NSW will finally get new privacy laws that govern how and when state-held information can be shared outside its boundaries, thanks to an amendment to the Privacy Act passed by parliament last week.
NSW Privacy Commissioner Dr Elizabeth Coombs has been chasing the new rules for a number of years now.
The legislation is aimed at addressing deficiencies in the Privacy and Personal Information Protection Act 1998 which meant personal information on NSW citizens was no longer protected once it moved outside state borders.
The state’s privacy legislation, which controls the use and disclosure of personal data held by public sector organisations, came into effect 17 years ago.
Guidelines for data sharing interstate and with Commonwealth were expected to follow soon after, but never materialised.
Ten years later, a legal spat between the NSW Department of Education and Training and one of its former teachers set a legal precedent that NSW government information is no longer protected once it leaves NSW, in the absence of the overdue code of practice.
The just-passed bill sought to close this gap by introducing a list of conditions on sharing information outside the NSW jurisdiction, including:
- Ensuring the recipient is subject to a law with equivalent privacy protections to NSW privacy law,
- Obtaining the “express consent” (as opposed to implied consent) of the individual identified in the data, and
- Taking “reasonable steps” to ensure the data will be handled by the recipient in line with the demands of the NSW Privacy Act.
Data sharing will also be allowed in situations where it is necessary to fulfil a contract between the NSW government and third party, or it is needed to address a “serious or imminent threat” to life, health or safety of an individual.
The new law is designed to make it clear that NSW entities are still responsible for privacy even outside state borders when they are sharing data with other governments or third-party vendors like cloud hosting providers.
The bill passed unopposed.
NSW Attorney-General Gabrielle Upton said the legislation would finally deliver “clarity to both New South Wales public sector agencies and individuals about when such disclosures are permitted”.
The passage of the amendment comes more than a year after Upton’s predecessor Brad Hazzard indicated his intention to bypass a code of practice and formalise the cross-border information provisions in law.
Coombs welcomed the legal changes after more than a decade of inertia on the privacy gap.
“NSW was the second international jurisdiction to introduce specific privacy protections, back in 1975," she said.
“But the current legislation was introduced 17 years ago – this update and simplification have been long awaited."