Review of Privacy Management Plan 2023

Share Review of Privacy Management Plan 2023 on Facebook Share Review of Privacy Management Plan 2023 on Twitter Share Review of Privacy Management Plan 2023 on Linkedin Email Review of Privacy Management Plan 2023 link

Consultation has concluded

People having a discussion beside a computer


The Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) requires all councils to prepare a Privacy Management Plan (Plan) outlining their practices to ensure compliance with the requirements of that Act, the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) and the Privacy Code of Practice for Local Government (December 2019).

In particular, the objective of this Plan is to:

  • Inform the community about how their personal information will be used, stored and accessed after it is collected by the Council; and
  • Ensure Council officials are aware of their obligations in relation to handling personal information and when they can and cannot disclose, use or collect it.

From 28 November 2023, Council will be required to comply with the mandatory notification provisions under Part 6A of the PPIP Act. This Part creates a Mandatory Notification of Data Breach (MNDB) Scheme which binds NSW public sector agencies to notify the Privacy Commissioner and affected individuals (where appropriate) of data breaches involving personal or health information likely to result in serious harm.

The most significant change since the last update is to include the provisions for the MNDB Scheme.

This ensures compliance with the new legislative requirements which require the Plan to include provisions relating to “the procedures and practices used by the agency to ensure compliance with the obligations and responsibilities set out in Part 6A for the MNDB scheme.”

Proposed changes

In addition, the following improvement changes are proposed:

  • Addition of clauses 16.10-16.11 – handling of sensitive information and an example of how Council is particularly careful with sensitive Personal Information;
  • Addition of clauses 16.12-16.16 – accessing adjoining property information – dividing fences;
  • Minor amendments to clause 24 (Rangers) to clarify Council’s practices;
  • Addition of clause 27 – handling of personal information by the governing body and the administration;
  • Expansion of clause 30.20 to allow for administrative changes to the Plan to occur without a Council resolution and examples of what constitutes an administrative change are provided; and
  • Minor wording changes to improve policy context and content; amendments to legislation references, abbreviations, job titles and removal of duplicates; update to the policy administration part and clarification of authorised functions in the policy authorisations part of the Plan.

View the document here.

How to make a submission

You can make a submission using the online form located below or clicking this link.

Should you intend to make a submission on the draft Plan in writing you, may do so by 5:00pm on Wednesday 15 November 2023 . Please quote “Privacy Management Plan 2023". Submissions should be addressed to The General Manager and can be submitted via:


The Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) requires all councils to prepare a Privacy Management Plan (Plan) outlining their practices to ensure compliance with the requirements of that Act, the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) and the Privacy Code of Practice for Local Government (December 2019).

In particular, the objective of this Plan is to:

  • Inform the community about how their personal information will be used, stored and accessed after it is collected by the Council; and
  • Ensure Council officials are aware of their obligations in relation to handling personal information and when they can and cannot disclose, use or collect it.

From 28 November 2023, Council will be required to comply with the mandatory notification provisions under Part 6A of the PPIP Act. This Part creates a Mandatory Notification of Data Breach (MNDB) Scheme which binds NSW public sector agencies to notify the Privacy Commissioner and affected individuals (where appropriate) of data breaches involving personal or health information likely to result in serious harm.

The most significant change since the last update is to include the provisions for the MNDB Scheme.

This ensures compliance with the new legislative requirements which require the Plan to include provisions relating to “the procedures and practices used by the agency to ensure compliance with the obligations and responsibilities set out in Part 6A for the MNDB scheme.”

Proposed changes

In addition, the following improvement changes are proposed:

  • Addition of clauses 16.10-16.11 – handling of sensitive information and an example of how Council is particularly careful with sensitive Personal Information;
  • Addition of clauses 16.12-16.16 – accessing adjoining property information – dividing fences;
  • Minor amendments to clause 24 (Rangers) to clarify Council’s practices;
  • Addition of clause 27 – handling of personal information by the governing body and the administration;
  • Expansion of clause 30.20 to allow for administrative changes to the Plan to occur without a Council resolution and examples of what constitutes an administrative change are provided; and
  • Minor wording changes to improve policy context and content; amendments to legislation references, abbreviations, job titles and removal of duplicates; update to the policy administration part and clarification of authorised functions in the policy authorisations part of the Plan.

View the document here.

How to make a submission

You can make a submission using the online form located below or clicking this link.

Should you intend to make a submission on the draft Plan in writing you, may do so by 5:00pm on Wednesday 15 November 2023 . Please quote “Privacy Management Plan 2023". Submissions should be addressed to The General Manager and can be submitted via: