Q&A with Elizabeth Coombs on privacy #iam_2016 May 3, 2016

To celebrate Information Awareness Month 2016 we are publishing a series of Q&As with colleagues who have an interest in good records and information management. First up we have a Q&A with Dr Elizabeth Coombs about privacy and information governance.

Dr Coombs is the NSW Privacy Commissioner. In this role she promotes privacy, prepares reports recommending legislative, administrative or other action in the interests of privacy, and conducts inquiries and investigations into privacy related matters. The Privacy Commissioner administers the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act).

In this post, Dr Coombs answers questions about privacy-related legislation, privacy considerations when establishing information governance frameworks, and the benefits of having a privacy framework in NSW.

1. In New South Wales, we have two laws which specifically regulate the collection, use and disclosure of personal information, the Privacy & Personal Information Protection Act 1998 (PPIP Act) and the Health Records & Information Privacy Act 2002 (HRIP Act). What other legal requirements are there for the protection, use and disclosure of personal information?

There are other pieces of legislation that need to be considered, for example the State Records Act 1998. As an agency officer you would need to look internally to your governance and legislation. Family and Community Services in certain circumstances should also give consideration to other Acts such as the Children’s Court Act 1987, Guardianship Act 1987 and Children and Young Persons (Care and Protection) Act 1998, etc., as well as the requirements of the State Records Act 1998. The Local Government (Councils) in some circumstances should consider the Local Government Act 1993 along with the Swimming Pools (Amendment) Act 2012 or Public Health Act 2010, etc., along with the State Records Act 1998.

2. May 2016 is Information and Privacy Awareness Month with a focus on information governance. Good information governance frameworks ensure that organisational records and information are managed appropriately, and increasingly utilise “by-design” approaches to do so. What are your top tips for incorporating privacy into by-design approaches to records and information management?

Information privacy is an important element of privacy. Go to our Privacy Governance Framework; the framework has been created to help agencies to better understand privacy risks and opportunities, and to address their roles and responsibilities in relation to privacy management of information. Sadly, it has not been possible to have this Framework updated for health privacy in time for Privacy Awareness Month.

3. Increasingly organisations are using cloud-based service offerings. What are the key privacy requirements that should be considered in contractual arrangements?

If an agency is considering using cloud-based services, for example storage, I suggest that they familiarise themselves with the Department of Finance, Services and Innovation’s ICT Strategy and also their Cloud Policy.

Also under s19(2) of the PPIP Act you are required to evaluate the laws in the region where your information is stored to ensure the same standard as NSW.

4. What do you think are the key benefits of having a well-articulated privacy framework in NSW Government?

It makes clear the rights and responsibilities of all involved – the citizen as well as those of the public and private sector organisation. So adherence to good privacy management gains trust and is an important part of good service delivery.

5. Government data and information are valuable assets, which can be re-used for beneficial research and analytics purposes. What do you think are the key privacy considerations for re-using government data and information for research and analytics purposes?

The key and primary question is ‘does the research require personal or health information?’ There is the potential to seriously impinge on privacy rights through re-purposing information; however, if used in a privacy-respectful manner there is the potential to enhance this information asset of NSW. Used appropriately, it can assist in determining where the need for greater resources is within our community.

In addition, major issues in this space are consent and de-identification of data in ways where the data cannot be re-identified or remains permanently anonymous.


Thank you to Dr Coombs for taking the time to answer these questions! For more information about the role of the Privacy Commissioner and privacy in NSW, go to the Information and Privacy Commission website.


Image credits: Information and Privacy Commission