NSW Government Agency Privacy Issues - What to Do?

Australia's #1 for Law
Join 150,000 Australians every month. Ask a question, respond to a question and better understand the law today!
FREE - Join Now


Well-Known Member
26 November 2016
I have a privacy complaint against a government agency. The details of the actual complaint are not relevant here, but the matter relates to alleged breaches in the Health Records and Information Privacy (HRIP) Act by the agency.

Although I won't go into the reasons why I believe this to be the case, I allege that the agency breached section 70(1)(a)(iii) of the HRIP Act, which states:

A person must not, by threat, intimidation or misrepresentation, persuade or attempt to persuade an individual to refrain from making or pursuing an application under Part 5 of the PPIP Act with respect to the alleged contravention of a Health Privacy Principle or a health privacy code of practice.

Basically I think the agency convinced me into withdrawing an internal review application based on a misrepresentation. About 6 months later, when new information came to light, on multiple occasions, they refused to conduct an internal review by claiming that I had no reasonable grounds to request an internal review. Many months later, I would come to learn that the agency had no discretionary power in refusing to conduct an internal review.

The irony here is that the privacy complaint is extremely serious. In fact, I think the person making these claims may have done so deliberately and the agency has told me that this person is now on extended leave from their position for the next 12 months. I think this is their way of saying that they've been fired.

I also believe that the agency breached section 70(2)(a) of the HRIP Act, which states:

A person must not, by threat, intimidation or false representation, require another person to give a consent under this Act.

Here, I am alleging that the agency tried to trick me into agreeing to do something, with the intention of getting me to grant them consent for something else. Yes, you read correctly. I have never encountered anything like this before, and I am extremely disturbed by it -- more so than the original privacy complaint.

I note that the maximum penalty for breaching section 70 is 100 penalty units and that Section 74 of the HRIP Act states:

Proceedings for an offence against this Act are to be dealt with summarily before a Local Court.

My questions are as follows:

1. I intend to take the privacy complaint relating to breaches in Health Privacy Principles to the NCAT. In the process of dealing with this complaint, would the Tribunal refer the above breaches to another body e.g. NSW Ombudsman? I ask because I don't believe that the NCAT has jurisdiction over these breaches, only breaches in the Health Privacy Principles.

2. Supposing the agency is found to have breached section 70 of the HRIP Act, who "gets" the civil penalty for the breach? Does one government agency get fined by another government agency, or would I, as the aggrieved be awarded that civil penalty?

3. I believe that the agency breached section 70 on at least 6 discrete occasions. Would its possible liability be 6 x 100 penalty units? Or would they all counted as one breach, if it was handled as a single complaint?

Any help would be great. And references or relevant case law would be divine.


Active Member
20 February 2018
Hi There. I am not a lawyer and this is only from memory... You can apply to NCAT to accept a late application. I think you 6 months from finding out about the breach to request an internal review,
If you are dissatisfied with the outcome of an internal review or if it is not completed within 60 days, you have 28 days to seek an external review by the NSW Civil and Administrative Tribunal (NCAT). You can only apply to NCAT if you have made an application in writing to the organisation for an internal review.
If you put it in writing requesting an internal review now and provide your reasons for the request being late, the organisation can consider a late request.

The NSW Privacy Commissioner has an oversight role in the internal review, and can appear at the NCAT in an independent capacity.
There is a plenty of information on the Information and Privacy Commission NSW website which explains. Put privacy breach into the search.

No you dont get the penalty. You can apply for compensation to be awarded by NCAT but you need to prove the harm the privacy breach has had.

Perhaps you should contact the Information and Privacy Commission. You can also contact HCCC and the Ombudsmen about your complaints.

Hope this helps
  • Like
Reactions: zena*


Well-Known Member
11 November 2019
Best thing I can offer is DO NOT WASTE YOUR TIME, HEALTH and WELL BEING trying to deal with privacy commissioner, ombudsman or foi. They will run you in loops for years, delay the process and then making you start all over again. Unfortunately, they are there for perception and to frustrate, not do their job.

Trust me, i have been there.