Steps in a privacy matter

Step by step guide to applying to NCAT for the review of a decision about privacy of personal or health information.

Step 1: Check that NCAT can review the conduct 
Step 2: Consider whether you want a lawyer or agent to represent you 
Step 3: Apply to NCAT to have the conduct reviewed 
Step 4: Lodge the application form by the deadline 
Step 5: Receive a letter from NCAT 
Step 6: Take part in the case conference 
Step 7: Prepare your case for hearing 
Step 8: Take part in the hearing 
Step 9: Receive NCAT's decision  
Step 10: Consider appealing the decision if you are not satisfied  

Step 1: Check that NCAT can review the conduct

NCAT cannot review any conduct until you have applied to the agency or body concerned for an internal review of the conduct.

When applying for an internal review, you need to identify the conduct as clearly as you can; you need to say when and where the conduct occurred, who was involved and what they did. Unless the agency or body gives you an extension, you have 6 months from when you first became aware of the conduct to apply for an internal review.

The agency or body concerned must tell the NSW Privacy Commissioner about your application for internal review. The agency or body must take into account any material submitted by the Privacy Commissioner before making a decision.

Following an internal review, the agency or body may:

  • take no further action
  • apologise
  • take remedial action including paying compensation
  • undertake that the conduct will not occur again
  • take action to ensure that the conduct does not occur again.

For more information visit the NSW Information and Privacy Commission website.

To check whether NCAT can review the conduct, seek legal advice, or check the Privacy and Personal Information Act 1998 or the Health Records and Information Privacy Act 2002.

Step 2: Consider whether you want a lawyer or agent to represent you

You can either present your own case at NCAT or have a lawyer or non-lawyer agent represent you. You will usually need to be present to give your instructions to your lawyer or agent.

Your lawyer or agent needs to fill out a Notice of Representation and submit it to the registry in person or by post. If a non-lawyer agent is representing you, you also need to sign the Notice before it is submitted. In both cases, you have to send a copy of the Notice to the government department which made the original decision.

Your agent needs to ask for permission from the Tribunal Member the next time the case is listed. You should be present with the agent in case the Tribunal does not allow the agent to appear for you. A lawyer does not need to ask for permission from the member.

Step 3: Apply to NCAT to have the conduct reviewed

If you are not satisfied with the response from the agency or body following an internal review or if you have not received an internal review decision 60 days after applying, you may apply to the Tribunal for a review of the conduct. To apply to NCAT, you must be affected by the alleged breach of privacy. You cannot apply on behalf of another person.

You need to fill out an application for review if the matter is about the actions of a public sector agency and include the following information on your form:

  • your name, address and telephone number
  • the name of the agency or body that engaged in the conduct
  • the date the internal review decision was made
  • a copy of the internal review decision (this is normally the letter sent to you by the government agency)
  • a brief outline of why you think the conduct contravenes an Information Protection Principle or a Health Privacy Principle or a code of conduct that applies to the agency or body.

If you have asked NCAT to review the conduct of more than one agency, and that conduct is related, both applications can be heard together if they raise some of the same issues.

Step 4: Lodge the application form by the deadline

In most cases you need to lodge your application to NCAT within 28 days from when you are notified of the internal review decision.

Please post or bring your application to an NCAT registry. You cannot fax the application or lodge it via the internet.

If you want to lodge an application but the time allowed has expired, you have to ask for an extension. You will need to give a reason why you were not able to lodge the application within the time allowed. It will be up to NCAT whether or not to accept a late application.

A fee applies for most applications to NCAT. Check the Fees and charges schedule to see which fee applies to you. 

Step 5: Receive a letter from NCAT

You will receive a letter from NCAT telling you that your application has been received. You will also be given a date to attend a 'case conference'. 

Step 6: Take part in the case conference

A case conference is a preliminary session held at NCAT. A Tribunal Member will talk to you and a representative from the agency about the options for resolving your case. The Privacy Commissioner is also entitled to come to the case conference and make submissions to the Tribunal.

Before attending the case conference, you should identify the Information Protection Principles or the Health Privacy Principles that you say have been breached. A breach can also be about a contravention of a Code of Practice that applies to the agency or the disclosure of personal information that is kept in a public register.

At the case conference, the Tribunal Member will explore three options for resolving the dispute. These options are:

  1. direct negotiation among the parties 
  2. mediation by a mediator provided by the Tribunal 
  3. hearing 

Following the case conference, if the matter is suitable for mediation, it will be listed for mediation by a Tribunal Member or specialist mediator.

After that, applications which require further procedural directions will be listed in a Directions Hearing List.  A Member who has not conducted the mediation will be allocated to hear the matter.​​

NCAT will make directions about what you and the agency or body have to do to prepare the matter for hearing. Those directions will usually include filing and serving statements from yourself and other witnesses and making legal submissions.

If you want the Tribunal to issue a summons for a person to produce documents or attend the Tribunal and give evidence, you should ask the Member at the case conference to approve the issuing of a summons. The Summons Procedural Direction [PDF, 57kB] has more information about how to issue a summons. ​

Step 7: Prepare your case for hearing

The Tribunal Member will tell you and the other party when you should file written material which supports your case. The material may include statements and evidence, submissions and references to cases or legislation which you will rely on. Read more about how to prepare a statement or affidavit.

Step 8: Take part in the hearing

NCAT's hearings are less formal than court hearings. In most cases, the application will be heard by a single Tribunal Member.

The Privacy Commissioner has the right to attend and be heard at the hearing.

When the Tribunal is reviewing privacy related conduct, the respondent (an employee on behalf of the government agency) will usually give his or her evidence first. After the agency has given its evidence, the applicant will present his or her evidence and explain his or her understanding of the law. In these cases the Tribunal’s role is to decide whether the administrator made the correct decision. 

In some cases, the Tribunal Member will be able to give you their decision at the end of the hearing. However, in most cases the member will need time to consider the case and will give the decision at a later date. You will usually receive the decision within two months. Complex matters may take longer.

Step 9: Receive NCAT's decision

You will receive a letter telling you of the decision that NCAT has made. You will be notified by phone before the reasons are published. You will receive a copy of the written decision, as well as information about your appeal rights. The decision will also be available on the Caselaw website​.

NCAT can make various decisions including:

  • not to take any action
  • awarding compensation (damages) of up to $40,000 for any financial loss, or psychological or physical harm, because of the conduct of the agency or body
  • requiring the agency or body to stop any conduct or action which contravenes an information protection principle or a health privacy principle
  • requiring the performance of an information protection principle or a health privacy principle
  • correcting personal information that has been disclosed.

For more information, see the orders specified in section 55 of the Privacy and Personal Information Act 1998 for privacy matters, or the orders specified in section 54 of the Health Records and Information Privacy Act 2002 for health record related privacy matters.

NCAT does not generally order one party to pay for the other party’s lawyer.​

Step 10: Consider appealing the decision if you are not satisfied

You may have the right of appeal to the Appeal Panel of NCAT. Learn more about appealing a decision.

In some instances there is also a right of appeal to the NSW Supreme Court. If you are not sure of your appeal rights, you should seek legal advice.