Privacy of personal information

NCAT reviews decisions about the privacy of personal information or health records and information.

Privacy of personal information cases are managed through NCAT's Administrative and Equal Opportunity Division.

NCAT reviews conduct by a government agency where an applicant alleges that there has been:

  • a contravention of the Information Protection Principles under the Privacy and Personal Information Protection Act 1998
  • a contravention of the Health Privacy Principles under the Health Records and Information Privacy Act 2002
  • a contravention of a Code of Practice that applies to the agency
  • disclosure of personal information that is kept in a public register.

NCAT can also hold an inquiry into a complaint about a private sector person but only if you have first complained to the Privacy Commissioner and a report has been prepared.

How to apply

Download and complete an Administrative review application form (PDF , 70.3 KB) and lodge your application at any NCAT Registry Office.

If you want NCAT to hold an inquiry into a complaint about a private sector person you should complete a General application form (PDF , 62.3 KB).


Fees are payable for administrative review applications. View the fees and charges schedule or apply for a fee waiver.

Time limits

You must apply to NCAT within 40 working days of receiving the decision from the government agency or department.

If you apply outside of the time limit, you can request a time extension as part of your application. NCAT will not always agree to a request for a time extension.

Privacy of your information

When you apply to NCAT, your name will not be used in any public document created by NCAT. This includes the daily hearing list and the published reasons for decision. You will be referred to by some initials so that your privacy is maintained. For more information refer to the Guideline on Confidentiality, privacy and publication (PDF , 59.1 KB).

Orders NCAT can make

NCAT can make various decisions including:

  • not to take any action
  • awarding compensation (damages) of up to $40,000 for any financial loss, or psychological or physical harm, because of the conduct of the agency or body
  • requiring the agency or body to stop any conduct or action which contravenes an information protection principle or a health privacy principle
  • requiring the performance of an information protection principle or a health privacy principle
  • correcting personal information that has been disclosed.

For more information, see the orders specified in section 55 of the Privacy and Personal Information Act 1998 for privacy matters, or the orders specified in section 54 of the Health Records and Information Privacy Act 2002 for health record related privacy matters.

NCAT does not generally order one party to pay for the other party’s lawyer.​

Steps in a privacy of personal information case

Step by step guide to a review of a decision about privacy of personal or health information.

Show All
Hide All

NCAT cannot review any conduct until you have applied to the agency or body concerned for an internal review of the conduct.


When applying for an internal review, you need to identify the conduct as clearly as you can; you need to say when and where the conduct occurred, who was involved and what they did. Unless the agency or body gives you an extension, you have 6 months from when you first became aware of the conduct to apply for an internal review.


The agency or body concerned must tell the NSW Privacy Commissioner about your application for internal review. The agency or body must take into account any material submitted by the Privacy Commissioner before making a decision.


Following an internal review, the agency or body may:

  • take no further action
  • apologise
  • take remedial action including paying compensation
  • undertake that the conduct will not occur again
  • take action to ensure that the conduct does not occur again.


For more information visit the NSW Information and Privacy Commission website.


To check whether NCAT can review the conduct, seek legal advice, or check the Privacy and Personal Information Act 1998 or the Health Records and Information Privacy Act 2002.

You can either present your own case to NCAT or have a lawyer or non-lawyer agent represent you. You will usually need to attend the hearing to give your instructions to your lawyer or agent.


Your lawyer or agent needs complete a Notice of Representation and submit to NCAT in person or by post. If a non-lawyer agent is representing you, you also need to sign the notice before it is submitted. In both cases, you have to send a copy of the notice to the goverment agency or department.


Your agent needs to ask for permission to represent you from the Tribunal Member the next time the case is listed. You should attend with the agent in case NCAT does not allow the agent to appear for you. A lawyer does not need to ask for permission from the Member.

You will need to provide the following information on your application:

  • You will need to provide the following information on your application:
  • Your name, address and telephone number
  • The name of the government agency that made the decision you want reviewed
  • The date the decision and the internal review decision, if any, were made
  • A copy of the original decision and internal review decision, if any
  • A brief outline of why you think the decision is wrong.


If you have asked NCAT to review the conduct of more than one agency, and that conduct is related, both applications can be heard together if they raise some of the same issues.

You will receive a letter from NCAT with a date for you to attend a 'case conference'.


A case conference is a preliminary session held at NCAT. A Tribunal Member will talk to you and a representative from the agency about the options for resolving your case. The Privacy Commissioner is also entitled to come to the case conference and make submissions to the Tribunal.


Before attending the case conference, you should identify the Information Protection Principles or the Health Privacy Principles that you say have been breached. A breach can also be about a contravention of a Code of Practice that applies to the agency or the disclosure of personal information that is kept in a public register.


At the case conference, the Tribunal Member will explore three options for resolving the dispute. These options are:

  1. direct negotiation among the parties 
  2. mediation by a mediator provided by the Tribunal 
  3. hearing 


Following the case conference, if the matter is suitable for mediation, it will be listed for mediation by a Tribunal Member or specialist mediator.


After that, applications which require further procedural directions will be listed in a Directions Hearing List.  A Member who has not conducted the mediation will be allocated to hear the matter.​​


NCAT will make directions about what you and the agency or body have to do to prepare the matter for hearing. Those directions will usually include filing and serving statements from yourself and other witnesses and making legal submissions.


If you want NCAT to issue a summons for a person to produce documents or attend the Tribunal and give evidence, you should ask the Member at the case conference to approve the issuing of a summons.

The Tribunal Member will tell you and the other party when you should file written material which supports your case. The material may include statements and evidence, submissions and references to cases or legislation which you will rely on.

NCAT's hearings are less formal than court hearings. In most cases, the application will be heard by a single Tribunal Member.


The Privacy Commissioner has the right to attend and be heard at the hearing.


When the Tribunal is reviewing privacy related conduct, the respondent (an employee on behalf of the government agency) will usually give his or her evidence first. After the agency has given its evidence, the applicant will present his or her evidence and explain his or her understanding of the law. In these cases the Tribunal’s role is to decide whether the administrator made the correct decision. 


In some cases, the Tribunal Member will be able to give you their decision at the end of the hearing. However, in most cases the member will need time to consider the case and will give the decision at a later date. You will usually receive the decision within two months. Complex matters may take longer.

You will receive a letter telling you of the decision that NCAT has made. You will receive a copy of the written decision, as well as information about your appeal rights. The decision will also be available on the NSW Caselaw website .

Organisations that can help

NCAT cannot provide legal advice. Find out how we can and cannot assist. Below are some organisations that can provide help or advice about your case.

Return to top of page Back to top