
New South Wales


Law: Privacy and Personal Information Protection Act 1998 No. 133 ('the Act'). Please note that the Act only applies to public bodies. Private organisations are subject to the federal Privacy Act 1988.

Regulator: Information and Privacy Commission ('IPC')

Summary: There is no separate, territorial-level private sector data protection law in New South Wales. Alongside the Act, which regulates the use of personal information by public bodies, the Health Records and Information Privacy Act 2002 ('the HRIP') sets out requirements for the handling of health information. The IPC works to ensure compliance with both the Act and the HRIP. There have been suggestions from the IPC that the scope of the Act should be amended to include certain service providers working with public bodies, in a similar manner to legislation in Queensland. While such proposals have not been enacted, a notable recent event was Evans v Health Administration Corporation [2019] NSWSC 1781. In this case, the Supreme Court of New South Wales delivered a judgment that included a Deed of Settlement following a class action lawsuit related to a breach of medical records. Although a bill was proposed to introduce civil remedies for serious violations of privacy, it lapsed in 2016.


The New South Wales ('NSW') Government passed the Privacy and Personal Information Protection Amendment Act 2022 (NSW) ('the PPIP Amendment Act') on 28 November 2022, creating a wave of reforms to NSW public sector privacy laws. The changes come into force on 28 December 2023. NSW public sector agencies and State-Owned Corporations ('SOCs') have a 12-month transition period to understand their new obligations and build new processes to comply. Katherine Sainty and Lily O'Brien, from Sainty Law, detail what the reforms consist of and who they apply to.