Artboard 1Icon/UI/CalendarIcons/Ionic/Social/social-pinterestIcon/UI/Video-outline

NSW Government Bulletin

02 March 2022

#Government, #Data & Privacy

Published by:

Clare Giugni

NSW Government Bulletin

[Update: This article is aimed at NSW Government agencies, not Australian government agencies. Readers should also be aware that the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 which is referred to in this article (which was written in early March) was in fact passed by the Australian Parliament in late March, before the calling of the federal election.]

Amendments to the Security of Critical Infrastructure Act 2018 (Cth) provide protection for NSW Government data

Data protection is front of mind for governments at all levels, both in Australia and internationally.  Recent and proposed amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) will provide the New South Wales Government with additional protections for its data assets.

New South Wales Government cyber risk management

The New South Wales Government has long had in place its own policies and frameworks to protect the State’s critical data assets.  For example, the ICT Purchasing Framework, which must be complied with by government agencies for the procurement of ICT and related services, incorporates mechanisms to mitigate risks associated with the procurement of these services, including data storage and processing services, by standardising the ICT procurement process across all agencies.  Under that Framework, amongst other measures, ICT providers must implement robust information security measures and must typically ensure that New South Wales Government data remains physically located within New South Wales.  To take another example, agencies are also required to comply with the New South Wales Government’s Cyber Security Policy which mandates the implementation of measures to protect systems and information from compromise.

Australia’s critical infrastructure regulatory framework

Recent and proposed amendments to the Commonwealth’s critical infrastructure legislation, the SOCI Act, provide further protections for New South Wales Government agencies regarding the security and reliability of data storage and processing services.

The Commonwealth’s critical infrastructure framework is contained in the SOCI Act.  When the SOCI Act was first implemented, it applied only to four critical sectors, namely, water, gas, electricity and ports.  Telecommunications infrastructure, which would have been expected to also be covered by the SOCI Act, was not included as it was subject (and still is subject) to its own separate critical infrastructure statutory regime.

When initially implemented, two primary obligations were imposed under the SOCI Act.  First, ownership, operational, interest and control information in respect of critical infrastructure assets was required to be provided to the Commonwealth for inclusion in a  non-public critical assets register and a Ministerial power, originally vested in the Attorney-General now the Minister for Home Affairs, was granted to issue directions in limited circumstances.

Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (First Amendment Act)

The First Amendment Act was passed in late 2021.  In summary, it amended the SOCI Act to:

  • Include an additional seven sectors as critical infrastructure sectors, increasing the total number of critical infrastructure sectors governed by the SOCI Act regime to eleven.
  • Introduce new provisions requiring reporting by responsible entities of cyber security incidents that involve critical infrastructure assets.
  • Provide for an Australian Government assistance regime, which is triggered where specific types of cyber security incidents occur and there is no other existing regulatory regime of the Commonwealth, a State or a Territory that could be used to provide a practical and effective response to the incident.

One of the new critical infrastructure sectors now falling within the scope of the SOCI Act is the “data storage or processing sector”.  This is defined as the sector of the Australian economy that involves providing data storage or processing services.  A data storage or processing service is in turn defined to mean a service that enables end-users to store or back-up data (through the use of information technology) or a data processing service.  This sector therefore captures data storage or processing services where the provider controls the physical infrastructure or computing platforms used to provide such services.  Such infrastructure includes for example enterprise data centres, managed services data centres, colocation data centres and cloud data centres. 

The inclusion of this sector as a critical infrastructure sector reflects the Australian Government’s view that all levels of government and industry are increasingly dependent on data storage and processing services, for example cloud services, for their effective operation.  Accordingly, the ongoing availability of such services is critical for facilitating the effective functioning of much of Australian society.  The Australian Government has highlighted its concerns that cyber breaches involving such services may result in the disclosure of highly sensitive information relevant to the operation of the nation (or one of its States or Territories), risk foreign relations with key international partners and/or undermine economic prosperity and social stability.

Although specific sectors have been designated as critical under the SOCI Act, a particular asset used in a designated sector will only be a critical infrastructure asset, and subject to the SOCI Act regime, if that asset itself is designated as critical.  A data storage or processing asset will be characterised as a “critical infrastructure asset” if, amongst other circumstances:

  • it is owned or operated by an entity that is a data storage or processing provider;
  • it is used wholly or primarily to provide a data storage or processing service that is provided by that entity on a commercial basis to an end user that is a State or Territory or a body corporate established by the law of a State or Territory; and
  • that entity knows that the relevant asset is used for this purpose.

The definition aims to capture data storage companies or cloud computing companies that provide data storage or processing as their primary business offering on a commercial basis using the critical infrastructure asset, whether that be through, for example, infrastructure as a service (IaaS) or platform as a service (PaaS) offerings.  The assets of software as a service (SaaS) providers may also in some cases be captured by the critical data storage or processing asset definition.

The Department of Home Affairs is finalising its consultation on the Security of Critical Infrastructure (Application) Rules, which would “turn on” register reporting obligations and cyber security incident reporting obligations under the SOCI Act for most of the new critical infrastructure asset classes, including data storage or processing assets.  When those Rules commence, data storage and processing assets used primarily to provide services to New South Wales Government agencies will be classified as critical infrastructure assets and therefore subject to the SOCI Act regime.

Further amendments to SOCI Act in 2022

In February 2022, on one of the few sitting days before the next federal election, the Australian Government introduced the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (2022 Bill) to the House of Representatives.  That Bill, if it becomes law, would primarily amend the SOCI Act to provide for:

  • a mandatory requirement that responsible entities for critical infrastructure assets adopt a risk management program.  The detailed requirements for such a program would be contained in rules introduced under the Act;
  • a regime to allow systems of national significance to be declared.  These would be systems which would have a significant impact on Australia’s social and economic stability, defence or national security in the event of a cyberattack or systems which are interdependent with other critical infrastructure assets; and
  • enhanced cyber security obligations to be imposed in respect of systems of national significance.

The 2022 Bill will probably not pass the Australian Senate before the looming federal election.  However, even if there is a change of Government as a consequence of that election, it seems likely that the 2022 Bill, perhaps with some amendments, would be enacted this year.

Implications for New South Wales Government agencies

Data protection issues are equally as important to the New South Wales Government as they are to the Commonwealth Government. The SOCI Act, including as likely to be amended in the short term, provides important protections in respect of the data storage and processing services used by the New South Wales Government and its agencies.  The protections under the SOCI Act will be a welcome complement to the New South Wales Government’s existing efforts to manage cyber risk and data protection for New South Wales Government data.

Authors: Angela Flannery & Clare Giugni

In the media

Big Tech media bargaining code review begins before government activates it
A review has been launched into the Big Tech media bargaining code, before the Federal Government has formally activated it. This review has now been launched by Treasury, looking at the extent to which the code has achieved its objective of sustaining public interest journalism in Australia (1 March 2022).  More…

Identifying complexity in financial services legislation
In 2022, the ALRC is undertaking a number of projects to identify aspects of complexity in corporations and financial services legislation. These projects will provide legislators with a reform menu and allow complexity to be appropriately managed over time (22 February 2022).  More…

Australia must open its doors to Ukrainian refugees
The Law Council of Australia joins members of the international legal community in expressing grave concerns at Russia’s invasion of Ukraine in violation of international law. The Law Council of Australia calls on the Australian Government to join and support international efforts to accommodate refugees leaving Ukraine (28 February 2022).  More…

Legal profession keen to retain COVID changes justice system
The vast majority of solicitors who took part in exclusive research commissioned by the Law Society of NSW hope that many of the changes to legal practice and the justice system, brought about by the COVID-19 pandemic, will remain a permanent part of their working lives.  More…

Australian organisations should urgently adopt an enhanced cyber security posture
​​​​On 23 February 2022, the ACSC released the alert: Australian organisations encouraged to urgently adopt an enhanced cyber security posture. The updated ​Technical Advisory provides additional information to support entities to take appropriate actions in order to secure their systems and networks (28 February 2022).  More…

Focus on accountability to prevent data breaches
As Australia’s Notifiable Data Breaches scheme marks its fourth year of operation, the Office of the Australian Information Commissioner is urging organisations to put accountability at the centre of their information handling practices (22 February 2022).  More…

Safe sharing of government data for public benefit
Data sharing helped Australians to receive timely and reliable services in a time of need. Data sharing helped ‘track and trace’ to quickly identify and contact people who may have been exposed to COVID-19. Data sharing helped Australians to quickly and accurately share their vaccination status (22 February 2022).  More…

Digitising legal documents to save Australians time and money
The Morrison Government is making it easier to communicate digitally with a $2.8 million commitment. Attorney-General, Michaelia Cash said over the next 18 months the investment will improve digital approaches to document execution, and develop practical resources to support further application of the Electronic Transactions Act 1999. "We want to make it simpler for individuals and businesses to complete legal documents," the Attorney-General said (17 February 2022).  More…

Practice and courts

Commonwealth

High Court Bulletin [2022] HCAB 1 (18 February 2022)
A record of recent High Court of Australia cases: Decided, reserved for judgment, awaiting hearing in the Court's original jurisdiction, granted special leave to appeal, refused special leave to appeal and not proceeding or vacated. Read more here.

AAT Bulletin Issue No. 4/2022 21 February 2022
The AAT Bulletin is a fortnightly publication containing information about recently published decisions and appeals against decisions in the AAT’s General, Freedom of Information, National Disability Insurance Scheme, Security, Small Business Taxation, Taxation & Commercial and Veterans’ Appeals Divisions. Read more here.

Reform of Australia’s electronic surveillance framework: Discussion paper
The submission to the Department of Home Affairs in relation to its discussion paper on the reform of Australia’s electronic surveillance framework was prepared by the Law Council of Australia. Read more here.

NSW

Supreme Court of NSW Court of Appeal decisions reserved as at 25 February 2022. Read more here.

Chief Magistrate’s Memorandum No. 27A – COVID-19
As the number of COVID infections in the community has decreased, the Court is able to resume its usual work, and makes the following directions in order to balance the safety of those working within courts, the community and accessibility to justice. These directions commence on and from 28 February 2022 and apply until replaced by any subsequent memorandum. Read more here.

COVID-19: Information for attending court
The New South Wales Bar Association’s publication, COVID-19: Information for attending court was updated on 24 February 2022 with an announcement from the Supreme Court of NSW, District Court of NSW and Fair Work Commission. Read more here.

Update to Supreme Court COVID protocols
Effective from Tuesday, 1 March 2022, Bail List hearings will proceed by way of live hearing with legal practitioners appearing in person unless the presiding judge determines the matter should be heard via AVL. Read more here.

Published – articles, papers and reports

Public statement – complaint handling in Australian public service agencies
In April 2021, the Office of the Commonwealth Ombudsman invited a broad selection of APS agencies to participate in a voluntary survey about how they handle complaints. The survey aims to establish a baseline for how the APS handles complaints from members of the community. Read more here.

Submission by the Commonwealth Ombudsman reform of Australia's electronic surveillance framework discussion paper
The discussion paper by the Office of the Commonwealth Ombudsman covers a wide range of electronic surveillance issues and provides an overview of how the Government proposes to reform Australia’s electronic surveillance legislative framework. Read more here.

The role of affiliate services in promoting illegal online gambling in Australia
Australian Communications and Media Authority examines how gambling affiliates operate across a range of online platforms. Read more here.

Cases

NSW

James v Department of Justice (Corrective Services NSW) [2022] NSWCATAP 49
APPEALS – findings of fact – findings based upon acceptance of credit – no basis for setting aside.
HUMAN RIGHTS – Anti-Discrimination Act 1977 (NSW) – victimisation – whether placement of the appellant on a “transitional plan” was “on the ground of” the appellant’s earlier proceedings in the Tribunal.

Wojciechowska v Commissioner of Police [2022] NSWCATAD 70
CONSTITUTIONAL LAW (CTH) – chapter III – application under the Government Information (Public Access) Act 2009 (NSW) (the GIPA Act) came before the Tribunal Civil where one party is the state of NSW and the other party is a resident of another state – common ground that the Tribunal is not a "court of a state" – whether NCAT exercises state judicial power in hearing and determining a dispute under the GIPA Act.
ADMINISTRATIVE LAW – judicial review – construction of regulations – validity of regulation – construction of regulation-making power – whether regulations which cut down common law rights authorised – grounds to refuse visits – application to communications with legal practitioners – Crimes (Administration of Sentences) Regulation 2014 (NSW), cl 94.

Hamzy v Commissioner of Corrective Services NSW [2022] NSWCA 16
CONSTITUTIONAL LAW – inconsistency – state law having discriminatory impact on ethnic group – whether inconsistent with Racial Discrimination Act 1975 (Cth), ss 9, 10; Constitution, s 109.
HUMAN RIGHTS – discrimination – grounds – racial discrimination – ethnic origin – restrictions on use of language – disparate impact – prison security – extreme high risk inmate – communications with family and lawyers – Racial Discrimination Act 1975 (Cth), ss 9, 10.
PRISONERS – administration – supervision of visits and telephone calls – requirement to communicate in English – validity of Regulation – Commissioner’s monitoring policy – validity of policy – application to legal visits and communication with legal representatives – prisoners’ right to lawyer of choice and access to courts – whether criminal record check authorised – power to refuse visits by legal practitioners for any other reason.
STATUTORY INTERPRETATION – regulation-making power – authorising regulations limiting common law rights – sufficiency of general words – administration of prisons – rights of access to courts and legal advice – Crimes (Administration of Sentences) Regulation 2014, cll 15, 101, 116, 119.

Flowers v State of New South Wales [2022] NSWCA 28
APPEAL – leave to appeal – whether statutory threshold met – no affidavit supporting right to appeal – no objection to competency – matter deemed to be leave application.
APPEAL – motion to adduce further evidence – where appellant sought to examine opponent’s lawyers as to conduct of trial – full transcript of trial available.
APPEAL – challenge to finding as to credibility of police informant – finding not inconsistent with objective evidence nor glaringly improbable – allegation not put to police officer in cross-examination.
CIVIL PROCEDURE – hearings – application to vacate hearing – challenge to COVID-19 protocol requiring persons entering court to be vaccinated – matter not fixed for live hearing – hearing by audio-visual link or telephone available – applicant homeless – inconvenience where no live hearing.
CIVIL PROCEDURE – application for trial by jury – application for appeal to be heard by jury – no jury available on appeal.
COURT AND JUDGES – procedural fairness – reasonable apprehension of bias – plaintiff wrongly accused state of concealing documents – judge told plaintiff he owed the state an apology – whether lay observer might think judge might be biased.
TORTS – malicious prosecution – evidence of improper purpose – whether prosecutor concealed evidence – improper motive said to be revenge for prior successful claim by appellant.

Carr v Carr [2022] NSWSC 166
ADMINISTRATIVE LAW – judicial review of Secretary’s decision not to approve exhumation – plaintiff’s husband and son buried in same grave many years ago – plaintiff applied for approval to exhume remains for re-interment at different cemetery pursuant to Public Health Regulation 2012 (NSW), cl 70 – surviving children of marriage opposed exhumation applications – Secretary’s delegate refused application on basis of children’s opposition – whether children were “nearest surviving relatives” in respect of the deceased son – whether applications required to be determined separately – whether delegate entitled to have regard to children’s objections to application in respect of the deceased son – whether remains buried in consecrated land – whether procedural fairness required delegate to give notice of aspects of the decision in advance – Secretary’s decision not circumscribed as plaintiff contended – no denial of procedural fairness – summons dismissed.

Legislation

Commonwealth

Acts Compilation

Foreign Judgments Act 1991
1 March 2022 – Act No. 112 of 1991 as amended.

Child Support (Registration and Collection) Act 1988
1 March 2022 – Act No. 3 of 1988 as amended.

Work Health and Safety Act 2011
1 March 2022 – Act No. 137 of 2011 as amended.

Judiciary Act 1903
28 February 2022 – Act No. 6 of 1903 as amended.

Admiralty Act 1988
24 February 2022 – Act No. 34 of 1988 as amended.

Broadcasting Services Act 1992
24 February 2022 – Act No. 110 of 1992 as amended.

Special Broadcasting Service Act 1991
24 February 2022 – Act No. 180 of 1991 as amended.

Foreign States Immunities Act 1985
23 February 2022 – Act No. 196 of 1985 as amended.

Administrative Appeals Tribunal Act 1975
23 February 2022 – Act No. 91 of 1975 as amended.

Australian Broadcasting Corporation Act 1983
23 February 2022 – Act No. 6 of 1983 as amended.

Commonwealth Electoral Act 1918
18 February 2022 – Act No. 27 of 1918 as amended.

Referendum (Machinery Provisions) Act 1984
18 February 2022 – Act No. 44 of 1984 as amended.

Veterans' Entitlements Act 1986
17 February 2022 – Act No. 27 of 1986 as amended.

Bills
Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 – 25 February 2022
Appropriation (Coronavirus Response) Bill (No. 2) 2021–2022 – 17 February 2022
Appropriation (Coronavirus Response) Bill (No. 1) 2021–2022 – 17 February 2022

NSW

Bills
COVID-19 and Other Legislation Amendment (Regulatory Reforms) Bill 2022 – 23 February 2022
Electronic Conveyancing (Adoption of National Law) Amendment Bill 2022 – 22 February 2022
Motor Sports Bill 2022 – 22 February 2022
Major Events Amendment Bill 2022 – 22 February 2022
Health Legislation (Miscellaneous) Amendment Bill 2022 – 23 February 2022
Biosecurity Order (Permitted Activities) Amendment Order 2022 (2022–37) – LW 16 February 2022
Administrative Arrangements (Administrative Changes–Miscellaneous) Order 2022 (2022–38) – LW 17 February 2022

Regulations
Environmental Planning and Assessment Amendment (Moree Activation Precinct) Regulation 2022 (2022–39) – LW 18 February 2022
Environmental Planning and Assessment Amendment Regulation 2022 (2022–40) – LW 18 February 2022
Liquor Amendment (Outdoor Dining) Regulation 2022 (2022–41) – LW 18 February 2022
Mining Amendment (Competitive Selection Process) Regulation 2022 (2022–42) – LW 18 February 2022
Road Transport (Vehicle Registration) Amendment (Primary Producer’s Vehicle) Regulation 2022 – (2022–43) LW 18 February 2022
Water Management (Application of Act to Certain Water Sources) Proclamation 2022 (2022–44) – LW 18 February 2022
Public Health Amendment (COVID-19) Regulation (No 2) 2022 (2022–52) – LW 24 February 2022
Public Health Amendment (COVID-19) Regulation 2022 (2022–53) – LW 24 February 2022
Design and Building Practitioners Amendment (Miscellaneous) Regulation 2022 (2022–62) – LW 2 March 2022
Public Health Amendment (COVID-19 Penalty Notice Offences) Regulation 2022 (2022–63) – LW 2 March 2022

Disclaimer
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.

Published by:

Clare Giugni

Share this