Image description: lighthouse on headland

Data protection

At the Audit Office, data protection is one of our highest priorities. Our approach is both proactive and adaptive to the changing environment in which we operate.

The Auditor-General for New South Wales reports to the New South Wales Parliament and is responsible for audits and related services, principally conducted under the Government Sector Audit Act 1983 and the Local Government Act 1993. These audits aim to help Parliament hold government accountable for its use of public resources.

Data is a fundamental foundation to auditing, and we rely on access to data to deliver our mandate. The acts under which we operate provide the Audit Office with the legislative right to access information that relates to our audit or audit-related services. To avoid breaching the secrecy provisions outlined in the acts, we must ensure that information accessed in the course of our work remains confidential and is only used for authorised purposes. We take our role in protecting data seriously and here we outline our approach to protecting your data

Privacy management

The Audit Office is committed to properly managing personal and health information collected to protect the privacy of individuals. Personal information is information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. 

Personal information covers: 

  • a written record (including electronic records) which may include names, addresses or other details about an individual(s)
  • photographs, images, video or audio footage 
  • fingerprints, blood or DNA samples. 

Health information is more specific and covers information or an opinion about a person’s physical or mental health. It can also include information about:

  • a health service provided, or to be provided, to an individual
  • an individual’s express wishes about the future provision of health services to him or her
  • other personal information collected in connection with the donation of human tissue
  • genetic information that is or could be predictive of the health of an individual or their relatives of descendants.

The Audit Office complies with the Information Protection Principles (IPPs) of the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Privacy Principles of the Health Records and Information Privacy Act 2002. These acts describe the responsibilities of public sector agencies in the collection, retention and security, accuracy, use and disclosure of personal and health information.

Under section 33 of the PPIP Act, the Audit Office is required to have a Privacy Management Plan which explains how the Audit Office implements the Information Protection Principles and Health Privacy Principles. We also have a Privacy Policy relating directly to the use of our website.

Access and amendment of personal information 

To access or amend personal information held by the Audit Office, contact the Privacy Officer using the contact details below.

Review rights and privacy complaints 

If you have a concern about how the Audit Office has dealt with your privacy or the privacy of another individual(s), you can, in the first instance, contact the Privacy Officer informally with details of the complaint.

Under the PPIP Act, you may also formally request an internal review in respect of a privacy issue. An internal review can be requested by filling out the internal review form on the IPC website. It is not compulsory to complete the form, however an application for an internal review must:

  • be in writing
  • be addressed to the Audit Office of New South Wales
  • include a return address within Australia for correspondence
  • be lodged within six months of the date you first became aware of the breach.

The Audit office will acknowledge receipt of a request for an internal review within seven days. We will complete all internal reviews within 60 days. The Privacy Officer will keep the applicant up to date with progress of the internal review and will advise as soon as practicable if the review is likely to take more than 60 days. 

Within 14 days of completing the review, the Audit Office will notify the applicant in writing (email or letter) about the findings of the review, action proposed to be taken and the right of the applicant to further review.

Upon receiving an application for a review, the Audit Office will notify the NSW Privacy Commissioner of the application, keep them informed about the review and its outcome.

If the Audit Office has not completed the review within 60 days or the applicant disagrees with the outcome of the internal review or is not satisfied with the action the Audit Office has taken, they have the right to apply to the NSW Civil and Administrative Tribunal for a review of the conduct. Further information about making an application to the tribunal can be found on the NSW Civil and Administrative Tribunal website.

Privacy complaints can also be made directly to the NSW Privacy Commissioner

Data breaches

The Data Breach Management Policy sets out how the Audit Office manages data breaches, which includes breaches of personal information. This policy outlines the Audit Office’s approach to responding to all types of data breaches, including cyber incidents. In particular, it covers our approach to responding to ‘eligible data breaches’ and complying with the Mandatory Notification of Data Breach (MNDB) Scheme under the PPIP Act. 

Audit Office Public Notifications

Under the PPIP Act, public notifications must be provided when it is not reasonably practicable to notify any or all individuals affected by an eligible data breach. 

There are no public notifications at this time. 

The Audit Office Register of Public Notifications is found below. The Audit Office must retain and publish notifications of eligible data breaches for a period of 12 months. 

Register of Public Notifications

Privacy Officer 

The Privacy Officer for the Audit Office is responsible for the Privacy Management Plan and associated policies and procedures that help the Audit Office meet its obligations under the Privacy Act.

The Privacy Officer can be contacted:

Via this website: using the General enquiry form
By email:
By phone:        02 9275 7100
In writing:         Privacy Officer, Audit Office of NSW, GPO Box 12, Sydney NSW 2001