Priority area 3: Privacy and security

Ensure data privacy and protection from cybersecurity threats

Safeguarding the privacy of all individuals who may interact with, or be impacted by, the use of AI systems at or in connection with NSW Health, and ensuring robust data security, are fundamental to the responsible adoption of AI in healthcare.

Effective privacy and security measures build trust, uphold compliance with legal and ethical standards, and protect sensitive health information from misuse or breaches.

Safeguard privacy

AI systems must protect individual privacy. NSW Health must ensure informed consent for the use and disclosure (including transborder disclosure) of personal information to AI systems, cybersecurity compliance, and privacy legislation adherence, and maintain transparency of data usage. NSW Health organisations should:

foster public trust through robust security measures, and stakeholder and community engagement
identify unreasonable safety risks and protect against foreseeable misuse and risk of harm
provide sufficient information about how data; specifically, personal information, will be stored, used, and disposed of, and consider informed consent processes
maintain transparency around data use, including reasonably expected and otherwise authorised secondary uses of personal information in accordance with applicable laws.

Secure data and models

Protect the confidentiality, integrity and availability of healthcare data and models through strong data handling practices.

Maintain, control and protect healthcare data to assist with resource allocation and planning.
Determine the minimum data requirements for the collection, storage and sharing of health data.
Ensure good data mapping and access practices to minimise security breaches.
Perform privacy impact assessments as required by law, which may include circumstances where any personal information will be provided to, generated, collected, stored, accessed or disclosed by an AI system.

Policy and guidance

Below are the key considerations for integrating AI, along with current policies and guidance that outline healthcare and technology obligations for maintaining privacy and security.

Topic	Current policies and guidance
Key privacy laws and regulations	Privacy and Personal Information Protection Act 1998 (NSW)(PPIP Act) Privacy and Personal Information Protection Regulation 2019 (NSW) (PPIP Regulation) Privacy Codes of Practice made under PPIP Act (exemptions) Privacy Code of Practice (General) 2003 (NSW) Public Interest Directions made under PPIP Act (exemptions) Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) Health Records and Information Privacy Regulation 2017 (NSW) (HRIP Regulation) Health Records and Information Privacy Regulation 2022 (NSW) (HRIP Regulation) Health Public Interest Directions made under HRIP Act (exemptions) Government Information (Public Access) Act 2009 (GIPA Act) Privacy Act 1988 (Cth) Data Sharing (Government Sector) Act 2015 (NSW) Government Sector Employment Act 2013 Government Sector Finance Act 2018
Privacy	NSW Health Privacy Manual for Health Information Provides operational guidance for complying with the Health Records and Information Privacy Act 2002 (NSW), outlining procedures for managing personal health information across NSW Health activities. Source: NSW Health Guide to Privacy Impact Assessments in NSW Helps identify and minimise privacy risks when starting a new project or making changes to existing initiatives. Source: Information and Privacy Commission NSW Guide to Undertaking Privacy Impact Assessments on AI Systems and Projects Provides guidance to NSW government agencies on carrying out privacy impact assessments on AI systems. Source: Information and Privacy Commission NSW
Cybersecurity	Advice on the Use of Generative Artificial Intelligence Provides guidance to NSW Health staff on the use of generative AI. Source: NSW Health NSW Cyber Security Policies Provides a framework to guide cyber security uplift across NSW Government agencies, outlining mandatory requirements, reporting obligations, threat-based cyber risk management principles, roles and responsibilities, and support resources. Source: Digital NSW
Minimum standards for developers	ISO Standards – Information Technology – Artificial Intelligence Guidance on Risk Management (ISO/IEC 23894:2023) Guidance on how organisations that develop, produce, deploy or use AI products, systems and services can manage AI-specific risks. Management System (ISO/IEC 4200:2023) Specifies requirements for establishing, implementing, maintaining and continually improving an artificial intelligence management system (AIMS) within organisations. Source: International Organization for Standardization
Data governance and use	NSW Health Data Governance Framework Outlines the roles and responsibilities involved in data governance and the structures needed to ensure effective and consistent management of NSW Health data assets. Source: NSW Health Fact Sheet: Providing Access to Health Information Information for healthcare providers about their obligations and responsibilities under NSW privacy laws. Source: Information and Privacy Commission NSW Fact Sheet: A Guide to Retention and Storage of Health Information in NSW for Private Health Service Providers Information for private healthcare providers about their obligations and responsibilities in retaining and storing health information in accordance with NSW privacy laws. Source: Information and Privacy Commission NSW Fact Sheet: Consent Guidance for NSW public sector agencies and healthcare providers in understanding the issue of consent in the context of privacy laws in NSW. Source: Information and Privacy Commission NSW Artificial Intelligence Ethics Policy This policy outlines 5 overarching principles that are designed to ensure best practice use of AI. Source: Digital NSW

Practice

Practice areas	Considerations
Privacy and data protection	Develop minimum cybersecurity standards and accreditation requirements for healthcare AI users Determine whether the AI system requires a privacy impact assessment. If personal or health information will be collected, stored, used, or disclosed to, or by, the AI system, conduct a privacy impact assessment for the AI system. An assessment may still be conducted if no personal or health information is being collected to show how personal information is not being used Develop an appropriate consent management approach and ensure consent requirements for AI system use is clear, especially where it interfaces with personal information. Refer to Priority area 1: Consumers Develop an appropriate consent management approach and ensure consent requirements are clear for using AI tools Monitor and raise awareness of upcoming changes in privacy laws and regulations Ensure those assessing data understand, and are supported in, navigating complex and evolving privacy laws Clearly define data usage, distinguishing between identifiable and non-identifiable data Ensure privacy policies of NSW Health and AI providers address secondary use, disclosures and storage of information.
Ethical use and accountability	Ensure transparency in data ownership, including through appropriate AI system procurement settings Require AI developers to enter contractual terms that comply with privacy and appropriate ethical standards Develop mechanisms to address risks associated with both medical and non-medical applications of AI systems
Infrastructure and interoperability	Determine the technological, hardware and software requirements to support deployment and scalability Evaluate the ability of the AI system to easily exchange and integrate data across existing platforms and devices

Challenges and opportunities

When adopting AI systems, focus on the following to ensure privacy and security of health data:

Prevention of data breaches
Privacy settings
Well-defined data ownership
Monitoring for bias
Clear consent management

Optimising privacy and security fosters trust and transparency and benefits all stakeholders and is mandated at law.

Previous:Priority area 2: Workforce

Next:Priority area 4: Governance and regulation