Agencies must comply with all applicable laws when developing and using an AI solution. Further, agencies must be mindful of the ethical and probity requirements of the Government Sector Employment Act 2013 and the Government Sector Finance Act 2018.
Agencies also need to comply with privacy and information access laws in their development and use of AI solutions. The NSW Government AI User Guide will provide assistance to agencies on data considerations during project design and implementation. However, there is a range of legislative protections in place, in both the NSW and Commonwealth jurisdictions, to protect personal data and maintain privacy.
Relevant legislation must always be considered for any use of AI, while noting that the complexity of the project, and its objectives, will be critical factors.
There are a number of Acts and regulations that promote the protection of personal and health information in NSW that is collected, stored and used by public sector agencies to provide services to the public:
- Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act)
- Privacy and Personal Information Protection Regulation 2014 (NSW) (PPIP Regulation)
- Privacy and Personal Information Protection Regulation 2005 (NSW) (PPIP Regulation) repealed on 1 September 2014 (NSW Legislation website)
- Privacy Codes of Practice made under PPIP Act (exemptions)
- Privacy Code of Practice (General) 2003 (NSW)
- Public Interest Directions made under PPIP Act (exemptions)
- Health Records and Information Privacy Act 2002 (NSW) (HRIP Act)
- Health Records and Information Privacy Regulation 2017 (NSW) (HRIP Regulation)
- Health Records and Information Privacy Code of Practice 2005 (NSW)
- Health Public Interest Directions made under HRIP Act (exemptions)
- Road Transport Act 2013
- NSW Anti-Discrimination Act 1977.
The PPIP Act
The PPIP Act applies to NSW public sector agencies including government agencies, local councils and universities.
The HRIP Act
The HRIP Act applies to NSW public sector agencies including government agencies, local councils, State Owned Corporations, universities and public sector health organisations, as well as private sector organisations, health service providers and businesses with a turnover of more than $3 million which hold health information.
There are other laws that should be considered before commencing any AI-based project.
- Privacy Act 1988 (Cth)
- Workplace Surveillance Act 2005 (NSW)
- Surveillance Devices Act 2007 (NSW)
- Telecommunications (Interception and Access) Act 1979 (Cth)
- Adoption Act 2000 (NSW)
- Assisted Reproductive Technology Act 2007 (NSW)
- Crimes (Forensic Procedures) Act 2000 (NSW)
- Criminal Records Act 1991 (NSW)
Information and Privacy Commission
The Information and Privacy Commission (IPC) can assist with guidance on data and information handling to ensure the AI project addresses all privacy and information access considerations. The IPC provides education primarily for public sector agency staff working with the:
- Government Information (Public Access) Act 2009 (GIPA Act)
- Privacy and Personal Information Protection Act 1998 (PPIP Act)
- Health Records and Information Privacy Act 2002 (HRIP Act)
Training and education that extends to both privacy protection and right to information is delivered via a variety of methods to assist public sector agency officers to perform their duties under legislation. More information can be found at: https://www.ipc.nsw.gov.au/about-us/ipc-e-learning.
There are a number of existing accountability mechanisms that provide rigour and assurance for government projects, including ICT projects, and subject them to a range of checks and balances. AI remains a relatively new technology for government and there is community concern about how it is applied, particularly where decisions impact citizens. For these reasons, further assurance is required to build public confidence as maturity in the use of the technology grows across the sector.
Existing assurance mechanisms
There are a number of existing governance mechanisms across government that provide transparency and assurance for AI and other projects. These ensure that projects will deliver the outcomes stated in the original business case, that the development of the solution is in line with public sector requirements and that the final product works as intended. These mechanisms include:
- ICT Assurance Framework
- IIAF Assurance Framework
- NSW Audit Office and internal audit functions within agencies
- Accountability of Secretaries and agency heads
- Accountability of project steering committees
Additional assurance for AI
AI projects subject to the ICT Assurance Framework must follow an additional assurance process. All projects must first be registered as low, medium or high risk. This is based on the data that the software uses or will use and the types of decisions that it will generate.
|Risk level|Description|
|---|---|
|Low|Uses basic or generic information: for example, large-scale de-identified information or logistics data. AI-informed decisions are expected to be low impact on individuals or community safety.|
|Medium|Uses personal data that is not sensitive or decisions that have medium level implications for individuals or community safety.|
|High|Uses sensitive personal data, i.e. identifiable data relating to health or financial position, or data that concerns minority groups. The high risk category involves data that could have direct personal implications for someone's wellbeing or present high risk to community safety if not implemented properly.|
This level of assurance will be in place for an interim period and will be reviewed as government maturity in the use of AI grows. All projects must submit a high-level project document (see Attachment F in AI User Guide). The ICT Assurance Framework review panel for AI projects will include AI governance and ethics experts both internal and external to government.
AI Advisory Committee
NSW Government will put in place an AI Advisory Committee, to be chaired by the NSW Government Chief Data Scientist. The Committee will be a key source of expertise to both government and agencies on AI implementation.
The Committee’s role will be to work with project teams to manage and mitigate risks, particularly on projects determined as high-risk. It will be comprised of experts from industry, academia and government and will advise on projects to ensure consistency with this AI Ethics Policy.