Law: Privacy and Personal Information Protection Act 1998 No. 133 ('the Act'). Please note that the Act only applies to public bodies. Private organisations are subject to the federal Privacy Act 1988.

Regulator: Information and Privacy Commission ('IPC')

Summary: There is no separate, territorial level private sector data protection law in New South Wales. Alongside the Act, which regulates the use of personal information by public bodies, the Health Records and Information Privacy Act 2002 ('the HRIP') sets out requirements for the handling of health information. The IPC works to ensure compliance with both the Act and the HRIP. There have been suggestions from the IPC that the scope of the Act should be amended to include certain service providers working with public bodies, in a similar manner to legislation in Queensland. While such proposals have not been enacted, a notable recent event was Evans v Health Administration Corporation [2019] NSWSC 1781. In this case, the Supreme Court of New South Wales delivered a judgment that included a Deed of Settlement following a class action lawsuit related to a breach of medical records. Although a bill was proposed to introduce civil remedies for serious violations of privacy, it lapsed in 2016.