Your obligations for maintaining secure information

Your organisation holds private information about clients and families who access the services you deliver on our behalf.

You’re required to comply with the requirements of relevant Commonwealth and NSW legislation and policy, as well as the provisions of your contract with us, in relation to privacy, information management and your information and communications technology (ICT) systems.

This means being aware of the privacy obligations for your organisation and its staff in relation to the collection, storage, use, disclosure and destruction of personal information under the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act). This includes the Mandatory Notification of Data Breach (MNDB) Scheme under Part 6A of the PPIP Act, which took effect on 28 November 2023.

We expect your organisation to establish, maintain, enforce and continually improve policies, procedures and safeguards to protect the personal and confidential data held in your electronic and physical files against unauthorised access, use, disclosure, destruction, loss and alteration. This includes ensuring your staff, subcontractors and governing body are aware of their obligations in relation to information and data security, and are aware of the resources available to assist you.

If your organisation detects an actual or suspected information or data security incident, you’re required to notify DCJ and keep us informed of progress until its resolution.

These requirements:

  • are in addition to any specific provisions for privacy and information security that may be specified in your contract with us
  • apply to any organisation you’ve subcontracted to fulfil part or all of the services we have contracted your organisation to deliver.
Last updated: 22 Dec 2023