NSW govt digital projects to face new privacy test

All IT projects bankrolled from the NSW government’s $1.6 billion digital restart fund will be subject to review by the state’s information and privacy commissioners by law, in a drastic escalation of privacy oversight.

Amendments to the Digital Restart Fund Bill, which recently passed through the state’s Parliament, will require the Minister for Customer Service to “obtain and have regard to” privacy advice for each project before approving payment from the fund.

Both the information commissioner and privacy commissioner will consider the effect the project might have on the protection of personal information under the Privacy and Personal Information Act and Health Records and Information Privacy Act.

The commissioners will similarly consider the effect on “access to government information under the Government Information (Public Access) Act” under the changes, which also make it possible for the minister to seek advice from others before awarding funding. 

The digital restart fund is the government’s answer to a contemporary IT funding model, and is being used to accelerate digital projects that remove legacy infrastructure and build common, reusable platforms.

Agencies will be able to access the funding - which was topped up with $1.6 billion in June after being established in last year’s budget - in up to $20 million hits based on their track record with IT projects.

In addition to privacy advice, the government will be required to produce a report that details payments from the fund, including “where money has been paid to fund all or part of the cost of a project”, in any given financial year.

The report will contain the name of the agency involved, project name, total cost and amount of funding siphoned from the fund, when the project is expected to be completed, as well as any further information to be determined by the Treasurer.

The changes were brought by the state’s opposition, and supported by the government, after concerns about the lack of assessment processes and assurance plans in the legislation were raised.

Labor MLC and shadow finance minister Daniel Mookhey last month said there was a need to guarantee that digital restart fund projects have built-in privacy and cyber security protections.

“The opposition is concerned that the bill lacks legislative safeguards to ensure that projects are independently assessed for their impacts of privacy,” he said.

He also said that the Information and Privacy Commission’s submission to the inquiry into the bill had called for it to require that the minister “take advice about privacy and information access controls and mechanisms embedded in the proposed project”.

“These amendments seek to give effect to these submissions by the Information Commissioner and Privacy Commissioner,” Mookhey said.

“The government may claim that this is unnecessary because any projects funded by the digital restart fund would be subject to the provisions of the Government Information (Public Access) Act, the Privacy and Personal Information Protection Act and, if relevant, the Health Records and Information Privacy Act.

“However, the Opposition believes strongly in the principle of privacy by design. We believe that information access and privacy rights should be considered at an early stage in a project's life and not treated as an afterthought when something has gone wrong.

“If the government is already assessing data and privacy issues as part of the digital restart fund process, it should have no objection to supporting this amendment and formalising privacy and information protections in this bill.”

Customer Service Minister Victor Dominello placed his support behind the amendments, which he said were “some excellent suggestions regarding the process of approval of money to be paid out of the digital restart fund”.

“Despite the amendments, the Department of Customer Services continues to work with the Information and Privacy Commission NSW and will still practice this process,” Dominello said.

“This will include a commitment to a privacy-by-design approach, which is in line with the digital restart policy that will accompany the legislation.”