Letter to the Attorney-General
The Hon Kyam Maher MLC
Attorney-General
This annual report will be presented to Parliament to meet the statutory reporting requirements of the Proclamation of the Privacy Committee of South Australia and the requirements of Premier and Cabinet Circular PC013 Annual Reporting.
This report is verified to be accurate for the purposes of annual reporting to the Parliament of South Australia.
Submitted on behalf of the Privacy Committee of South Australia by:
Stephanie Coleman
Presiding Member, Privacy Committee of South Australia
From the Presiding Member
The focus of the Privacy Committee of South Australia (Privacy Committee) is on the operation of the Government’s Information Privacy Principles Instruction (IPPI). Through a set of ten information privacy principles, the IPPI describes the ways in which state government agencies can collect, store, use and disclose personal information in their possession.
The IPPI is binding for public sector agencies and establishes the principal officer of each agency must ensure the principles are implemented, maintained and observed for, and in respect of, all personal information for which their agency is responsible.
Over the last few years, notifications to the Privacy Committee have continued to increase.
Most of the Privacy Committee’s business this reporting year related to personal information breach notifications. Breaches occurring due to human error continue to dominate, however this year has seen a surge in breaches caused by malicious, deliberate, or criminal activity, predominantly through unauthorised system access by employees Breaches caused by malicious, deliberate, or criminal activity have increased fourfold, with reported unauthorised system access increasing by almost ten times.
During 2023-24 the Privacy Committee continued to meet online and conduct urgent business out of session.
Stephanie Coleman
Presiding Member
Privacy Committee of South Australia
Overview: about the Privacy Committee
The Privacy Committee of South Australia (Privacy Committee) was established by Proclamation in the Government Gazette on 6 July 1989 and most recently updated on 11 June 2009. The functions of the Privacy Committee, as described in the Proclamation, are:
- (a) to advise the Minister as to the need for, or desirability of, legislation or administrative action to protect individual privacy and for that purpose to keep itself informed as to developments in relation to the protection of individual privacy in other jurisdictions
- (b) to make recommendations to the Government or to any person or body as to the measures that should be taken by the Government or that person or body to improve its protection of individual privacy
- (c) to make publicly available information as to methods of protecting individual privacy and measures that can be taken to improve existing protection
- (d) to keep itself informed as to the extent to which the Administrative Scheme of Information Privacy Principles are being implemented
- (g) to refer written complaints concerning violations of individual privacy received by it (other than complaints from employees of the Crown, or agencies or instrumentalities of the Crown, in relation to their employment) to the appropriate authority
- (h) such other functions as are determined by the Minister.
The Privacy Committee may, under clause 4 of the Proclamation, ‘exempt a person or body from one or more of the Information Privacy Principles on such conditions as the Committee thinks fit’.
Clause 1(2) of the Proclamation establishes its membership. The Privacy Committee is to consist of six members appointed by the Minister. Of the six members:
- three are nominated by the Minister [the Attorney-General] (one of whom must not be a public sector employee, and one must have expertise in information and records management)
- one is to be nominated by the Attorney-General
- one is to be nominated by the Minister responsible for the administration of the Health Care Act 2008, and
- one is to be nominated by the Commissioner for Public [Sector] Employment.
Members of the Privacy Committee during the 2023-24 reporting year were:
| Presiding Member | |
|---|---|
| Stephanie Coleman, Director, State Records of South Australia, Attorney-General’s Department | appointed to 31 Jan 2026 |
| Members, in alphabetical order | |
|---|---|
| Deslie Billich, non-public sector employee | appointed to 30 Jan 2028 |
| Abbie Eggers, Manager, Business Services, Department of Human Services | appointed to 30 Jan 2028 |
| Nathan Morelli, non-public sector employee | appointed to 31 Jan 2026 |
| Prue Reid, Executive Director, Corporate Affairs, Department for Health and Wellbeing | appointed to 30 Jan 2028 |
| Samuel Whitten, Executive Solicitor, Commercial Environment and Native Title Section in the Crown Solicitor’s Office | appointed to 31 Jan 2026 |
Changes to the Privacy Committee
During 2023-24, the terms of Deslie Billich, Prue Reid and Abbie Eggers expired 30 January 2024. All three members were approved for a further term, with an expiry of 30 January 2028.
Executive support to the Privacy Committee
Executive support to the Privacy Committee is delivered within the resources of State Records of South Australia. This is in line with other State Records activities including research and policy advice, web hosting and responses to enquiries for both agencies and the public.
The Privacy Committee reports to the Hon Kyam Maher MLC as Attorney-General. The Attorney-General is also responsible for other information management regulation including the State Records Act 1997 and the Freedom of Information Act 1991.
South Australia’s Information Privacy Principles Instruction (IPPI) was introduced in July 1989 by means of Cabinet Administrative Instruction 1/89, issued as Premier & Cabinet Circular No. 12 (external site) (PDF) (external site) (PDF) (external site) (PDF) (external site) (PDF). The IPPI includes a set of ten Information Privacy Principles (IPPs) that regulate the way South Australian public sector agencies collect, use, store and disclose personal information.
The Committee’s performance
The Privacy Committee schedules eight meetings each year. An extraordinary meeting was also held on 15 August 2023.
The number of meetings attended by each member during 2023-2024 was Stephanie Coleman (9), Deslie Billich (6), Abbie Eggers (8), Nathan Morelli (6), Prudence Reid (6) and Samuel Whitten (9).
Financial performance | The Privacy Committee does not administer a budget. |
|---|---|
Consultants disclosure | The Privacy Committee has not engaged any consultants. |
Contractors disclosure | The Privacy Committee has not engaged any contractors. |
Reporting required under any other act or regulation
Exemptions from the IPPI
Clause 4 of the Proclamation provides the Privacy Committee may exempt a person or body from one or more of the Information Privacy Principles (IPPs) on such conditions as the Committee sees fit.
The Annual Report must include details of any exemptions granted during the year to which the report relates.
One new exemption and nine extensions were sought during the reporting year. These include:
- An existing exemption for the Department for Energy and Mining’s Office of the Technical Regulator concerning personal information contained in on-site sanitary plumbing drawings was extended for seven months.
- Extensions to a range of exemptions granted between 2015 and 2022 to agencies associated with SA NT Datalink, extended to 31 December 2024.
Exemptions | 2023-24 | 2022-23 | 2021-22 |
New | 1 | 2 | 1 |
Extended | 9 | 8 | 9 |
Total | 10 | 10 | 10 |
The full text of these exemptions is included in the Appendix.
Privacy Committee business
The Privacy Committee has a function to “refer written complaints concerning violations of individual privacy received by it (other than complaints from employees of the Crown, or agencies or instrumentalities of the Crown, in relation to their employment) to the appropriate authority”.
In 2023-24 the Privacy Committee received three complaints.
2023-24 | 2022-23 | 2021-22 |
3 | 3 | 1 |
Of the three complaints received during 2023-24, two are closed and one (received in June 2024) remains ongoing as at 30 June 2024.
Since 2018, state government agencies have been required to comply with the Personal Information Data Breaches Guideline (external site) (PDF) (external site) (PDF) (external site) (PDF) (external site) (PDF)developed to provide advice on how to deal with unauthorised access to personal information (privacy breaches). One action within the Guideline is to notify the Privacy Committee so that it can:
- keep itself informed as to the extent to which the Information Privacy Principles are being implemented, and
- make recommendations of the measures that should be taken by the government to improve its protection of individual privacy.
The Privacy Committee received 195 notifications during the 2023-24 reporting year.
2023-24 | 2022-23 | 2021-22 |
195 | 140 | 101 |
Since the introduction of the notification scheme the number of breach notifications has increased each year. The increase can be attributed to a strong reporting culture from the health sector who submit the largest number of breaches. Improved awareness to notify the Privacy Committee by other sectors has also contributed to the number of notifications.
While human error still dominates the cause of breaches, a surge in unauthorised system access (mainly employees accessing information inappropriately) has seen malicious, deliberate, or criminal activity increase significantly.
The Privacy Committee reviews each breach it receives and provides agencies with suggestions for improvements to process and practices where necessary.
Affected parties by cause of breach
No. of Individuals | Accident | Procedure or System | Malicious, Deliberate or Criminal | Unclear | Total |
0 to 2 | 83 | 27 | 21 | 4 | 69% |
3 to 9 | 7 | 2 | 1 | 1 | 6% |
10 to 30 | 4 | 4 | 1 | 3 | 6% |
31 to 100 | 2 | 2 | 1 | 0 | 3% |
101 to 1000 | 0 | 1 | 0 | 0 | 1% |
Over 1000 | 2 | 2 | 4 | 0 | 4% |
Unclear | 7 | 5 | 10 | 1 | 12% |
Total | 54% | 22% | 19% | 5% | 100.00% |
The Privacy Committee strongly encourages agencies to advise affected parties of a breach unless there is a significant reason not to do so. This ensures affected parties are aware of any possible implications and builds trust through transparency and accountability by the agency.
State Records continues to support the Privacy Committee by reviewing the notifications process to ensure it is delivering the required benefits. A review of the governments Personal Information Data Breach Guideline with a revised draft being released for agency consultation during 2023-24. The review is intended to:
- clarify what characterises a breach and how to respond
- facilitate the assessment of risk to affected parties, and
- ensure the guideline meets the Privacy Committees expectations for breach notifications.
State Records also continues to educate agencies on the importance of only collecting the personal information needed to perform a service and to avoid retaining it longer than legally required, thereby minimising the risk of harm should a breach occur.
Principal officers of state government agencies have the responsibility to ensure the IPPI is implemented, maintained, and observed for, and in respect of, all personal information for which their agency is responsible.
Advice is provided to state government agencies to help them comply with the IPPI and ensure privacy is considered in the development of new projects and initiatives. Policy and other guidance materials are issued to support agencies.
State Records also developed and published a new training course, “Handling Personal Information”. This course is aimed at improving privacy awareness for government staff who handle personal information, by helping them:
- identify personal information, recognise it’s value and the consequence of inappropriate disclosure
- identify, avoid and respond to an information privacy breach and complaint, and
- identify legislation and policies that apply to their work.
The Privacy Committee is represented by the Presiding Member on Privacy Authorities Australia (PAA). State Records staff participate in three PAA working groups on policy, complaints and enforcement, and communications.
Appendix: Exemptions from the IPPI granted 2022-23
Clause 4 of the Proclamation provides the Committee may exempt a person or body from one or more of the Information Privacy Principles (IPPs) on such conditions as the Committee sees fit.
All exemptions require:
- the security of the personal information to be managed in line with the South Australian Protective Security Management Framework (in compliance with Premier and Cabinet Circular 30) and the agency’s security management systems and practices, and
- destruction or retention of the personal information must be undertaken in accordance with a disposal authority under the State Records Act 1997.
The following exemptions were granted during 2023-2024.
Exemptions
This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and third party providers.
It is an exemption from compliance with principles 2 and 8, allowing SA Health DLU to collect and use personal information for a purpose that was not the purpose of the collection of that information.
The personal information to be collected and used from NT Department of the Attorney General & Justice, and is limited to:
NT Births Register | 1/1/1868 – 31/07/2023 | Registration Number, Name and previously known names, DOB, Place of Birth, Sex, Aboriginal Torres Strait Islander Indicator, Multiple Birth Plurality Order, Multiple Birth Plurality Total, Birth Weight (grams) + For Mother and Father separately: Address and Postcode, Name and Mothers Maiden Name, DOB, Place of Birth, Occupation, Aboriginal Torres Strait Islander Indicator + Date of Marriage, Place of Marriage, Marriage type (traditional/legal) + Previous children of this relationship: Names, Sex, DOB, living indicator) |
NT Deaths Register | 1/1/1870 – 31/07/2023 | Registration Number, Full Name and previously known names, DOB, Date of Death, Age at Death, Place of Death, Place of Birth, Sex, Aboriginal Torres Strait Islander Indicator, Residential Address and Postcode. |
Integrated Justice Information System incl. IOMS for adults | 1/1/1997* – 2/4/2019 | Data for linkage provided from 1992, research data only available from 1997. IJIS Identifier, DOB, Sex, Name and previously known names, Indigenous Status, Address and Postcode (at time of birth, last known and time stamp). |
The personal information to be collected and used from NT Police, Fire and Emergency Services, and is limited to:
Police Real-time OnIine Management Information System | 1/7/2014 – 26/11/2019 | Person Identifier, Name, DOB, Gender, Race, Current Address and Postcode, Location Identifier (internal identifier for address number), Date of Address (most recent link), Date of extract. |
The personal information to be collected and used from NT Department of Health, and is limited to:
Client Master Index (CMI) | 1/1/1991 – 27/07/2023 | Hospital Record Number (HRN), Alternate HRN flag, Primary HRN, DOB, Deceased Flag, Sex, Names, previous names and aliases, Indigenous Status, Address and Postcode. |
Inpatient Activity | 1/7/2000 – 30/06/2022 | Based on date of discharge HRN, Discharge date, episode number. |
Perinatal Trends (incl. DPH from 2014) | 1/1/1986 – 31/12/2021 | Peri Identifier +
For Baby: Unique baby identifier, link to the CMI, Establishment of Birth (e.g. Royal Darwin Hospital), DOB, Aboriginal Status, Living Status of baby at birth, Sex, Birth Weight (grams), Number of births from pregnancy (plural), Order of Birth (sequence in which delivered). |
Immunisation Register [HISTORIC - DECOMMISSIONED] | 1/1/1991 – 30/6/2018 | HRN, Names, previous names and aliases, DOB, Sex, Indigenous Status, Address and Postcode at time of immunisation, Immunisation Event Date. |
NT Cancer Register | 1/1/1991 – 31/12/2020 | Patient identifier, Current HRN, Expired or Duplicate HRNs, Names and aliases, Address and Postcode at time of diagnosis, Current Address and Postcode, Country of Birth, Indigenous Status, Sex, DOB, Estimated DOB (y/n), NT BDM Death Registration Number, Date of Death if notified. Tumour record number, date of diagnosis. |
Primary Health Care Collection | 1/7/2008 – 30/06/2022 | HRN, Event Id, Date of Medical Event. |
Emergency Department Activity Collection | 1/7/2000 – 30/06/2022 | HRN, episode Id, attendance date. |
Hospital Pharmacy | 1/7/2006 – present | No data transferred. The agreement allows for the release of project specific linkage keys and HRNs for HREC approved projects. |
Hearing Health Data Collection - Remote Urban | 1/1/2008 - 31/12/2019 1/1/2014 – 31/12/19 | Remote: HRN, Names, DOB, Sex, Ethnicity, Community, Secondary Community, Deceased, Deceased Date, Date stamp. Urban: Client Id (historical), HRN, Names, DOB, Ethnicity, Address and Postcode, Mailing Address and Postcode, Date stamp. |
NT Rheumatic Heart Disease Register | 1997 – 22/1/2018 | HRN, Names and preferred names, DOB, Sex, Aboriginal Status, deceased indicator, Date of Death, Primary health Care Clinic, Region of Clinic, Date stamp. |
NT Notifiable Diseases System | 1/1/1999 – 31/12/2020 | Notification identifier, HRN, Sex, Names, DOB, Address, Residential Location, Residential Postcode, Indigenous Status, Date stamp. |
BreastScreenNT | 28/11/1994 – 31/12/2017 | Client Identifier, Names, Postal Address, Residential Address and Postcode, DOB, Maiden Name, Country of Birth, Aboriginal Torres Strait islander status, Appointment date, Appointment Reference Number. |
CervicalScreenNT [HISTORIC COLLECTION] | 11/3/1996 – 31/11/2017 | Client ID, HRN, Names, previous names and Aliases, DOB, Address and Postcode, Client State, Aboriginal Torres Strait islander status, Year of Death, Date of test, Unique results identifier. |
Mental Health Activity Collection - Acute Inpatient (via Inpatient Activity) - Community CCIS | 1/7/2004 – 30/6/2022 1/7/2004 – 30/6/2022 | HRN, Discharge date, Episode number HRN, Event Start Date, Event Identifier |
Hospital Admission Trends | 1/1/1992 – 30/06/2022 | HRN, Indigenous Status, DOB, Sex, Locality Code, State, separation date of inpatient event. Episode number. |
The personal information to be collected and used from Territory Families, Housing and Communities, and is limited to:
Child Protection | 1/7/1998 – 30/6/2021 | HRN Child protection Flag sits alongside the HRN in the CMI Dataset for the purposes of identifying the person exists in the Child Protection Dataset. |
Integrated Offender Management System (Juveniles) | 1/1/1997 – 2/4/2019 | IJIS Identifier, DOB, Sex, Name and previously known names, Indigenous Status, Address and Residential Postcode (at time of birth, last known and time stamp). |
The personal information to be collected and used from NT Department of Housing, and is limited to:
Tenancy Management System (Urban) | 1/1/1991 – 30/6/2014 | For Primary Client: Primary Client Number, Group Number, Application Number, Client Name and previously known names, Sex, DOB, Ethnic Origin, Address and Postcode. For Accompanying Members: Accompanying Client Number, Relationship to Primary Client, Association Type, Name and previously known names, Sex, DOB, Ethnic Origin. |
The personal information to be collected and used from NT Department of Education, and is limited to:
Student Activity; Attendance; Enrolments; Assessment of Student Competencies | 1/1/2005 –31/12/2021 | Master Student ID, Student ID, Name(s), DOB, Gender, Address and Postcode, Indigenous Status, Census Year (e.g. 2021), Year Level (e.g. Year 9). |
NAPLAN (NTG, Catholic Ed & Christian Schools) | 1/1/2008 –31/12/2021 | Student ID, Name, DOB, Gender, Assessment Year Level (3,5,7,9), Calendar Year |
The personal information to be collected and used from Menzies School of Health Research, and is limited to:
Ear Health Clinical Database (BIGDATA) | 1/1/1992 – 31/12/2018 | BIGDATA_id, Participant Identifier, NTG Public Hospital Record Number (HRN*), DOB, Sex, Name, Community Location, State, date of collection. *HRN agreement from NT Dept of Health to receive this field from 1991, this links to the Primary HRN, Alternate HRN, DOB, Death timestamp, Sex, Names, Indigenous Status, Address and Postcode. |
The personal information to be collected and used from Central Australian Aboriginal Congress, and is limited to:
Communicare: Congress Urban Medical Clinics Congress Remote auspiced: - Amoonguna Health Service - Mutitjulu Health Service - Santa Teresa (Mpwelarre) Health Service - Utju (Areyonga) Health | 1//1/2008 – 21/6/2021 (start dates vary for CAAC Remote) | Patient ID, HRN, Names, Previous Names and Aliases, Sex, DOB, Indigenous Status, Primary Address, Previous Addressed and dates, Date of Death, Date of extract. |
The personal information to be collected and used from Katherine West Health Board, Miwatj Aboriginal Health Corporation, Ngaanyatjarra Health Service (WA) and Danila Dilba Health Service, and is limited to:
Communicare | 1/1/2010 – 30/06/2021 | Site Identifier, patient identifier, HRN, Previous Names and Aliases, Sex, DOB, Indigenous Status, Primary Address, Previous Addressed and years resident, Date of Death, Date of last contact, Date of extract. |
The personal information to be collected and used from Australia and New Zealand Dialysis and Transplant Registry, and is limited to:
ANZData (SA and NT) | 1/1/1963 – 31/12/2022 | Patient ID, Record Date, Initial and subsequent hospital/unit identifiers, Initial and subsequent state/territory, Names (including maiden, previous aliases, and nick names) m DOB, Date of Death, Gender, Racial Origin, Country of Birth, initial and subsequent postcodes |
The personal information to be collected and used from Commonwealth of Australia acting through the Department for Education, and is limited to:
Australian Early Development Census (Cwth) (national collection) | 2009 - 2021 | Year, Student Identifier, Name, DOB, Sex, School Identifier, School Name, Address, State of residence, Country of Birth, Place of Birth |
The personal information to be collected and used from Australian Coordinating Registry, QLD BDM, and is limited to:
ACR COD-URF National Cause of Death Unit Record File for SA and NT | 2006 – 2022 | This links to Births and Deaths Data via a Registration Number and Mortality Identifier providing additional information on cause of death for researchers. Information collected but not used in the Master Linkage File: Registration Identifier, Mortality Identifier, Birth Day, Birth Month Not received since 2021. Is not included in the Master Linkage File. |
The personal information used from these datasets will enable existing operations to continue once SA NT DataLink has transitioned to an agency that falls within the full scope of application of the IPPI.
All other Principles continue to apply.
SA NT DataLink and these third parties remain responsible for the secure transfer and storage of personal information in line with the IPPs.
This exemption is granted from 15 December 2023 to 31 December 2024.
Extensions
SA NT DataLink Data Linkage Unit within SA Health and associated agencies
Extensions A to H were approved 2 December 2022, granted from 1 January 2023 to 31 December 2023. All were approved on the condition that:
- The information is only to be used for the creation of Master Linkage Keys in the further development of the Master Linkage File as part of the SA NT Data Linkage System. The exemption is provided on the condition that the personal information is only to be accessed by officers of SA Health within the Data Linkage Unit.
- This exemption is conditional on SA NT DataLink having a current Joint Venture Consortium Agreement in place.
Extension approved 25 June 2024, back-dated to 1 June 2024.
This exemption applies to both the Department for Energy and Mining (DEM) and the Department for Infrastructure and Transport (DIT), concerning personal information contained in drawn representations of the underground on-site sanitary plumbing work within a specific property (also described as historical as-constructed sanitary drainage drawings) held by the Office of the Technical Regulator within DEM.
The personal information consists of the name of persons who currently or previously owned a property, the address of that property, the name and contact details of the plumber who undertook the plumbing work to install the sanitary drains on the property and the location of the sanitary drains on the property.
This is an exemption from Principles 6 and 9 in relation to the drawings. This is also an exemption from Principle 10 for the purpose of disclosing the drawings:
- between DEM and DIT for the purpose of creating online access to the drawings by the public, and
- to the public.
All other Principles continue to apply.
This exemption is granted on the condition that:
- where possible, the name of the property owner and name and contact details of the plumber are deleted from the sanitary drain drawings prior to release to DIT or the public, and
- the process is maintained that allows a person to apply to have the sanitary drain drawing of a property that he or she owns, or lives in, suppressed from access by the public.
DEM and DIT remain responsible for the secure transfer of personal information in line with the IPPs.
This extension is granted from 1 June 2024 to 31 December 2024.
Exemption extensions A to H were approved 2 December 2022, granted from 1 January 2023 to 31 December 2023. All were approved on the condition that:
- the information is only to be used for the creation of Master Linkage Keys in the further development of the Master Linkage File as part of the SA NT Data Linkage System. The exemption is provided on the condition that the personal information is only to be accessed by officers of SA Health within the Data Linkage Unit.
- the exemption is conditional on SA NT DataLink having a current Joint Venture Consortium Agreement in place.
Exemption A
This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and Consumer and Business Services (CBS) in the Attorney General’s Department. It is an exemption from compliance with:
- Principle 10, allowing CBS to disclose personal information to the SA NT DataLink, and
- Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely in the establishment of the Master Linkage File as part of the Data Linkage System.
The personal information to be used is from South Australian births and deaths datasets, and is limited to:
Death Dataset: Unique record identifier (registration number); names (all names where available including surnames, surnames at birth, given names and given names at birth); date of birth; date of death; age at death; place of birth; place of death; sex; Aboriginality and/or Torres Strait Islander indicator; full residential address, including geocodes, where available; correction indicator (if a record previously reported is being re-reported due to a correction in the register); father/co-parent (type, surnames, surnames at birth, given names, occupation); and mother (type, surnames, surnames at birth, given names, occupation). The personal information to be used from the deaths dataset is limited to death records created after 1/1/1990.
Birth Dataset: Unique record identifier (registration number); Names (all names where available including surnames, surnames at birth, given names and given names at birth); Full residential address, including geocodes where available; Sex; Date of birth; Place of birth; Mother’s Aboriginal indicator; Mother’s Torres Strait Islander indicator; Father’s/Co-parent’s Aboriginal indicator; Father’s/Co-parent’s Torres Strait Islander indicator; Mother’s date of birth; Father’s/Co-parent’s date of birth; Birth weight (in grams); Plurality – order (only available for multiple births e.g. twins); Plurality – total (only available for multiple births e.g. twins); Mother’s occupation title; Father’s/Co-parent’s occupation title; correction indicator (if a record previously reported is being re-reported due to a correction in the register); marriage type; date of marriage; place of marriage; and previous children of this relationship (given names, sex, date of birth, living indicator).
The personal information to be used from the births dataset is limited to birth records created after 1/1/1944. The disclosure will include any of the above information provided for other family members that is included in these records.
All other Principles continue to apply.
SA Health and CBS remain responsible for the secure transfer and storage of personal information in line with the IPPs.
This extension is granted from 1 January 2023 to 31 December 2023.
Exemption B
This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Department for Child Protection (DCP). It is an exemption from compliance with:
- Principle 10, permitting DCP to disclose personal information to the Data Linkage Unit within SA NT DataLink, and
- Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely to support the linkage with DCP data on Alternative Care, Care and Protection Orders, and Child Protection.
The personal information is limited to: Record identifier; Names – all names including nicknames, aliases and aka; Date of birth; Sex; Aboriginality, Torres Strait Islander indicator; Cultural group; Full address including geocodes where available; Client File Number (85 File Number for Client Information System (CIS) records within the Justice Information System (JIS) – a flag indicating that this child was under the Guardianship of the Minister); and any of the above information provided for other family members and included in these records, i.e. full name and date of birth of the mother and father of the child or young person.
All other Principles continue to apply.
SA Health and DCP remain responsible for the secure transfer and storage of personal information in line with the IPPs.
This extension is granted from 1 January 2023 to 31 December 2023.
Exemption C
This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Department for Human Services (DHS) Youth Justice branch. It is an exemption from compliance with:
- Principle 10, permitting DHS Youth Justice to disclose personal information to the Data Linkage Unit within SA NT DataLink, and
- Principle 8, allowing the SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely the creation of master linkage keys as part of the SA NT Data Linkage System by the Data Linkage Unit.
The personal information is limited to: Unique record identifier (i.e. episode reference number); Unique person identifier where available; Given name(s) (including all ‘akas’, aliases and nicknames); Date of birth; Sex; Aboriginality and/or Torres Strait Islander indicator; Country of birth; Full address including geocodes where available; and the full name and date of birth of the mother and father of the child or young person where available.
All other Principles continue to apply.
SA Health and DHS remain responsible for the secure transfer and storage of personal information in line with the IPPs.
This extension is granted from 1 January 2023 to 31 December 2023.
Exemption D
This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Department for Education (DE). It is an exemption from compliance with:
- Principle 10, permitting DE to disclose personal information to the Data Linkage Unit within SA NT DataLink, and
- Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information.
The personal information to be used is from the DE Public Schools Enrolment dataset, including preschools and is limited to: Record Identifier; Personal Identifier; Names; Date of Birth; Sex; Aboriginality, Torres Strait Islander Indicator; Country of Birth; Full address including Geocodes if available; Parent / Guardian Identifier; Date Enrolled; Date Left; Destination School; Census year; Census term; 85 File Number; and any of the above information provided for other family members and included in these records including family code.
All other Principles continue to apply.
SA Health DLU and DE remain responsible for the secure transfer and storage of personal information in line with the IPPs.
This extension is granted from 1 January 2023 to 31 December 2023.
Exemption E
This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Department for Education (DE). It is an exemption from compliance with:
- Principle 10, permitting DE to disclose personal information to the Data Linkage Unit within SA NT DataLink for the purpose of enabling a more complete understanding of the early childhood sector and pathways in child health and development when developing policy, research and strategic plans, and
- Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely for SA NT DataLink for the purposes of data linkage.
The personal information to be used is from DE preschool enrolment census data for non-government and private schools. The personal information to be used was initially for the period between 2012 and 2017, representing approximately 110,000 students, with annual updates being sought, with an expectation that each update is to include approximately 18,500 new students.
The personal information includes linkage variables of: Record identifier; Personal identifier; Names – all names including nicknames, aliases and aka; Date of birth; Sex; Aboriginality, Torres Strait Islander Indicator; Country of birth; Full address including geocodes if available; Site name; Site ID; and Census year.
All other Principles continue to apply.
SA Health DLU and DE remain responsible for the secure transfer and storage of personal information in line with the IPPs.
This extension is granted from 1 January 2023 to 31 December 2023.
Exemption F
This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Electoral Commission of South Australia (ECSA). It is an exemption from compliance with:
- Principle 10, permitting ECSA to disclose personal information to the Data Linkage Unit within SA NT DataLink, and
- Principles 2 and 8, allowing SA Health DLU to collect and use personal information for a purpose that was not the purpose of the collection of that information.
The personal information to be used is from the ECSA South Australian Electoral Roll dataset and is limited to: Elector Number; Title; Family Name; Given Names; Date of Birth; Country of Birth (3 character code); Sex; Address Line 1, 2 and 3 (including State and postcode); and any of the above information provided for other family members and included in these records.
Excluded from the dataset is information relating to ‘silent electors’ and those individuals who have sought to be ‘provisionally enrolled’.
All other Principles continue to apply.
SA Health DLU and ECSA remain responsible for the secure transfer and storage of personal information in line with the IPPs.
This extension is granted from 1 January 2023 to 31 December 2023.
Exemption G
This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the South Australian Housing Authority (SAHA). It is an exemption from compliance with:
- Principle 10, permitting SAHA to disclose personal information from the Housing SA dataset and the Homelessness to Home (H2H) dataset to the Data Linkage Unit within SA NT DataLink, and
- Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely for the creation of master linkage keys as part of the establishment of the Data Linkage System.
The personal information from the Housing SA dataset is limited to: Unique Person Identifier; System Date; Names, all names including nicknames, aliases and aka; Date of Birth; Sex; Title; Aboriginality and/or Torres Strait Islander identifier; Country of Birth; Full address including geocodes if available; and any of the above information provided for other family members and included in these records.
The personal information from the Homelessness to Home (H2H) dataset is limited to: H2H customer number; Housing SA customer number; Given names; Surname; Date of birth; Sex; Aboriginality and/or Torres Strait Islander indicator; Country of birth; Full address details, including past addresses where available; System date; and any of the above information provided for other family members and included in these records.
All other Principles continue to apply.
SA Health DLU and SAHA remain responsible for the secure transfer and storage of personal information in line with the IPPs.
This extension is granted from 1 January 2023 to 31 December 2023.
Exemption H
This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Department for Correctional Services (DCS). It is an exemption from compliance with:
- Principle 10, permitting DCS to disclose personal information to the Data Linkage Unit within SA NT DataLink, and
- Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely to enable researchers and policy analysist to develop and disseminate a more comprehensive understanding of health, education and justice system pathways and outcomes.
The personal information to be disclosed by DCS relates to individuals who have been sentenced to a period of supervision, either in a custodial setting or in the community and is limited to: DCS IDs; JIS PIN; Entry and exit dates; Surnames (including previous names and maiden names); Given Name(s) (all including “aka’s”, aliases and nicknames); Date of Birth (DD/MM/YYYY); Sex; Residential address and postcodes (including previous addresses); and Aboriginal and Torres Strait Islander indicator.
All other Principles continue to apply.
SA Health and DCS remain responsible for the secure transfer and storage of personal information in line with the IPPs.
This extension is granted from 1 January 2023 to 31 December 2023.