Privacy of personal information

NCAT reviews decisions about the privacy of personal information or health records and information.

Privacy of personal information cases are managed through NCAT's Administrative and Equal Opportunity Division.

NCAT reviews conduct by a government agency where an applicant alleges that there has been:

  • a contravention of the Information Protection Principles under the Privacy and Personal Information Protection Act 1998
  • a contravention of the Health Privacy Principles under the Health Records and Information Privacy Act 2002
  • a contravention of a Code of Practice that applies to the agency
  • disclosure of personal information that is kept in a public register.

NCAT can also hold an inquiry into a complaint about a private sector person but only if you have first complained to the Privacy Commissioner and a report has been prepared.

How to apply

Download and complete an Administrative review application form (PDF , 70.3 KB) and lodge your application at any NCAT Registry Office.

If you want NCAT to hold an inquiry into a complaint about a private sector person you should complete a General application form (PDF , 62.3 KB).

Fees

Fees are payable for administrative review applications. View the fees and charges schedule or apply for a fee waiver.

Time limits

You must apply to NCAT within 28 days of receiving the decision from the government agency or department.

If you apply outside of the time limit, you can request a time extension as part of your application. NCAT will not always agree to a request for a time extension.

Privacy of your information

When you apply to NCAT, your name will not be used in any public document created by NCAT. This includes the daily hearing list and the published reasons for decision. You will be referred to by some initials so that your privacy is maintained. For more information refer to the Guideline on Confidentiality, privacy and publication (PDF , 181.2 KB).

Orders NCAT can make

NCAT can make various decisions including:

  • not to take any action
  • awarding compensation (damages) of up to $40,000 for any financial loss, or psychological or physical harm, because of the conduct of the agency or body
  • requiring the agency or body to stop any conduct or action which contravenes an information protection principle or a health privacy principle
  • requiring the performance of an information protection principle or a health privacy principle
  • correcting personal information that has been disclosed.

For more information, see the orders specified in section 55 of the Privacy and Personal Information Act 1998 for privacy matters, or the orders specified in section 54 of the Health Records and Information Privacy Act 2002 for health record related privacy matters.

NCAT does not generally order one party to pay for the other party’s lawyer.​


Steps in a privacy of personal information case

Step by step guide to a review of a decision about privacy of personal or health information.

Show All
Hide All

NCAT cannot review any conduct until you have applied to the agency or body concerned for an internal review of the conduct.


When applying for an internal review, you need to identify the conduct as clearly as you can; you need to say when and where the conduct occurred, who was involved and what they did. Unless the agency or body gives you an extension, you have 6 months from when you first became aware of the conduct to apply for an internal review.


The agency or body concerned must tell the NSW Privacy Commissioner about your application for internal review. The agency or body must take into account any material submitted by the Privacy Commissioner before making a decision.


Following an internal review, the agency or body may:

  • take no further action
  • apologise
  • take remedial action including paying compensation
  • undertake that the conduct will not occur again
  • take action to ensure that the conduct does not occur again.

For more information visit the NSW Information and Privacy Commission website.

 

To check whether NCAT can review the conduct, seek legal advice, or check the Privacy and Personal Information Act 1998 or the Health Records and Information Privacy Act 2002.

You can either present your own case at NCAT or have a lawyer or non-lawyer agent represent you. You will usually need to be present to give your instructions to your lawyer or agent.


Your lawyer or agent needs to fill out a Notice of Representation and submit it to the registry in person or by post. If a non-lawyer agent is representing you, you also need to sign the Notice before it is submitted. In both cases, you have to send a copy of the Notice to the government department which made the original decision.


Your agent needs to ask for permission from the Tribunal Member the next time the case is listed. You should be present with the agent in case the Tribunal does not allow the agent to appear for you. A lawyer does not need to ask for permission from the member.

If you are not satisfied with the response from the agency or body following an internal review or if you have not received an internal review decision 60 days after applying, you may apply to the Tribunal for a review of the conduct. To apply to NCAT, you must be affected by the alleged breach of privacy. You cannot apply on behalf of another person.


You need to fill out an application for review if the matter is about the actions of a public sector agency and include the following information on your form:

  • your name, address and telephone number
  • the name of the agency or body that engaged in the conduct
  • the date the internal review decision was made
  • a copy of the internal review decision (this is normally the letter sent to you by the government agency)
  • a brief outline of why you think the conduct contravenes an Information Protection Principle or a Health Privacy Principle or a code of conduct that applies to the agency or body.

If you have asked NCAT to review the conduct of more than one agency, and that conduct is related, both applications can be heard together if they raise some of the same issues


In most cases you need to lodge your application to NCAT within 28 days from when you are notified of the internal review decision.


Please post or bring your application to an NCAT registry. You cannot fax the application or lodge it via the internet.


If you want to lodge an application but the time allowed has expired, you have to ask for an extension. You will need to give a reason why you were not able to lodge the application within the time allowed. It will be up to NCAT whether or not to accept a late application.


A fee applies for most applications to NCAT. Check the Fees and charges schedule to see which fee applies to you.

You will receive a letter from NCAT telling you that your application has been received. You will also be given a date to attend a 'case conference'.


A case conference is a preliminary session held at NCAT. A Tribunal Member will talk to you and a representative from the agency about the options for resolving your case. The Privacy Commissioner is also entitled to come to the case conference and make submissions to the Tribunal.


Before attending the case conference, you should identify the Information Protection Principles or the Health Privacy Principles that you say have been breached. A breach can also be about a contravention of a Code of Practice that applies to the agency or the disclosure of personal information that is kept in a public register.


At the case conference, the Tribunal Member will explore three options for resolving the dispute. These options are:

  • direct negotiation among the parties
  • mediation by a mediator provided by the Tribunal
  • hearing

Following the case conference, if the matter is suitable for mediation, it will be listed for mediation by a Tribunal Member or specialist mediator.


After that, applications which require further procedural directions will be listed in a Directions Hearing List.  A Member who has not conducted the mediation will be allocated to hear the matter.​​


NCAT will make directions about what you and the agency or body have to do to prepare the matter for hearing. Those directions will usually include filing and serving statements from yourself and other witnesses and making legal submissions.


If you want the Tribunal to issue a summons for a person to produce documents or attend the Tribunal and give evidence, you should ask the Member at the case conference to approve the issuing of a summons. The Summons Procedural Direction has more information about how to issue a summons. ​

The Tribunal Member will tell you and the other party when you should file written material which supports your case. The material may include statements and evidence, submissions and references to cases or legislation which you will rely on. Read more about how to prepare a statement or affidavit.

NCAT's hearings are less formal than court hearings. In most cases, the application will be heard by a single Tribunal Member.


The Privacy Commissioner has the right to attend and be heard at the hearing.


When the Tribunal is reviewing privacy related conduct, the respondent (an employee on behalf of the government agency) will usually give his or her evidence first. After the agency has given its evidence, the applicant will present his or her evidence and explain his or her understanding of the law. In these cases the Tribunal’s role is to decide whether the administrator made the correct decision.


In some cases, the Tribunal Member will be able to give you their decision at the end of the hearing. However, in most cases the member will need time to consider the case and will give the decision at a later date. You will usually receive the decision within two months. Complex matters may take longer.

You will receive a letter telling you of the decision that NCAT has made. You will be notified by phone before the reasons are published. You will receive a copy of the written decision, as well as information about your appeal rights. The decision will also be available on the Caselaw website​.


NCAT can make various decisions including:

  • not to take any action
  • awarding compensation (damages) of up to $40,000 for any financial loss, or psychological or physical harm, because of the conduct of the agency or body
  • requiring the agency or body to stop any conduct or action which contravenes an information protection principle or a health privacy principle
  • requiring the performance of an information protection principle or a health privacy principle
  • correcting personal information that has been disclosed.

For more information, see the orders specified in section 55 of the Privacy and Personal Information Act 1998 for privacy matters, or the orders specified in section 54 of the Health Records and Information Privacy Act 2002 for health record related privacy matters.


NCAT does not generally order one party to pay for the other party’s lawyer.​


Right of appeal


If you are not satisfied with NCAT's decision you may have the right of appeal to the Appeal Panel, if you can establish that the Tribunal went wrong either in the procedure it followed, or the way it applied the law to the facts of your case. Learn more about appeals.


In some instances there is also a right of appeal to the NSW Supreme Court. If you are not sure of your appeal rights you should seek legal advice.​

Organisations that can help

NCAT cannot provide legal advice. Find out how we can and cannot assist. Below are some organisations that can provide help or advice about your case.


Last updated:

11 Aug 2023

Was this content useful?
We will use your rating to help improve the site.
Please don't include personal or financial information here
Please don't include personal or financial information here
Top Return to top of page Top