Privacy management
The Audit Office is committed to properly managing the personal and health information it collects in order to protect the privacy of individuals. Personal information is information that relates to an identifiable person as well as information that could identify an individual.
Personal information covers:
- a written record (including electronic records) which may include names, addresses or other details about an individual(s)
- photographs, images, video or audio footage
- fingerprints, blood or DNA samples.
Health information is more specific and covers information or an opinion about a person’s physical or mental health. It can also include information about:
- a health service provided, or to be provided, to an individual
- an individual’s express wishes about the future provision of health services to him or her
- other personal information collected in connection with the donation of human tissue
- genetic information that is or could be predictive of the health of an individual or their relatives or descendants.
The Audit Office complies with the Information Protection Principles (IPPs) of the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Privacy Principles of the Health Records and Information Privacy Act 2002. These acts describe the responsibilities of public sector agencies in the collection, retention and security, accuracy, use and disclosure of personal and health information.
Under section 33 of the PPIP Act, the Audit Office is required to have a Privacy Management Plan which explains how the Audit Office implements the Information Protection Principles and Health Privacy Principles. We also have a Privacy Policy relating directly to the use of our website.
Access and amendment of personal information
To access or amend personal information held by the Audit Office, contact the Privacy Contact Officer using the contact details below.
Review rights and privacy complaints
If you have a concern about how the Audit Office has dealt with your privacy or the privacy of another individual(s), you can, in the first instance, contact the Privacy Contact Officer informally with details of the complaint.
Under the PPIP Act, you may also formally request an internal review in respect of a privacy issue. An internal review can be requested by filling out the internal review form on the IPC website. It is not compulsory to complete the form; however, an application for an internal review must:
- be in writing
- be addressed to the Audit Office of New South Wales
- include a return address within Australia for correspondence
- be lodged within six months of the date you first became aware of the breach.
The Audit Office will acknowledge receipt of a request for an internal review within seven days. We will complete all internal reviews within 60 days. The Privacy Contact Officer will keep the applicant up to date with progress of the internal review and will advise as soon as practicable if the review is likely to take more than 60 days.
Within 14 days of completing the review, the Audit Office will notify the applicant in writing (email or letter) about the findings of the review, action proposed to be taken and the right of the applicant to further review.
Upon receiving an application for a review, the Audit Office will notify the NSW Privacy Commissioner of the application and keep them informed about the review and its outcome.
If the Audit Office has not completed the review within 60 days or the applicant disagrees with the outcome of the internal review or is not satisfied with the action the Audit Office has taken, they have the right to apply to the NSW Civil and Administrative Tribunal for a review of the conduct. Further information about making an application to the tribunal can be found on the NSW Civil and Administrative Tribunal website.
Privacy complaints can also be made directly to the NSW Privacy Commissioner.
Data breaches
The Data Breach Management Policy sets out how the Audit Office manages data breaches, which includes breaches of personal information.
Privacy Contact Officer
The Privacy Contact Officer for the Audit Office is responsible for the Privacy Management Plan and associated policies and procedures that help the Audit Office meet its obligations under the Privacy Act.
The Privacy Contact Officer can be contacted:
Via this website: using the General enquiry form
By email: governance@audit.nsw.gov.au
By phone: 02 9275 7100
In writing: Privacy Contact Officer, Audit Office of NSW, GPO Box 12, Sydney NSW 2001