Module 2: Legal and Policy Context

The GIPA Act facilitates public access to NSW Government information. It does this by authorising and encouraging the release of information by NSW Government agencies, giving members of the public the right to request access to government information, and by ensuring government information is only restricted where there is an overriding public interest against disclosing the information. 

The PPIP Act provides principles for the protection of personal information, and the protection of the privacy of individuals generally. Under the Act, all personal information that is made, kept or collected by government organisations must be created and managed in accordance with the Information Protection Principles under the PPIP Act. The Information and Privacy Commission website has an overview of NSW privacy legislation. 

The HRIP Act protects the privacy of an individual’s health information held by the public and private sectors, enables individuals to gain access to their information, and provides an accessible framework for the resolution of complaints regarding the handling of health information. The 15 Health Privacy Principles are legal obligations that agencies must abide by when collecting, holding, using and disclosing a person’s health information. 

The State Records Act sets out the rules for the creation, capture, control, use, maintenance and disposal of all records and information in line with whole-of-government records and information management policies. State Records NSW has developed the Records and Information Management Policy checklist that helps agencies ensure their internal strategies are consistent with whole-of government information management policy. 

The Data Sharing Act enables the sharing of data between NSW Government agencies, and with the Data Analytics Centre (DAC). The Act encourages and facilitates data sharing, outlines safeguards for sharing data, states that data sharing must be legally compliant, ensures data involving personal information is protected, and allows the responsible Minister to direct agencies to provide data to the DAC under certain circumstances. 

Data should be open to the extent that its management, release and characteristics meet the objectives of openness, accountability, fairness and effectiveness set out in the Government Information (Public Access) Act 2009 (NSW). Under the GIPA Act, there is a presumption in favour of the disclosure of information, unless there is an overriding public interest against disclosure. 

The Policy sets out six open data principles that all government data must be: 

1. Open by default, protected where required;
2. Prioritised, discoverable and usable;
3. Primary and timely;
4. Well managed, trusted and authoritative;
5. Free of charge where appropriate; and
6. Subject to public input.

The Policy sets out mandatory requirements that all agencies must comply with to ensure that cyber security risks to data, information, and systems are managed and data is kept secure. These include: implementing cyber security and governance; building and supporting a cyber security culture across the agency; managing cyber security risks and reporting against the Cyber Security Policy Requirements.

The NSW Government Data Strategy outlines a collaborative, coordinated, consistent, and safe approach to using and sharing data and insights across government to inform decisions and actions that achieve the best possible outcomes for the people and businesses of NSW. The Strategy complements the NSW Beyond Digital Strategy, which guides NSW Government in using data and insights to understand customer needs and enhance services, providing a better and more targeted experience in line with customer commitments. The NSW Government Data Strategy will further develop the government's maturity in using data for better community outcomes. It focuses on harnessing the power of data to shape the future, delivering on government priorities, responding to emerging issues, and most importantly, delivering the experience and services that the people and businesses of NSW expect, while maintaining the privacy, security, and ethical standards that are expected. 

The Guidelines set out the NSW Government’s approach to classifying, labelling and handling sensitive information. The classification of information created, owned and managed by the NSW Government is a mandatory requirement under the NSW Cyber Security Policy. The Guidelines are consistent with the Australian Government security classification system. 

Additional legal, regulatory and policy requirements may apply in specific agency or business domains. All organisations should identify the specific requirements that apply to their environment.