NSW Privacy Commissioner Dr Elizabeth Coombs has repeated her call for the state government to shore up privacy legislation governing the public sector with explicit provisions for how personal data should be protected interstate and overseas.
Last year then-Attorney General Brad Hazzard told the Information and Privacy Commission (IPC) he wanted a legislative amendment to address offshore data hosting obligations.
But after the portfolio moved under new state A-G Gabrielle Upton this month, the matter appears to have fallen off the agenda.
Coombs wants data offshoring provisions added to the NSW Privacy and Personal Information Protection (PIPP) Act, which governs how state government entities treat information they hold about NSW's 7.4 million residents.
She argued this would bring it in line with the Commonwealth Privacy Act and a number of other states.
“Citizens should be able to expect that their information is protected to the same high level in all jurisdictions,” she told iTnews.
State-based legislation “should be consistent and align with the Commonwealth primary regime,” she said.
The federal Privacy Act makes it clear that Australian-based entities will still be held accountable for the treatment of information that is hosted in another country.
It is up to organisations covered by the Act to make sure that local laws and vendor practices align with their Australian privacy obligations.
Data offshoring governance has had a frustrated history in NSW.
“Back in 1998 when the legislation was first introduced it was expected that 12 months later a code of practice would be introduced to govern information movement out of NSW,” Coombs said.
“For a variety of reasons this was never completed.”
But Coombs said her calls have been received well by new Attorney-General Upton.
Legislative change will not occur quickly, however, as the new minister needs to digest information on the issue, including a 12-month assessment of the PIPP Act’s usefulness handed down by the IPC earlier this week.
“Changes like this do take time,” Coombs said.
“If decision makers are fully informed and interested in why these changes need to take place, the approach will be far more positive in the long run.”
The IPC report reiterated calls for the state government to fill several other gaps in the law, like a loophole which means state-owned corporations (SOCs) such as energy companies and water providers are not beholden to any privacy laws.
When the PIPP Act was first passed in 1998, SOCs were excluded on the rationale that they needed to operate on a level playing field with their commercial peers.
But since then, all non-state government organisations with a turnover beyond $3 million have come under the Commonwealth Act.
Coombs pointed out that NSW-owned corporations “hold very considerable amounts of customer information”.
“Some of them, such as Sydney Water, have made very strong and constructive efforts to apply the PIPP Act to their operations,” she said.
“But their legislative status still means that if SOC customers make a complaint about the way their information has been treated and they are not happy with the response, they have no recourse for external review.”