The office of NSW Attorney-General Brad Hazzard has confirmed the government’s intentions to update the state’s privacy legislation to make it clear where agencies and healthcare providers stand when it comes to storing data offshore, particularly as part of cloud computing arrangements.
The NSW Privacy Commissioner, Elizabeth Coombs, finalised her draft code of practice for offshore data hosting and handed it to the Attorney-General in May this year, after a number of aborted attempts by her predecessors.
That same month, she acknowledged before a parliamentary committee that the guidance was about 13 years overdue, but said putting it together had proved to be “a more drawn-out process than we originally anticipated”.
Hazzard, however, has decided to take the guidance a step further and address the issue of transborder movement of personal data in a new version of the NSW Privacy and Personal Information Protection Act 1998, which applies to state government bodies and custodians of health data about NSW citizens.
A spokesperson for the Attorney-General told iTnews she could not yet detail what the changes would likely entail.
“The government is currently consulting on potential legislative arrangements,” she said. “Following this consultation, the government will progress the reforms.”
Previously, the State Records Act outlawed the storage of public sector documents outside of NSW altogether, until this was amended with a ‘general authority’ allowing the movement of records into remote cloud environments.
The government’s cloud policy explains that out-of-state storage is now permitted in cases where “an appropriate risk assessment has been made and where the records are managed in accordance with all the requirements applicable to State records under the State Records Act” - including active monitoring of the service provider’s obligations.
Coombs has enthusiastically welcomed the Attorney-General’s plans to make the government's stance more transparent and legally binding.
“This is extremely positive news, bringing NSW in line with the Commonwealth, Queensland and Victoria, and recognises the need for protection of the personal information of NSW citizens in the global information economy,” she told iTnews.
“During the early stage of my term as Privacy Commissioner it was raised as a priority with me by stakeholders, as NSW currently has no statutory instrument in place to regulate the appropriate movement of information across borders.”