Module 2: Legal and Policy Context

The GIPA Act facilitates public access to NSW Government information. It does this by authorising and encouraging the release of information by NSW Government agencies, giving members of the public the right to request access to government information, and by ensuring government information is only restricted where there is an overriding public interest against disclosing the information.

The PPIP Act  provides for the protection of personal information, and the protection of the privacy of individuals generally. Under the Act, all personal information that is made, kept or collected by government organisations must be created and managed in accordance with the Information Protection Principles under the PPIP Act. The Information and Privacy Commission website has an overview of NSW privacy legislation.

The HRIP Act protects health records and information by protecting the privacy of an individual’s health information held by the public and private sectors, enables individuals to gain access to their information and provides an accessible framework for the resolution of complaints regarding the handling of health information. The 15 Health Privacy Principles are legal obligations that agencies must abide by when collecting, holding, using and disclosing a person’s health information. 

The State Records Act sets out the rules for the creation, capture, control, use, maintenance and disposal of all records and information in line with whole-of-government records and information management policies. The NSW State Archives & Records Authority has developed the  Records and Information Management Policy checklist that helps agencies ensure their internal strategies are consistent with whole-of government information management policy. 

The Data Sharing Act  enables the sharing of data between NSW Government agencies, and with the Data Analytics Centre (DAC). The Act encourages and facilitates data sharing, outlines safeguards for sharing data, states that data sharing must be legally compliant, ensures data involving personal information is protected, and allows the responsible Minister to direct agencies to provide data to the DAC under certain circumstances.

Data should be open to the extent that its management, release and characteristics meet the objectives of openness, accountability, fairness and effectiveness set out in the Government Information (Public Access) Act 2009 (NSW). Under the GIPA Act, there is a presumption in favour of the disclosure of information, unless there is an overriding public interest against disclosure.

The Policy sets out six open data principles that all government data must be:

1. Open by default, protected where required;
2. Prioritised, discoverable and usable;
3. Primary and timely;
4. Well managed, trusted and authoritative;
5. Free of charge where appropriate; and
6. Subject to public input.

The Policy sets out mandatory requirements that all agencies must comply with to ensure that cyber security risks to data, information, and systems are managed and data is kept secure. These include: implementing cyber security and governance; building and supporting a cyber security culture across the agency; managing cyber security risks and reporting against the Cyber Security Policy Requirements. 

The Policy defines a set of principles for the management and maintenance of the State’s core data and information assets as well as outlining custodianship roles and responsibilities. Implementation of this policy and adherence to its principles facilitate compliance with the NSW Information Management Framework. 

The Framework sets out the core characteristics of ‘information’ for the NSW Government, which includes data and records, as well as a shared whole-of-government direction for information management. It sets out the vision, principles, minimum requirements, governance and capabilities for effective information management across the public sector. The Data Governance Toolkit expands on the data governance-related components of the Framework.

The Guidelines set out the NSW Government’s approach to classifying, labelling and handling sensitive information. The classification of information created, owned and managed by the NSW Government is a mandatory requirement under the NSW Cyber Security Policy. The Guidelines are consistent with the Australian Government security classification system.