Key considerations

NSW Government agencies will use the NSW Government AI Assurance Framework to assist with procurement, design and implementation of AI systems.

The Framework provides information for agencies on the use of AI. In addition, agencies must consider legislative requirements for their solutions.

Legislative requirements

Agencies must comply with all applicable laws when developing and using an AI solution. Further, agencies must be mindful of the ethical and probity requirements of the Government Sector Employment Act 2013 and the Government Sector Finance Act 2018.

Agencies also need to comply with privacy and information access laws in their development and use of AI Solutions. The NSW Government AI Assurance Framework will provide assistance to agencies on data considerations during project design and implementation. However, there are a range of legislative protections in place, in both the NSW and Commonwealth jurisdictions, to protect personal data and maintain privacy.

Relevant legislation must always be considered for any use of AI, while noting that the complexity of the project, and its objectives, will be critical factors.

There are a number of Acts and regulations that promote the protection of personal and health information in NSW that is collected, stored and used by public sector agencies to provide services to the public:

  • Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act)
  • Privacy and Personal Information Protection Regulation 2014 (NSW) (PPIP Regulation)
  • Privacy and Personal Information Protection Regulation 2005 (NSW) (PPIP Regulation) repealed on 1 September 2014 (NSW Legislation website)
  • Privacy Codes of Practice made under PPIP Act (exemptions)
  • Privacy Code of Practice (General) 2003 (NSW)
  • Public Interest Directions made under PPIP Act (exemptions)
  • Health Records and Information Privacy Act 2002 (NSW) (HRIP Act)
  • Health Records and Information Privacy Regulation 2017 (NSW) (HRIP Regulation)
  • Health Records and Information Privacy Code of Practice 2005 (NSW)
  • Health Public Interest Directions made under HRIP Act (exemptions)
  • Government Information (Public Access) Act 2009 (GIPA Act)
  • Privacy Act 1988 (Cth)
  • Data Sharing (Government Sector) Act 2015 (NSW)

The PPIP Act

The PPIP Act applies to NSW public sector agencies including government agencies, local councils and universities.

The HRIP Act

The HRIP Act applies to NSW public sector agencies including government agencies, local councils, State Owned Corporations, universities and public sector health organisations, as well as private sector organisations, health service providers and businesses with a turnover of more than $3 million which hold health information.

Other relevant legislation:

Other laws that should be considered before commencing any AI-based project include:

  • State Records Act 1998 (NSW)
  • Road Transport Act 2013 (NSW)
  • NSW Anti-Discrimination Act 1977 (NSW)
  • Disability Discrimination Act 1992 (Commonwealth)
  • Workplace Surveillance Act 2005 (NSW)
  • Surveillance Devices Act 2007 (NSW)
  • Telecommunications (Interception and Access) Act 1979 (Cth)
  • Adoption Act 2000 (NSW)
  • Assisted Reproductive Technology Act 2007 (NSW)
  • Crimes (Forensic Procedures) Act 2000 (NSW)
  • Criminal Records Act 1991 (NSW)
  • Police Act 1990 (NSW)

Information and Privacy Commission

The Information and Privacy Commission (IPC) can assist with guidance on data and information handling to ensure the AI project addresses all privacy and information access considerations. The IPC provides education primarily for public sector agency staff working with the:

  • Government Information (Public Access) Act 2009 (GIPA Act)
  • Privacy and Personal Information Protection Act 1998 (PPIP Act)
  • Health Records and Information Privacy Act 2002 (HRIP Act)

Training and education that extends to both privacy protection and right to information is delivered via a variety of methods to assist public sector agency officers perform their duties under legislation. More information can be found at: https://www.ipc.nsw.gov.au/about-us/ipc-e-learning.

Assurance requirements

AI remains a relatively new technology for government and there is community concern about how it is applied, particularly where decisions impact citizens. It is imperative that the NSW Government ensure that AI solutions are designed with and monitored against explicit standards for performance, reliability, robustness and auditability, and that they align with the NSW Government Ethical AI Principles. For these reasons, the NSW Government has implemented an AI Assurance Framework to ensure public confidence as maturity in the use of the technology grows across the sector. 

There are also a number of other accountability mechanisms that provide rigor and assurance for government projects, including ICT projects, and subject them to a range of checks and balances.

AI Assurance Framework

NSW Government has implemented an AI Assurance Framework to help agencies design, build and use AI technology appropriately. 

The Framework contains questions that project teams will need to answer at every stage of implementing and operating an AI system. The aim of the framework is to support the NSW Government to innovate with AI technology, while making sure we use it safely and securely, with clear accountability for the design and use of our AI Systems.

How to use the Framework

The Framework is intended to be used by:

  • project teams who are using AI systems in their solutions
  • operational teams who are managing AI systems
  • Senior Officers who are accountable for the design and use of AI systems
  • internal assessors conducting agency self-assessments

The Framework should be used:

  • during all stages of an AI project from inception to handover
  • periodically to review services that use AI systems.

The Framework does not apply to projects that are:

  • using an AI system that is a widely available commercial application, and
  • which are not customizing this AI system in any way or using it in a way other than as intended.

Review by an AI review body

The AI Assurance Framework applies to all projects that use an AI system; however, the assurance requirements differ between small and large projects. 

Large projects

Large AI projects and services are required to self-assess against the AI Assurance Framework. This self-assessment must be reviewed by a NSW AI review body. The review body, which is currently in development, will review the answers and explanations within the assessment and may make recommendations to help mitigate risks.

The criteria for a large project is any project or service that:

  • uses an AI system, and
  • is funded from the Digital Restart Fund, or
  • exceeds an estimated total cost of $5 million.

Small projects

Small AI projects and services are required to self-assess against the AI Assurance Framework and seek approval for this assessment from an appropriate senior officer within the agency. 
The criteria for a small project is any project or service that:

  • uses an AI system, and
  • is funded from your agency budget, and
  • has an estimated total cost less than $5 million.

Other assurance mechanisms

There are also a number of other existing governance mechanisms across government that provide transparency and assurance for AI and other projects. These ensure that projects will deliver the outcomes stated in the original business case, that the development of the solution is in line with public sector requirements and that the final product works as intended. These mechanisms include:

  • ICT Assurance Framework
  • IIAF Assurance Framework
  • NSW Audit Office and internal audit functions within agencies
  • Accountability of Secretaries and agency heads
  • Accountability of project steering committees.