Privacy Impact Assessments - City of Sydney Bylaw

Published February 11, 2026

Sydney, New South Wales council projects that handle personal information should consider Privacy Impact Assessments (PIAs) early in project design to meet legal and best-practice obligations. This guide explains when a PIA is expected, who enforces privacy obligations for City of Sydney projects, common compliance steps and how to report concerns. It summarises official resources, practical action steps for council officers and contractors, and the appeals and complaint pathways relevant to local government in NSW.

When a PIA is required

Council projects that collect, store, share or analyse personal or sensitive personal information should assess privacy risks before deployment. Many projects that introduce new systems, third-party data sharing, biometric or location tracking, or large-scale data analytics typically need a PIA. The City of Sydney outlines its privacy responsibilities on its privacy page [1]. The NSW Information and Privacy Commission (IPC) provides an official PIA template and guidance for NSW public sector agencies [2].

Start a PIA at project inception — retrospective assessments are harder and less effective.

Conducting a PIA

  • Initiate assessment during business case or requirements phase.
  • Document data flows, categories of personal information and lawful bases for processing.
  • Assess mitigation options: minimisation, retention limits, anonymisation and access controls.
  • Use the IPC PIA template to record risks and decisions [2].
  • Include stakeholder and legal review, and update records when designs change.

PIAs are a risk-management tool and should be retained with project records.

Penalties & Enforcement

Privacy enforcement relevant to City of Sydney projects may involve internal council remedies and external review by the NSW Information and Privacy Commission (IPC). The City of Sydney states its privacy obligations and contact route on its official privacy page [1]. The IPC handles complaints and oversight for NSW public sector privacy matters [3].

  • Fine amounts: not specified on the cited pages.
  • Escalation for repeat or continuing offences: not specified on the cited pages.
  • Non-monetary sanctions: orders, recommendations, directions to amend practices, and publicity of findings are powers exercised by the IPC or through court action where available; specific orders or penalties are not listed on the City page.
  • Enforcer and contact: City of Sydney Privacy Officer for internal matters; NSW IPC for external complaints [3].
  • Appeals/review routes: internal review via council procedures, then formal complaint to the NSW IPC; statutory time limits for complaints are not specified on the cited pages.
  • Defences/discretion: councils may rely on lawful bases and documented mitigations recorded in a PIA; explicit statutory defences are not specified on the cited pages.

If you suspect a serious privacy breach, report it promptly to the City privacy contact and the IPC.

Applications & Forms

The NSW IPC provides a PIA template and resources for agencies to document assessments [2]. The City of Sydney does not publish a separate PIA application form on its public privacy page; use the IPC template or internal council project documentation and follow council procurement and IT security submission channels.

Where no city form exists, attach the IPC PIA template to project approvals and records.

Action steps

  • Assign a project privacy lead and complete the PIA template early.
  • Record decisions, mitigations and retention schedules in project documentation.
  • Seek internal legal and IT security sign-off before procurement or go-live.
  • Report suspected breaches to the City of Sydney Privacy Officer; escalate to the IPC if unresolved.

FAQ

Who must complete a PIA for a City of Sydney project?
Project leads for initiatives that collect or handle personal information should complete a PIA; consult the City privacy contact and use the IPC template.

Does the City of Sydney publish a mandatory PIA form?
The City does not publish a distinct mandatory PIA form on its public privacy page; the NSW IPC template is the recommended resource.

How do I report a privacy breach?
Report to the City of Sydney Privacy Officer and, if needed, lodge a complaint with the NSW Information and Privacy Commission.

How-To

  1. Confirm whether your project will handle personal or sensitive data and document the rationale.
  2. Download and complete the IPC PIA template or use a council-adopted equivalent to map data flows and risks.
  3. Identify and document mitigations: minimisation, access controls, retention and disposal.
  4. Circulate the completed PIA to legal, IT security and relevant stakeholders for review and approval.
  5. Attach the approved PIA to procurement and project governance records, and review if design changes occur.

Key Takeaways

  • Use the IPC PIA template as the standard documentation tool for NSW public sector projects.
  • Start PIAs early and retain them with project records to support lawful processing decisions.

Help and Support / Resources


  [1] City of Sydney - Privacy
  [2] NSW Information and Privacy Commission - Privacy Impact Assessment template
  [3] NSW Information and Privacy Commission - Making a privacy complaint