Privacy and personal information

Crown land managers (CLMs) may regularly deal with personal information about board members, employees and volunteers. You may also collect or hold information about visitors to the reserve, such as surf club members, rifle range users or caravan park guests.

As such, you need to be aware of your responsibilities under the Privacy & Personal Information Protection Act 1998 (PPIP Act), and how to deal with issues concerning your handling of private information.

Privacy obligations govern how you:

  • collect and handle personal information relating to individuals
  • deal with complaints about the way you have handled personal information.

As a CLM, you will be mostly concerned with the personal information of individuals and its:

  • collection
  • storage
  • access
  • use
  • disclosure.

Gathering images through surveillance for security purposes may also be an issue for some CLMs.

An individual may complain if they feel you have misused their personal information or breached their privacy.

Personal Information

Personal information is essentially any information or opinions about a person where that person’s identity is apparent or can be fairly easily worked out. Personal information can include a person’s name, address, family life, sexual preferences, financial information, fingerprints and photos.

There are some kinds of information that are not considered personal information, for example information about someone who has been dead for more than 30 years, information about someone that is contained in a publicly available publication, or information or an opinion about a person’s suitability for employment as a public sector official. Health information is generally excluded because it is covered by the Health Records and Information Privacy Act 2002.

Information protection principles

You need to comply with the PPIP Act’s information protection principles which describe what CLMs must do when collecting, storing, using and disclosing personal information.

In essence, you should collect only the information you need and make sure it is stored securely and only for as long as it's needed. You should also ensure the person involved: understands what information you’re collecting; consents to you collecting the information; understands why you’re collecting it and who (if anyone) it will be shared with.

The 12 information protection principles

Collection of personal information:

  1. Lawful – Only collect personal information for a lawful purpose. Only collect the information if it is directly related to the CLMs activities and necessary for that purpose.
  2. Direct – Only collect information directly from the person concerned, unless they have given consent otherwise.
  3. Open – Individuals are to be told what information is being collected, why it is being collected, how it will be stored and who will be using it. The individual must be advised how they can view and correct this information, if they wish.
  4. Relevant – Ensure that the information collected is relevant, accurate, up-to-date and that the amount collected is not excessive. Ensure that the collection does not unreasonably intrude into the personal affairs of the individual.


  1. Secure – Ensure that personal information is stored securely, not kept any longer than necessary, and disposed of appropriately. Information should be protected from unauthorised access, use or disclosure. Retention period and disposal schedules are determined by the State Records Act 1998.


  1. Transparent – Explain to the individual what personal information  is being stored, why it is being collected and any rights they have to access it.
  2. Accessible – Allow people to access their personal information without unreasonable delay or expense.
  3. Correct – Allow people to update, correct or amend their personal information where necessary.


  1. Accurate – Ensure that personal information is relevant and accurate before using it.
  2. Limited – Only use personal information for the purpose for which it was collected, a directly related purpose, or a purpose to which the individual has given consent. However, personal information can be used without consent in order to deal with a serious and imminent threat to any person’s health or safety.


  1. Restricted – Only disclose personal information if the person has given their consent or if they were informed at the time of collection that it would be disclosed in this way. Only disclose the information for a related purpose if the person concerned is not likely to object.
  2. Safeguarded – Do not disclose sensitive personal information, for example information about a person’s ethnic or racial origin, political opinions, religious or philosophical beliefs, health or sexual activities or trade union membership. Sensitive information can only be disclosed without consent in order to deal with a serious and imminent threat to any person’s health or safety, or if required by law, for instance, by a subpoena.

Review rights and complaints

Internal review

People have the right to seek an internal review under the PPIP Act if they think a CLM has breached the PPIP Act or Health Records and Information Privacy Act 2002 relating to their own personal information. People cannot seek an internal review for a breach of someone else’s privacy, unless they are authorised representatives of that other person.

Internal review requirements and processes

People must apply for an internal review within six months of when they first become aware of the breach.

Under the PPIP Act, an application for internal review must:

  • be in writing
  • be addressed to the department
  • specify an address in Australia to which the review decision can be sent.

If a CLM receives a request for internal review, you must immediately forward that request to the department.

A breach of privacy must be notified to the NSW Privacy Commissioner. This is done by the department's Director, Governance and Information Unit.

Other ways to resolve privacy concerns

It makes sense to encourage people to try to resolve privacy issues informally before going through the formal review process, or to at least first discuss the matter with the department.

A person can also raise concerns by:

Relevant legislation

Further guidance

NSW Information and Privacy Commission

GPO Box 7011, Sydney. NSW 2001

Tel: 1800 472 679


Contact the department for more information.

Sign up for our eNewsletter to receive updates.