1. Home
2. About us
3. Publications
4. Privacy
5. FRNSW Privacy Policy

FRNSW Privacy Policy

Contents

• 1. Purpose
• 2. Scope and application
• 3. Personal and Health Information Life Cycle
• 4. Legal and policy framework
  • 4.1. Legal framework
  • 4.2. Policy framework
• 5. Policy principles
• 6. Privacy Management Plan
• 7. Privacy Collection Notice
• 8. Privacy - Website and Analytics
  • 8.1. Cookies
  • 8.2. Website analytics
  • 8.3. How do we use the information collected?
  • 8.4. What exceptions are there to this rule?
  • 8.5. Email addresses
  • 8.6. Address auto-complete
  • 8.7. Security
• 9. Roles and responsibilities
  • 9.1. All Staff, Volunteers and Contractors
  • 9.2. Manager ICT Security & Risk (CISO)
  • 9.3. Privacy Contact Officer 
• 10. Support
• 11. Monitoring and review
• 12. Further Information

1. Purpose

This policy provides the framework under which Fire and Rescue NSW (FRNSW) manages Personal and Health Information. This policy is the external Privacy Policy for members of the public. FRNSW has an internal privacy policy that explicitly applies to staff, volunteers and contractors of FRNSW.

2. Scope and application

FRNSW is the NSW government agency responsible for the provision of fire, rescue and hazmat services in cities and towns across New South Wales (NSW).

We are committed to protecting your privacy and the confidentiality of the Personal and Health Information that we collect in the course of providing our services.

When people interact with us, our website or our services, we may, in some circumstances, collect, use and share information about them, including their Personal and Health Information.

This policy is to be utilised and referred to by stakeholders outside of FRNSW and applies to all people who deal with us including, members of the community who use our services. FRNSW also has an Internal Privacy Policy to be referred to by internal stakeholders (including FRNSW’s staff, volunteers and contractors).

Personal Information is defined in section 4 of the Privacy and Personal Information Protection Act 1998 (NSW) PPIP Act as information or an opinion about an individual whose identity is apparent or could be reasonably determined from the information or opinion.

Common examples of Personal Information include a person’s name, address, phone number or date of birth, Tax File Number (TFN), bank account details, fingerprints, or a photograph or video of the person. It includes recorded and non- recorded information.

There are 13 exclusions to the definition of Personal Information set out in subsections 4(3) and 4A of the PPIP Act. Some of these exclusions include:

• information about an individual who has been dead for more than 30 years;
• information about an individual that is contained in a publicly available publication; and
• information about an individual’s suitability for employment as a public sector official.

For more information on these exclusions please refer to subsections 4(3) and 4A of the PPIP Act or contact the Privacy Contact Officer.

Health Information is defined in section 6 of the Health Records and Information Privacy Act 2002 (HRIP Act) (NSW). The HRIP Act defines Health Information as, subject to some exclusions, being a subset of Personal Information as follows:

• personal information that is information or an opinion about:
• the physical or mental health or a disability (at any time) of an individual, or
• an individual’s express wishes about the future provision of health services to him or her, or
• a health service provided, or to be provided, to an individual, or
• other personal information collected to provide, or in providing, a health service, or
• other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances, or
• other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of a genetic relative of the individual, or
• healthcare identifiers.

For ease of reference, this policy refers to personal information and health information collectively as ‘Personal and Health Information’.

It is the responsibility of everyone working for, or with, FRNSW to protect the privacy of individuals and to handle their Personal and Health Information in accordance with the PPIP Act and the HRIP Act.

This policy sets out:

• the way Personal and Health Information must be handled at FRNSW;
• the main reasons we may collect Personal and Health Information;
• how we protect Personal and Health Information; and
• how your Personal and Health Information can be accessed,
• in order to comply with relevant legislation, including the PPIP Act and the HRIP Act.

We may update this policy to reflect changes in how we deliver our services or changes to the law.

In addition to this policy, when collecting Personal and Health Information from individuals we may issue Privacy Collection Notices in order to provide individuals with further information on how we intend to collect, use, disclose and retain any Personal and Health Information provided. Annexure A of the Privacy Management Plan contains further information about how Privacy Collection Notices may be issued by FRNSW, as well as links to some of the Privacy Collection Notices used by FRNSW. We may issue Privacy Collection Notices to external stakeholders in person, via email or through our website or recruitment portal.

3. Personal and Health Information Life Cycle

Personal and Health Information passes through FRNSW at each stage of the information life cycle.

The following sections provide a visual representation of what measures we need to take at each stage of the information life cycle, from collection through to disposal or de-identification.

4. Legal and policy framework

4.1. Legal framework

FRNSW must meet the requirements of:

• the PPIP Act;
• the HRIP Act;
• the Privacy Act 1988 (Cth) (Privacy Act); and
• the Privacy (Tax File Number) Rule 2015 (Cth) (TFN Rule), (collectively for this policy, ‘Privacy Laws’).

These pieces of legislation establish principles for the management of Personal and Health Information, and they set out our obligations in relation to the collection, retention, security, access, use and disclosure of Personal and Health Information.

The Telecommunications Act 1997 (Cth) regulates the management of telephone calls to FRNSW including triple zero calls.

The Telecommunications (Interception and Access) Act 1979 (Cth) provides for certain organisations to authorise disclosure of information through intercepting telecommunications data.

The Fire and Rescue NSW Regulation 2023 (NSW) is a regulation made under the Fire and Rescue NSW Act 1989 (NSW) that apply to all permanent and retained firefighters employed by FRNSW.

There are certain exemptions within the above laws, for example to allow sharing of information between government agencies for law enforcement or investigative purposes. In addition other legislation provides certain other exemptions, for example the State Records Act 1998 (NSW).

4.2. Policy framework

FRNSW has developed a Privacy Management Plan (PDF) to be read in conjunction with this document. FRNSW’s Privacy Management Plan specifies how this policy will be implemented at FRNSW in order to comply with FRNSW’s obligations under Privacy Laws. These two documents describe how Personal and Health Information is to be managed at FRNSW.

The Privacy Management Plan (PDF) provides information on FRNSW’s management of data breaches and voluntary notifications.

FRNSW’s Cyber Security Incident Response Plan outlines the steps to be taken in the event of a cyber security incident or event. Where a cyber security event or incident results in a data breach, FRNSW’s Data Breach Policy (PDF) and Data Breach Response Plan outlines the actions that should be undertaken in the event of an actual or suspected data breach.

5. Policy principles

5.1. Information Protection and Health Privacy Principles

The PPIP Act sets out 12 Information Protection Principles (IPPs). The HRIP Act sets out 15 Health Privacy Principles (HPPs). FRNSW follows these principles for collecting, storing, using and disclosing Personal and Health Information.

Specific application of these principles are built into the policies and procedures of each area of FRNSW that collects, stores, uses or discloses Personal and Health Information. These principles are also considered in the development of systems and projects.

The principles are:

5.1.1. Collection of information must be:

Lawful - FRNSW will only collect Personal or Health Information for a lawful purpose. The information must be directly related to FRNSW’s activities and necessary for that purpose.

Relevant - FRNSW will ensure that the Personal and Health Information it collects is relevant, not excessive, accurate and up to date. FRNSW will not unnecessarily intrude into the personal affairs of the individual.

Direct - FRNSW will collect Personal and Health Information directly from the person concerned, and only from third parties when authorised to do so.

Open - FRNSW will take reasonable steps to inform people their Personal and Health Information is being collected, what it will be used for and to whom it will be disclosed. We will also inform people how they can see and correct the information. This principle may be applied differently in an emergency.

5.1.2. Storage of information must be:

Secure - FRNSW will ensure that Personal and Health Information is stored in a manner that reasonably protects it from misuse and loss and from unauthorised access, modification or disclosure.

When your Personal and Health Information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de- identify your Personal and Health Information.

5.1.3. Access to information must be:

Transparent - FRNSW will take reasonable steps to explain to people what Personal and / or Health Information it holds, why it is being used and any rights they have to access and amend it.

Accessible - FRNSW will allow people to access their Personal and /or Health Information without unreasonable delay or expense.

Correct - FRNSW will allow people to update, correct or amend their Personal and / or Health Information where necessary.

5.1.4. Use of information must be:

Accurate - FRNSW will take reasonable steps to ensure that Personal and Health Information is relevant and accurate before using it. If you find that the information we have is not up to date or is inaccurate, please advise us as soon as practicable so we can update our records and ensure we can continue to provide quality services to you.

Limited - FRNSW will only use Personal or Health Information for the purpose for which it was collected, or a directly related purpose that the person would expect. We may use Personal and Health Information without consent in order to deal with a serious and imminent threat to any person’s health or safety.

5.1.5. Disclosure of the information, must be:

Restricted - during an emergency FRNSW may disclose Personal and Health Information in order to deal with a serious and imminent threat to any person’s health or safety. FRNSW may also disclose personal or health information to a third party who has lawful authority to access the information and for the purpose which it was collected, or a directly related purpose that the person would reasonably expect.

Apart from the above, FRNSW will only disclose Personal or Health Information with consent.

Sensitive information - FRNSW will not disclose Sensitive Personal Information; for example, information about a person’s ethnic or racial origin, political opinions, religious or philosophical beliefs or trade union membership without consent or lawful authority.

5.2. Additional principles related to health information:

Identification - FRNSW allocates unique numbers to its employees and volunteers in order to manage their records effectively. FRNSW may use unique identifiers for Health Information.

Anonymous - FRNSW will allow people to remain anonymous regarding Health Information, where this is lawful and practicable.

Transfers - FRNSW does not normally transfer Health Information outside NSW, however, if there is a requirement to do so, we will make sure that substantially similar privacy laws apply in the receiving jurisdiction.

Linking health records - if FRNSW becomes a party to a health records linkage system (as defined in the HRIP Act), we will obtain express consent from individuals for their information to be included.

6. Privacy Management Plan

Under the PPIP Act, FRNSW is required to have a Privacy Management Plan which explains our practices and procedures in relation to the handling of Personal and Health information collected by FRNSW to carry out our functions and services.

FRNSW’s Privacy Management Plan:

• Contains examples of the types of Personal and Health Information we collect and the reason we collect it (see section 3.3 of the Privacy Management Plan).
• Outlines how we protect Personal and Health Information, including how we dispose of Personal and Health Information (see section 4.2 of the Privacy Management Plan).
• Outlines how we share Personal and Health Information (see section 4.5 of the Privacy Management Plan).
• How to access and correct Personal and Health Information held by FRNSW (see section 7 of the Privacy Management Plan).
• How to make a complaint (see section 8 of the Privacy Management Plan).

7. Privacy Collection Notice

Under section 10 of the PPIP Act, when FRNSW collects personal information from an individual, such as their name, address, telephone number or email address, FRNSW must make the individual aware of:

• the purposes for which the information is being collected;
• the intended recipients of the information;
• whether the supply of the information is required by law or is voluntary;
• any consequences for the individual if the information (or any part of it) is not provided;
• ways the individual can access and correct the information; and
• the name and address of the unit that is collecting the information and the unit that is to hold the information.

Personal information, such as a person’s name, telephone number, address and location may be recorded when individuals call the Triple Zero (000) emergency number. Individuals making these calls will not be provided with the above- mentioned notice when reporting an emergency incident.

FRNSW may collect personal information in relation to emergency incidents. Where this information is collected, this Privacy Collection Notice – Emergency Incidents must be populated.

All data received, including any recording of the emergency call, will be managed according to the FRNSW Privacy Management Plan.

8. Privacy - Website and Analytics

8.1. Cookies

A cookie is a small piece of data that a website can send to your browser (which may then store it on your computer) that is designed to save your preferences or keep track of information you have previously selected. A cookie cannot retrieve any data from your hard drive, pass on computer viruses or capture your email address.

Cookies can be either ‘persistent’ or ‘session’ based. Persistent cookies are stored on your computer, contain an expiration date, and may be used to track your browsing behaviour upon return to the issuing web site. Session cookies are short- lived, are used only during a browsing session, and expire when you quit your browser.

Most browsers are set by default to accept cookies, however you can configure your computer to determine how you would prefer to interact with cookies across the internet. You may wish to set your browser to notify you when you receive a cookie, giving you the chance to decide whether or not to allow each cookie on to your hard drive, or to block cookies altogether. However, if you decide to not accept cookies set by this web site, some of FRNSW web pages may not display properly or you may not be permitted to access certain information. You may also set your browser so that the cookies set by this web site are destroyed when your browser shuts down and no personal information is maintained which might identify you should you visit our web site at a later date. In this way, the persistent cookies set by this web site will effectively function as session cookies. There are several techniques available for managing cookies in various browsers. Please see the help section of your browser.

8.2. Website analytics

8.2.1. Website visit information

The website makes a record of the user's visits and logs anonymous information for statistical purposes, such as the IP address of the user's computer, the top-level domain name of the user (such as .com or .au), the date and time of the user's visit, what pages on the site were accessed, what search terms were used, etc. This information is only collected for statistical and debugging purposes; that is, the information is only used in order to make the web site function better.

No attempt will be made to identify the user except in the very unlikely event that an investigation is necessary, where a law enforcement agency alone would have the power to inspect the records of the Internet Service Provider to obtain this information.

8.2.2. Google Analytics

The FRNSW website uses Google Analytics, a reporting service provided by Google, Inc. (Google) and its subsidiaries. Google Analytics uses "cookies" to help us analyse how users use the site. The information generated by the cookie about your use of the site (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the site, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage.

Google may also transfer this information to third parties, where required to do so by law or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser. By using this website, you consent to the processing of data about you by Google in the manner described in Google's Privacy Policy and for the purposes set out above. You can opt out of Google Analytics if you disable or refuse the cookie, disable JavaScript, or use the opt-out service provided by Google.

In addition, this website has implemented Google Analytics' Demographics and Interest Reporting feature. This allows us to collect data relating to the demographics and interests of visitors to the website. We collect such data to analyse how visitors engage with our website and to make improvements. FRNSW will not merge personally identifiable information with non-personally identifiable information collected via Google Analytics tracking code without your consent. Data collected via the Google Analytics Demographics and Interest Reporting feature is stored on Google’s servers and is accessible by Google. You can opt-out of Google Analytics for Display Advertising in https://adssettings.google.com or use the Google Analytics Opt-out service.

8.2.3. Web beacons or pixel tags

FRNSW, or a third party engaged by FRNSW, may use web beacons on some pages on this website. A web beacon (also known as a web bug, pixel tag or clear GIF) is a graphic image (usually transparent and 1 pixel x 1 pixel in size) placed on a web page which is used to better understand the usage patterns of visitors to the page.

When the HTML code for the web beacon points to a site to retrieve the image, at the same time it can pass along information such as the IP address of the computer that retrieved the image, the time the web beacon was viewed and for how long, the type of browser that retrieved the image and previously set cookie values. Web beacons do not give any extra information away.

Web beacons work in conjunction with cookies and are usually used to assess the effectiveness of campaigns. This enables FRNSW to improve future campaigns. Reconfiguring the browser's cookie settings, as discussed above, can prevent web beacons from tracking the user's activity. The web beacon may still record an anonymous visit from your IP address, but unique information will not be recorded.

FRNSW also collects non-personally identifiable information through social networking service Facebook Pixel. This allows us to collect data relating to the demographics and interests of visitors to the website. We collect such data to analyse how visitors engage with our website and to make improvements. FRNSW will not merge personally identifiable information with non-personally identifiable information collected via Facebook Pixel tracking code without your consent. Data collected via Facebook Pixel is stored on Facebook's servers and is accessible by Facebook.

8.2.4. Social media

FRNSW also uses interfaces with social media sites such as Facebook, LinkedIn, X and others. If you choose to "like" or "share" information from this website through these services, you should review the privacy policy of that service. If you are a member of a social media site, the interfaces may allow the social media site to connect your visits to this site with other Personal Information.

8.3. How do we use the information collected?

To improve the website and the services provided by FRNSW, we will extract and publish aggregated information about usage patterns from these records.

FRNSW will not disclose or publish information that identifies individual machines, or identifies sub-groupings of addresses, without consent or otherwise in accordance with the PPIP Act and the HRIP Act.

8.4. What exceptions are there to this rule?

FRNSW will collect, use and disclose more extensive information than stated above in the following circumstances:

• unauthorised attempts to access files which are not published FRNSW pages;
• unauthorised tampering or interference with files published on the FRNSW website;
• unauthorised attempts to index the contents of the FRNSW website by other websites;
• attempts to intercept messages of other FRNSW website users;
• communications which are defamatory, abusive, vilify individuals or groups or which give rise to a suspicion that an offence is being committed; and
• attempts to otherwise compromise the security of the web server, breach the laws of the State of New South Wales or Commonwealth of Australia, or interfere with the enjoyment of the FRNSW website by other users.

FRNSW reserves the right to make disclosures to relevant authorities where the use of the FRNSW website raises a suspicion that an offence is being, or has been, committed.

In the unlikely event of an investigation, FRNSW will provide access to data to any law enforcement agency that may exercise a warrant to inspect our logs.

8.5. Email addresses

FRNSW will only record your email address if you send us a message. Your email address will only be used or disclosed for the purpose for which you have provided it and it will not be added to a mailing list or used or disclosed for any other purpose without your consent.

Users are advised that there are inherent risks in transmitting information across the Internet.

8.6. Address auto-complete (Safety Visits request page)

This section refers to the address auto-complete functionality on the Safety Visits request page and how the submitted information is collected and stored.

8.6.1. The purposes for which the information is being collected

The address entered into this field returns information about your address that we use to pre-populate the Safety Visits form. This information is provided by Google Maps.

8.6.2. The intended recipients of the information

FRNSW only stores the returned auto-complete address when the Safety Visit request form is submitted.

8.7. Security

There are risks associated with the transmission of information over the internet and you should therefore make your own assessment of the risks in the provision of your information to FRNSW internet sites.

9. Roles and responsibilities

9.1. All Staff, Volunteers and Contractors

All staff, volunteers and contractors must be familiar with the external Privacy Policy, the internal Privacy Policy and the FRNSW Privacy Management Plan and manage Personal and Health Information in accordance with these documents.

9.2. Manager ICT Security & Risk (CISO)

The CISO is responsible for ensuring that cyber security has been incorporated in the design of the application and in the handling of Personal and Health Information, by ensuring sufficient security and access controls. Any deviation from policy creates an exposure to threats and must be signed-off by a control exception.

9.3. Privacy Contact Officer

FRNSW’s Privacy Contact Officer is responsible for:

• investigating and responding to privacy enquiries;
• conducting reviews of privacy complaints;
• providing advice on privacy legislation and personal information;
• liaising with the NSW Privacy Commissioner, implementing any instructions or requests from the Privacy Commissioner and undertaking any reporting required by the PPIP Act;
• notification and communication under the NBD Scheme to the Australian Privacy Commissioner at the Office of the Australian Information Commissioner (OAIC); and
• privacy breach notifications to the NSW Privacy Commissioner.

10. Support

The Information and Privacy Commission (IPC) provides information about how to lodge a privacy complaint. This information is available on the Information and Privacy Commission’s website at www.ipc.nsw.gov.au.

11. Monitoring and review

The Operational Improvement and Assurance Branch will monitor and review legislative changes to State and Federal privacy laws and any other laws relating to privacy to determine if there are any implications for FRNSW. Where privacy matters are determined by the courts and are of relevance to FRNSW, these will be captured and circulated to appropriate staff, volunteers and contractors.

The role of the Privacy Contact Officer sits within the Audit and Assurance Team. The Privacy Contact Officer will also monitor external and internal information on privacy and health information matters. Where regular issues are raised, the Privacy Contact Officer will undertake reviews of information collection or distribution systems to determine if there are sufficient security and access controls. The Privacy Contact Officer is responsible for ensuring that any internal reporting obligations in respect of privacy are complied with and that any legislative changes to State and Federal privacy laws are appropriately reflected within FRNSW’s policies and procedures and/or communicated to staff, volunteers and contractors.

12. Further Information

Public Registers - Part 6 of the PPIP Act prescribes special rules for Personal and Health Information held on public registers. These rules regulate when personal or health information contained in a public register can be disclosed. FRNSW does not maintain any public registers for the purposes of the PPIP Act or the HRIP Act.

Privacy codes of practice – The PPIP Act and the HRIP Act allow agencies to develop a privacy code of practice where they intend to depart from the Privacy Principles contained in the Acts. FRNSW does not intend to depart from the Privacy Principles and as such has not developed a privacy code of practice.

If you have any enquiries about our privacy policies, contact us by writing to the following address:

Privacy Contact Officer 
Fire and Rescue NSW
Locked Mail Bag 12
Greenacre NSW 2190

or by email to PrivacyOfficer@fire.nsw.gov.au.