NSW Privacy Commissioner Dr Elizabeth Coombs has revealed that she plans to release a set of guidelines for hosting state government data outside NSW borders as a priority in 2014.
New privacy rules came into effect across the country yesterday, setting certain conditions for private sector organisations and federal government agencies looking to send personal information offshore.
However, the new rules do not affect state agencies bound by their own versions of privacy legislation, such as the Privacy and Personal Information Protection Act 1998 in NSW.
Coombs acknowledged that a state-specific transborder code of practice is about 13 years overdue.
“When the Act was first introduced some 14 years ago it would appear—as one reads it and looks back through the files—that it was envisaged that a code would be introduced within 12 months of the enactment of the legislation,” she told a parliamentary committee recently.
“For a variety of reasons, that did not occur,” she said, adding that she has been able to identify two past attempts to develop the guidance by previous commissioners.
With some empathy, she conceded that work so far had proved to be “a more drawn-out process than we originally anticipated”.
“I am anticipating, if all goes well, to be able to submit [the guidance] in the next couple of months,” she said.
Once the privacy commissioner finishes her draft, however, it will need to be endorsed by the NSW Attorney-General Greg Smith before officially taking effect.
The code of practice will acknowledge a push by the state’s public sector to take advantage of on-demand cloud hosting arrangements, many of which can be supported by data centres in far-flung corners of the world.
“At present there is no clear guidance to public sector agencies on their responsibilities in this area,” said Dr Coombs. “The feedback that I have received is that agencies want clarity and certainty in this area and they are expecting guidance in the form of the development of a Code of Practice.”
Some NSW government agencies have taken the plunge already. The Department of Trade and Investment, Regional Infrastructure and Services adopted a software-as-a-service ERP solution based in SAP facilities in Germany. To meet its privacy obligations, however, personal payroll data has remained in the state.
The code of practice will apply to the disclosure of privacy-sensitive data to the Australian Government and other states and territories, as well as overseas.
Early hints suggest that requirements may not be as onerous as those faced by federal agencies, thanks to rules passed down by the Attorney-General’s Department last year.
“Our intention is not to implement more heavy reporting or compliance requirements but to provide clarity and certainty in the simplest and clearest terms possible,” said Dr Coombs.