NSW Health has published its Privacy Internal Review Guidelines to help staff navigate and comply with all legislative requirements in conducting a privacy internal review.
The new Guidelines replace GL2006_007 and apply across the whole of NSW Health.
There are three key principles:
60-day time limit
A privacy internal review must be completed as soon as practicable, and a time limit of 60 calendar days applies. The 60-day time limit starts from the receipt of the first written privacy complaint or request for privacy internal review. In exceptional circumstances, the agency may ask the applicant for an extension of time. (Sections 5.3 and 5.4)
NSW Privacy Commissioner
The NSW Privacy Commissioner must be notified of all applications for privacy internal review, provided with a draft investigation report for comment, and provided with the final report and covering letter to the applicant. (Sections 5.7 and 7.3)
NSW Civil and Administrative Tribunal
An individual who is dissatisfied with the outcome of the agency’s privacy internal review can lodge an application for administrative review with the NSW Civil and Administrative Tribunal (NCAT). This must be lodged within 28 calendar days of receipt of the privacy internal review report from the NSW Health agency. (Section 7.1)
A copy of the Guidelines can be found on the NSW Health website.