all local government authorities. The Code modifies the privacy principles and the public register provisions of the Privacy Act and enables Councils to fulfil their statutory duties whilst still complying with the Act.
What is personal information?
Personal information is defined as:
"information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. This information can be on a database and does not necessarily have to be recorded in a material form"
What is not personal information?
Personal information does not include information about an individual that is contained in a publicly available publication. Personal information, once it is contained in a publicly available publication, ceases to be covered by the PPIPA.
Where the Council is requested to provide access or make a disclosure and that information has already been published, then the Council will rely on the provisions of the relevant Act that authorises Council to hold that information and not the PPIPA (for example, a formal or informal request under the Government Information (Public Access) Act 2009 [GIPAA].
In accordance with GIPAA, when inviting public submissions Council will advise people that their submission, including any personal information in the submission, may be made publicly available.
How is personal information protected?
Information is protected by a number of information protection principles contained within the Act. In general terms, the principles apply to the way material is collected, stored, used and disclosed. A summary of the information protection principles appears at the end of this page. It should be noted that the privacy legislation relates to personal information only.
What is a public register?
A public register is defined as "a register of personal information that is required by law to be, or is made, publicly available or open to public inspection (whether or not on payment of a fee)".
Council holds public registers under the LGA, including:
- Land Register
- Records of Approvals
- Register of Disclosures of Interests
- this is purely indicative. Council may, by virtue of its own practice, hold other public registers, to which PPIPA applies.
Council holds public registers under the Environmental Planning and Assessment Act 1979 [EPA]:
- Register of consents and certificates
- Record of building certificates
Council holds a public register under the Protection of the Environment Operations Act 1997 [POEO]:
- Public register of licences
Council holds a public register under the Impounding Act 1993 [IA]:
The register required to be kept under the Companion Animals Act, 1998 is not considered to be a public register in terms of the PPIP Act.
Request for information held on a public register?
Requests for access, copying or the sale of the whole or a substantial part of a public register held by Council will not always fit within the purpose of a particular register. Council will be guided by the Code in this respect and will make an assessment as to the minimum amount of personal information that is required to be disclosed.
Where council officers have doubt as to the intended use of the information, an applicant may be requested to provide a statutory declaration so that Council may satisfy itself as to the intended use of the information. Council will make its assessment as to the minimum amount of personal information that is required to be disclosed with regard to any request.
Statutory Declaration - Access to Public Register
What is a legitimate purpose?
According to the Information & Privacy Commission NSW most public concern about privacy breaches from councils relate to personal information disclosed from the rate record.
The primary purpose of rate record is to record the value of a parcel of land and record rate liability in respect of that land. The secondary purpose includes recording the owner or lessee of each parcel of land. Due to the emphasis on local government processes and information being open and accountable, it is considered that a secondary purpose for which all public registers are held includes the provision of access to members of the public. Of course only the minimum amount of personal information should be disclosed in regard to any request.
Use by Council
Legitimate Council use would include:
- levying of rates on a property
- taking out easements over properties
- bushfire hazard & noxious weed control
- law enforcement
- notification of development proposals
- administrative purposes
Use by government agencies
Applications for personal information from a register (bulk listings etc) should be in writing and proposed use should be clearly stated. The use should always relate to activities associated with the functions of that agency. (eg DUAP, Waterways, National Parks & Forestry). Other government agencies such as Centrelink and Veterans Affairs will be provided with information where there is a legal requirement to do so.
One of the main reasons for including public register provisions in privacy legislation was to provide a means of addressing widespread public concerns over the commercial sale of council information. It was generally felt that the information was being used for a reason that had no clear relationship to the reasons for which it was collected. The use of information for marketing purposes therefore needs to be distinguished from legitimate professional use by valuers and real estate agents.
With regard to the sale of bulk data (rate record and building/development statistics), Council has taken steps to remove all personal information (names & mailing addresses) from lists and subscribers have been advised accordingly. Lists containing property information only, will continue to be made available for inspection or purchase.
Land transfer notices have traditionally been made available for the inspection of valuers. It is recognised that the names of vendors and purchasers are required in order that valuers can establish whether the price reflects an arms length sale or not. Whilst councils are not the only source of this information this is considered to be a legitimate use and Council will therefore allow this access to continue.
Legitimate uses would include those relating to;
- possible sale of a property (prospective purchasers)
- dividing fences
- conveyancing matters
- proposals for use of land (agistment, parking)
- notifications of backyard burning
- contact with property owners re complaints (drainage, trees, noise etc)
- matters involving the safety of a person
- matters where it is considered that the person would want to be contacted
- A person wishing to access their own details from a public register need only to prove their identity to Council.
Whilst inappropriate uses are more difficult to define, examples could include;
- where the information was to be used for marketing purposes
- where it is reasonable to assume that the applicant is contemplating a violent act against the person who is the subject of the enquiry
- where the information is to be used for private debt recovery purposes
- where the person named on the register is unlikely to agree to the release of the information for the reason given (apart from those legitimate uses mentioned above)
Can a person apply to have their details removed from a public register?
The Act gives people a right to have their personal details hidden or removed from a public register where they can show that the safety or well-being of any person might be affected if the information was to remain on the record. Council must suppress the information unless it is satisfied that the public interest in maintaining public access to the information outweighs any individual interest.
An application for suppression should be made in writing and addressed to the General Manager. It must contain sufficient detail to allow for the proper assessment of the application and supporting documentation may be required.
What can an individual do if personal information is collected or used wrongly?
A number of legal remedies are available to people who feel they have had their privacy breached. The aggrieved person may lodge a complaint with the Privacy Commissioner or apply to Council for a review of the conduct which is the subject of the complaint.
There are five possible things an agency can do about a complaint. It can:
- offer a remedy such as compensation;
- promise that the behaviour will not occur again;
- change its operations to make sure that the behaviour will not occur again;
- or do nothing.
If the complainant is not satisfied with the Council's findings or what Council proposes to do, they can appeal to the Administrative Decisions Tribunal. One of the more significant orders the Administrative Decisions Tribunal can make is awarding damages of up to $40,000 to the person making the complaint, where that person has suffered financial loss or was physically or psychologically injured.
The Act details offences for corruptly dealing with personal information. Harsh penalties (up to a maximum of $11,000 and 2 years in prison) can be given if public sector officials, including former public sector officials, deliberately disclose, or offer to supply personal information outside of their lawful powers. Penalties also apply to any other persons who induce or attempt to induce a public sector official to act in this way (eg bribes and other such conduct).
Information protection principles
The information protection principles are summarised as follows:-
Principle 1 - Collection of information for lawful purposes
- personal information must not be collected unless for a lawful purpose which is directly related to function or activity of the agency and collection is reasonably necessary for that purpose
- collection of personal information must not be by any unlawful means
Principle 2 - Collection of information directly from the individual
- personal information must be collected directly from the individual unless that person has authorised collection from someone else
- in the case of a person under 16 years of age, collection may be from a parent or guardian
Principle 3 - Requirements when collecting information
If collected from an individual reasonable steps must be taken to ensure that, before collection or soon after, the individual is aware of:
- the collection of the information
- purpose of collection
- intended recipients of the information
- whether supply of information was required by law or voluntary
- existence of rights of access to and/or correction of information name & address of agency collecting and the agency that is holding the information
Principle 4 - Other requirements relating to collection of personal information
- collection must be relevant, not excessive, accurate & up to date and complete
- collection does not intrude, to an unreasonable extent, on the personal affairs of an individual
Principle 5 - Retention & security
In holding information Council must ensure that:-
- it is not kept for longer than necessary for lawful use
- it is disposed of securely and lawfully
- reasonable steps are taken to protect against loss, unauthorised access, use, modification or disclosure & all other misuse
- reasonable steps are taken to protect against misuse outside Council (consultants, contractors)
Principle 6 - Information about personal information held by Council
Council must take such steps as are reasonable to enable any person to ascertain:
- whether personal information is held by Council, generally
- whether personal information is held about that person and if so, the nature of information, purpose of use & entitlement to access
Principle 7 - Access to personal information held by Council
Council must provide access to information to an individual to whom the information relates
Principle 8 - Alteration of personal information
Personal information of the individual concerned must be amended on request so as to ensure accuracy
Principle 9 - Accuracy of information
Personal information must not be used unless, prior to use, reasonable steps have been taken to ensure its accuracy
Principle 10 - Limits of use of information
Personal information must not be used for any purpose other than the purpose for which it was collected unless:
- the individual consents to the use the other purpose relates to the original purpose for collection
- use of information would prevent or lessen a serious & imminent threat to life or health of the individual.
For Further information about Privacy please contact:
Shoalhaven City Council
Information and Privacy Officer
PO Box 42
NOWRA NSW 2541
Telephone: (02) 4429 3111
Information & Privacy Commission NSW
GPO Box 7011
SYDNEY NSW 2001
Freecall: 1800 472 679
Website : www.ipc.nsw.gov.au
Administrative Decisions Tribunal
John Maddison Tower
86-90 Goulburn Street
SYDNEY NSW 2000
Phone: (02) 9377 5711
Fax: (02) 9377 5723