government digital transformation bill 2021 arrangement of … bill 2021 first draft.pdf · 2021....

GDT Bill (Draft I January 2021)

1

No. X of 2021.

Government Digital Transformation Bill 2021

ARRANGEMENT OF CLAUSES

PART I – PRELIMINARY

1. Compliance with Constitutional Requirements

2. Purpose

3. Interpretation

4. National Interest

5. Act binds State and application to Public Bodies

6. Certain Proceedings against the State and Public Bodies not enforceable

7. Functions and powers of the Minister

8. Minister to approve certain new ICT

9. Minister may issue certain directives

PART II – INSTITUTIONAL ARRANGEMENTS

10. Change of name to Department of Information and Communication Technology

11. Departmental Head

12. Functions and powers of the Departmental Head

13. Deputy Secretaries

14. Department as Government Central ICT Coordinating Agency

15. Functions of the Department

16. Powers of the Department

17. Government Digital Services Strategic Plan

18. Public Sector ICT Development Project Funding

19. Digital Transformation Officers

20. ICT Incubation Centre

21. National Cyber Security Centre

22. Functions of National Cyber Security Centre

23. Joint Strategic Centre

24. Functions of Joint Strategic Centre

25. Public Service ICT Audit Committee

26. Functions of the Public Service ICT Audit Committee

27. Deemed Government Priorities for UAS Funding

PART III – PUBLIC SERVICE ICT STEERING COMMITTEE

28. Public Service ICT Steering Committee

29. Functions of the Public Service ICT Steering Committee

30. Evaluation of certain ICT project designs and contracts

31. Meetings of the Public Service ICT Steering Committee


2

PART IV – DIGITAL INFRASTRUCTURE

32. Digital Infrastructure

33. Use of Digital Infrastructure

34. Critical Digital Infrastructure

35. Government Cloud

36. Government Private Network

37. Data Traffic Prioritization if Government Private Network not available

38. Alternative networks to the Government Private Network

39. Redundancy Requirement for Government Private Network

40. Localising Digital Infrastructure for Government Private Network

41. National Strategic Electronic Data Bank

42. Central Electronic Data Repository

43. Access to Central Electronic Data Repository

44. Secured Information Exchange Platform

45. Security Surveillance Using Digital Technology

PART V – DIGITAL SERVICES AND RELATED MATTERS

46. Digital Services

47. Provision of Digital Services and making Digital Services accessible

48. Digital services for Expanding Financial Inclusion

49. National e-Government Online Portal

50. Open data

51. Infrastructure as Shared Services (should be under Infrastructure)

52. Government Domain

53. Government Emails and Websites

54. Government Social Media Accounts

55. Reduction of Paper Documents

PART VI – ELECTRONIC DATA

56. Electronic Data Governance across Government

57. Public Bodies and Electronic Data Governance

58. Data to be collected and stored in electronic form

59. Electronic Data Ownership

60. Electronic Data Integration

61. Electronic Data Management

62. Electronic Data Sharing

63. Electronic Data in Provinces and Districts

64. New Contracts relating to Electronic Data

PART VII – OFFENCES AND PENALTIES

65. Offences

66. Penalties

PART VIII – MISCELLANEOUS

67. Delegation


3

68. Committees

69. Immunity

70. Penalties not to affect other liabilities

71. Regulations

72. Standards, Specifications, Guidelines and Forms

73. Code of Practice Rules

74. Certain existing ICT contracts


4

No. ……of 2021.

A Bill

for

An Act

entitled

Government Digital Transformation Bill 2021

Being an Act relating to establishment of government ICT central coordinating agency,

electronic data, digital infrastructure, digital services and digital skill sets across whole of

government, and other aspects of digital government, and for related purposes,

MADE by the National Parliament to come into operation in accordance with a notice in the

National Gazette by the Head of State, acting with, and in accordance with, the advice of the

Minister.

PART I – PRELIMINARY

1. COMPLIANCE WITH CONSTITUTIONAL REQUIREMENTS

This Act, to the extent that it regulates or restricts a right or freedom referred to in

Subdivision III.3.C. (qualified rights) of the Constitution, namely -

(a) the right to freedom from arbitrary search and entry conferred by Section 44 of the

Constitution; and

(b) the right to freedom of expression conferred by Section 46 Constitution; and

(c) the right to freedom of employment conferred by Section 48 of the Constitution; and

(d) the right to privacy conferred by Section 49 of the Constitution; and

(e) the right to freedom of information conferred by Section 51 of the Constitution;

and


5

(f) the right to protection from unjust deprivation of property conferred by Section 53

of the Constitution,

is a law that is made for the purpose of giving effect to the public interest in public order,

public safety and public welfare.

2. PURPOSE

The purpose of this Act is to -

(a) give effect to the vision and goals of the Government to develop Papua New

Guinea into a smart, fair, wise, healthy and happy nation by enabling digital services

to propel a resilient digital economy; and

(b) provide an enabling legal framework to implement the Government’s digital

transformation policies and other ICT policies, including to -

(i) empower the Department to facilitate, oversee and promote digital government;

and

(ii) enable the development of electronic data governance across whole of

government; and

(iii) enable the re-engineering and design of government digital processes and

procedures; and

(iv) enable the integration of ICT systems across whole of government; and

(v) enable the provision of shared infrastructure as a service across whole of

government; and

(vi) enable the provision of the Government’s cyber security operations; and

(vii) enable the development of essential digital skill sets across government and the

non-government sector; and

(c) enable and facilitate the coordination of ICT development budget and projects

across whole of government; and

(d) enable the streamlining, planning and coordination of digital government, digital

services, digital infrastructure, ICT project funding and digital skills across whole of

government.

3. INTERPRETATION

In this Act, unless the contrary intention appears -

“application” means a distinct set of machine instructions interpretable and executable by a

computing device and designed to fulfil a particular purpose.

Commented [IK1]: Using the phrase “across whole of

government” as it appears to be the phrase used in various

policy documents with respect to Digital Transformation.


6

“application programming interface” means any software application or hardware

technology or combination of them designed to facilitate integration or interoperability of

two or more systems, and in this Act is also represented by the acronym ‘API’.

“Central Electronic Data Repository” means the Central Electronic Data Repository

established under Section 42.

“Code of Practice Rules” means a Code of Practice Rules developed under Section 73.

“critical digital infrastructure” has the meaning given by Section 34.

“Department” means the department responsible for information and communications

technology.

“digital government” means the use of ICT by government to deliver digital services.

“digital infrastructure” has the meaning given by Section 32.

“digital service” has the meaning given by Section 46.

“digital transformation officer”, in relation to a public body, means the person who has

oversight of, and is responsible for, ICT matters in a public body.

“electronic data” means data entered into an electronic device to be stored and shared using

digital infrastructure for the purposes of enabling the delivery of digital services.

“Electronic Data Register” means the Electronic Data Register established under Section

61.

“endpoint” means any internet capable device that communicates across a network, such as

laptops, telephones and personal computers.

“Government Cloud” means the Government Cloud established under Section 35.

“Government Digital Services Strategic Plan” means the Government Digital Services

Strategic Plan developed under Section 17.

“Government Private Network” means the Government Private Network referred to in

Section 36.

“ICT” means information and communications technology.

“ICT Incubation Centre” means an ICT Incubation Centres established under Section 20.

“integration” means connecting one or more systems so that data from one system can be

used by another to deliver digital services.

“interoperability” means the ability of different systems to communicate and exchange data

in real-time and use data that has been exchanged.


7

“JSC” means the Joint Strategic Centre established under Section 23.

“Minister” means the Minister administering the Department.

“Ministry” means the ministry responsible for information and communications technology

that the Minister is overseeing under the Primes Minister’s Determination of Titles and

Responsibilities.

“National e-Government Online Portal” means the National e-Government Online Portal


“National Strategic Electronic Data Bank” means the National Strategic Electronic Data

Bank referred to in Section 41.

“NCSC” means the National Cyber Security Centre referred to in Section 21.

“NEC” means the National Execution Council of the Government of Papua New Guinea.

“NICTA” means the National Information and Communications Technology Authority

established by the National Information and Communications Technology Authority Act

2009.

“public body” has the same meaning as governmental body in Sch. 1.2 of Part 2 of Schedule

1 of the Constitution.

“Public Service ICT Audit Committee” means the Public Service ICT Audit Committee


“Public Service ICT Steering Committee” means the Public Service ICT Steering

Committee established under Section 28.

“shared service” means the consolidation of digital infrastructure from public bodies into a

stand-alone digital infrastructure as an internal service for public bodies to use to provide

digital services.

“system” means an information technology set-up that has a defined procedure consisting of

hardware, software, data and people to produce a specific outcome.

4. NATIONAL INTEREST

(1) For the purposes of Section 41 of the Organic Law on Provincial Governments and

Local-level Governments, this Act relates to a matter of national interest.

(2) Pursuant to Subsection (1), national interest includes, but is not limited to -

(a) the storing of a public body’s baseline electronic data; and

(b) the use of systems, devices, equipment, apparatus, instruments, applications and

digital infrastructure by the government; and

(c) the sharing and access to government data and information across government.


8

5. ACT BINDS STATE AND APPLICATION TO PUBLIC BODIES

(1) This Act binds the State.

(2) This Act applies to all public bodies.

6. CERTAIN PROCEEDINGS AGAINST THE STATE AND PUBLIC BODIES NOT

ENFORCEABLE

(1) This Section applies to a legal proceeding for -

(a) a claim for payment, compensation, restitution or damages; or

(b) a declaration or any other form of equitable relief,

arising from the supply of digital infrastructure or digital services to the State or a public

body.

(2) A legal proceeding to which this Section applies is not enforceable in a court, unless the

supplier of the digital infrastructure or digital services has complied with this Act and the

regulations, standards and specifications made under this Act.

7. FUNCTIONS AND POWERS OF THE MINISTER

(1) The Minister is responsible for ICT policy oversight and development, and is to -

(a) provide leadership to government to facilitate the development of ICT policies and

legislation; and

(b) advise the NEC on ICT policies and legislation; and

(c) inform the NEC on ICT business matters affecting government; and

(d) issue directions to the Department and public bodies reporting to the Minister to

implement ICT policies, plans and legislation; and

(e) perform other functions as provided under this Act or any other law.

(2) The Minister has the power to -

(a) issue a national ICT policy directive to the Department consistent with this Act;

and

(b) direct the formulation, implementation and review of policies relating to the ICT

sector; and

(c) direct the formulation, implementation and review of a disaster preparedness plan

for the ICT sector; and


9

(d) direct the Department to develop policies relating to revenue generation,

procurement, standards and management of digital infrastructure and digital services;

and

(e) direct the Department to perform its functions as provided under this Act or any

other law.

(3) The Minister may, in consultation with the Department and any relevant public body

under the Ministry, issue written directions if -

(a) a state of emergency relating to ICT has been declared; and

(b) the Minister is satisfied that it is necessary to issue directions for the welfare and

safety of people affected by the emergency.

(4) To avoid doubt, this section does not limit the Minister’s powers or functions under any

other law.

8. MINISTER TO APPROVE CERTAIN NEW ICT

(1) This section applies to any new ICT that is proposed to be purchased by one or more

public bodies if the total investment value of the new ICT exceeds or is likely to exceed

K1,000,000.00.

(2) The Department must give the Minister a report, recommended by the Public ICT

Steering Committee, on the proposed purchase of any new ICT to which this Section applies

and the Minister must submit the report to the NEC.

(3) The Minister must, acting on the advice of the NEC, approve, subject to conditions (if

any), or reject the proposed purchase of the new ICT.

(4) A public body must not purchase any new ICT, unless the Minister has, acting on the

advice of the NEC, approved its purchase. The Minister may approve the purchase of the new

ICT subject to conditions.

(5) The Minister may, acting on the advice of the NEC reject the purchase of the new ICT if

the use of the new ICT poses a serious risk or threat to public health, safety, welfare or

security.

(6) Despite any licences, permits or approvals obtained under any other law, a rejection by

the Minister of the purchase of the new ICT automatically prohibits its use by a public body

by force of this Subsection.

(7) An approval or rejection comes into effect in accordance with a notice by the Minister

published in the National Gazette.

(8) The Department must publish any approval or rejection by the Minister.

Commented [IK2]: I don’t think this Section is necessary.

Commented [IK3]: Do we need to define what constitute

new ICT?

Commented [IK4]: National Procurement Act already

provides for procurement hence this Section is not necessary.

Also Section 30 of this Bill “Evaluation of certain ICT project

designs and contracts” suffices to address issues of new ICT

hence I recommend this entire Section 8 to be deleted. The

effect of this Section may create bottleneck to address

pressing issues requiring new technology implementation. If

any this Section would best fit into the functions of NICTA

and apply to all persons conducting business in the country.

Commented [IK5]: The initial idea was to give Minister

some general powers through an NEC Decision to approve,

set limit or ban use of certain ICT technology that would be

considered as posing serious risk or threat to public health,

safety, welfare or security of citizens in the country.


10

(9) If a person contravenes a rejection or a condition of an approval, the person commits an

offence and is liable on conviction to a penalty -

(a) in the case of an offence by a natural person, a fine not exceeding K20,000.00 or

imprisonment for a period not exceeding 5 years, or both; and

(b) in the case of an offence by a body corporate, a fine not exceeding K100,000.00.

9. MINISTER MAY ISSUE CERTAIN DIRECTIVES

(1) The Minister may, acting on the advice of the NEC, issue all or any of the following

directives to an internet service provider or any other person providing internet services -

(a) ban the use of a software application in Papua New Guinea that poses a serious

risk or threat to public health, safety, welfare or national security;

(b) if there is considered to be a serious risk or threat to public health, safety, welfare

or national security, to do all or any of the following-

(i) filter, restrict or ban websites;

(ii) monitor and control the content of websites;

(iii) control expressions on websites by blocking, keyword filtering, censoring or

suspending social media platforms;

(iv) lock access to specific internet protocol addresses.

(2) A directive comes into effect in accordance with a notice by the Minister published in the

National Gazette.

(3) The Department must publish on its website any directive.

(4) If a person fails to comply with a directive, the person commits an offence and is liable on

conviction to a penalty -

(a) in the case of an offence by a natural person, a fine not exceeding K20,000.00 and

imprisonment for a period not exceeding 5 years, or both; and


(5) The Head of Department may make guidelines for the purposes of Subsection (1).


11

PART II – INSTITUTIONAL ARRANGEMENTS

10. CHANGE OF NAME TO DEPARTMENT OF INFORMATION AND

COMMUNICATION TECHNOLOGY

(1) The name of the Department of Communication and Information (“DCI”) that existed

immediately before the commencement of this Act is changed to the Department of

Information and Communication Technology (“DICT”).

(2) The change of name takes effect on the commencement of this Act or on the date a

Gazettal Notice is published for name change, whichever comes first.

(3)Subject to subsection (2), a reference to the former name has effect as if it were a

reference to the new name -

(a) in any law; or

(b) in any contract to which the State is a party; or

(c) in any legal proceedings in which the State is a party.

(4) The Head of Department of the DCI remains the Head of Department of the DICT.

(5) Each employee of DCI remains an employee of the DICT.

(6) The terms and conditions of service of the Head of Department and those employees are

not altered by the change of name.

(7) The functions and powers of the DICT are not altered by the change of name.

11. DEPARTMENTAL HEAD

(1) The Head of Department is to be appointed and hold office for a term of 4 years or as

directed by Department responsible for personnel matters pursuant to the Public Services

(Management)Act 1995 and any other law relating to the appointment of a departmental head.

(2) Without prejudice to any other law, a person appointed as the Head of Department must -

(a) possess a minimum university qualification of a masters level degree in ICT,

management or equivalent; and

(b) have at least ten years’ experience in the field of ICT technical or policy matters;

and

(c) have last occupied a senior position, at a minimum level of First Assistant

Secretary or equivalent.

(3) For the purposes of this Section, the office of the Head of Department is an office to

which Part III, Division 2 (Leadership Code) of the Constitution applies.

Commented [IK6]: Our current status is before this proposed

Act takes effect, by and under an NEC directive DPM has

already approved Department’s name change to DICT from

DCI.


12

12. FUNCTIONS AND POWERS OF THE DEPARTMENTAL HEAD

(1) The Head of Department is responsible for -

(a) carrying out the functions and responsibilities of a departmental head under

Subsection 24(1) of the Public Services (Management) Act 1995 and any other law;

and

(b) the administration of this Act; and

(c) providing leadership and managing the Department in accordance with

government policies and the directions of the Minister; and

(d) advising the Minister on matters concerning ICT.

(2) The Head of Department has the powers conferred upon the office of a head of

department under the Public Services (Management) Act 1995, this Act or any other law.

(3) For the purposes of this Act, the Head of Department is the Chief State ICT Advisor to

the Government and is the ultimate source of ICT advice to the Government

13. DEPUTY SECRETARIES

(1) The Deputy Secretaries of the Department are to be employed under the Public Services

(Management) Act 1995 as contract officers of the Department.

(2) The Deputy Secretaries are to report to the Head of Department and perform all functions

directed by the Head of Department.

(3) For the general working and efficient conduct of the Department, the Head of Department

may assign to another officer within the Department any of the functions, duties or powers of

a Deputy Secretary, or a person occupying a position within the Department equivalent to

Deputy Secretary.

14. DEPARTMENT AS GOVERNMENT CENTRAL ICT COORDINATION

AGENCY

(1) The Department is the Government Central ICT Coordinating Agency which is

responsible for ICT matters for all public bodies.

(2) In discharging its functions as the Government Central ICT Coordinating Agency, the

Department must review any ICT project design or contract of a public body and make

recommendations to the department or public body responsible for project funding matters or

national procurement matters about the project design or contract.

(3) The Head of Department is deemed to be a member of any government sanctioned social

or economic inter-agency committee that deliberates on issues associated with or relating to

the delivery of digital services or ICT


13

(4) The Minister, acting on recommendation of the Department, must co-sponsor any

submission to the NEC made by another Minister if the submission relates to -

(a) the implementation of digital infrastructure; or

(b) a system; or

(c) the delivery of digital services.

15. FUNCTIONS OF THE DEPARTMENT

The Department has the following functions -

(a) develop, implement, monitor and evaluate ICT policies, plans and legislation for the

delivery of digital infrastructure and digital services, and the dissemination of

government information;

(b) co-ordinate the funding and delivery of whole-of-government digital

infrastructure and digital services platforms;

(c) support operations with agencies responsible for national intelligence and national

security to ensure cyber security and safety are maintained across whole of

government;

(d) oversee government ICT investments;

(e) provide policy guidance, assistance and awareness on government digital initiatives

and digital safety; and

(f) in relation to digital services -

(i) promote, develop and coordinate the delivery of quality digital services across

government;

(ii) advise the Minister on the implementation and sustainability of digital services;

(iii) facilitate public access to digital services;

(iv) promote, develop and coordinate quality shared digital infrastructure as a service

to enable the delivery of digital services;

(v) monitor and evaluate the delivery of digital services;

(vi) audit systems used to deliver digital services;

(g) promote and coordinate -

(i) ICT innovation policies and initiatives across whole government; and

(ii) digital government research across whole of government; and

(iii) the use of secured systems by public bodies;

(h) promote transparency and accountability through electronic connectivity;

(i) ensure integration and interoperability of public bodies’ systems;


14

(j) facilitate public bodies to access shared services;

(k) approve digital infrastructures for use by public bodies;

(l) undertake the following audits -

(i) audit the systems of public bodies and other private systems offering services to

public bodies;

(ii) audit the digital infrastructure of public bodies,

to ensure compliance by the public body with this Act and the regulations, standards

and specifications made under this Act;

(m) establish and maintain a whole-of-government register of systems, digital

infrastructure and digital services;

(n) conduct research on the benefits and risks of any new type of ICT that is proposed

to be used by a public body or in the country and make appropriate recommendations

to the Minister ;

(o) facilitate accessibility of ICT to persons with disabilities;

(p) collaborate with the department responsible for public service personnel matters

to retain skilled ICT personnel in the Department and in public bodies;

(q) provide administrative support and oversight to committees established under this

Act;

(r) such other functions conferred on the Department by this Act or any other law.

16. POWERS OF THE DEPARTMENT

For the purpose of performing its functions under this Act, the Department has the following

powers -

(a) to order a public body to give the Department physical or virtual access to a

system of the public body;

(b) to order a public body to cease using a private network that is not consistent with

this Act or the regulations, standards or specifications made under this Act;

(c) to order a public body to give the Department access to any source data of any

format from the public body;);

(d) to receive, investigate, respond to and publish complaints relating to digital

services provided by a public body;


15

(e) to stop or suspend the implementation of any ICT project, digital services project or

digital infrastructure project by a public body that is not in compliance with the

regulations, standards or specifications made under this Act;

(f) to direct any public body to -

(i) furnish any information or produce any record or document relating to ICT

projects, digital services or digital infrastructure; and

(ii) answer all relevant questions relating to digital government initiatives;

(g) to examine any records or documents of a public body relating to ICT projects,

digital services or digital infrastructure and take copies or extracts; and

(h) request any ICT professional or technical assistance from any appropriate body

within or outside Papua New Guinea.

17. GOVERNMENT DIGITAL SERVICES STRATEGIC PLAN

(1) The Department is to develop a Government Digital Services Strategic Plan to deliver

digital services.

(2) The Department must review and update the Government Digital Services Strategic Plan

every 5 years or as directed by the Minister.

(3) The Government Digital Services Strategic Plan is to be -

(a) reviewed by the Public Service ICT Steering Committee before the Department

finalises it; and

(b) circulated to all public bodies; and

(c) complied with by all public bodies.

(4) Each public body must conduct an annual self-assessment of its implementation of the

Government Digital Services Strategic Plan and submit the assessment to the Department on

or before the end of the year to which the assessment relates.

18. PUBLIC SECTOR ICT DEVELOPMENT PROJECTS FUNDING

(1) This Section applies to an ICT project proposed by a public body if the project requires -

(a) development budget funding from the government; or

(b) State guaranteed funding.

(2) An ICT project to which this Section applies must comply with the Government Digital

Services Strategic Plan or relevant ICT sector plan, the ICT policies of the government, and

the regulations, standards and specifications made under this Act.


16

(3) A public body proposing an ICT project to which this Section applies must obtain a

Certificate of Compliance from the Department from recommendation of the Public Service

ICT Steering Committee before submitting:-

(a) its work plan and cash flow plan to the department responsible for national

planning and development budget matters; or

(b) its proposal to the department responsible for issuing State Guarantee on project

funding.

(4) The Certificate of Compliance for a new ICT project is confirmation that the project

complies with Subsection (2).

(5) An ICT project to which this Section applies is deemed to form part of the National

Planning Framework under Section 4 of the Papua New Guinea Planning and Monitoring

Responsibility Act 2016 only if a Certificate of Compliance is obtained for the ICT project.

(6) If a proposal of a public body for an ICT project to which this Section applies does not

comply with any of the requirements of this Section, the proposal must not be considered for

development budget funding or State guaranteed funding.

19. DIGITAL TRANSFORMATION OFFICERS

(1) The digital transformation officer or officers of a public body must ensure that the public

body gives effect to the digital transformation initiatives of the government.

(2) Without limiting the functions of a digital transformation officer of a public body, the

officer must -

(a) take all actions and efforts necessary for the public body to implement the

Government Digital Services Strategic Plan and any ICT sector plans of the

government; and

(b) facilitate integration and interoperability of the systems of the public body; and

(c) ensure the public body complies with Subsection 57(1); and

(d) facilitate delivery of digital services by the public body; and

(e) manage the electronic data-value-cycle in the public body; and

(f) provide ICT reports and feedback on a regular basis to the Department or as

requested by the Head of Department.

20. ICT INCUBATION CENTRE

(1) The Department may provide technical and administrative support to a public body that

is responsible for administering ICT innovation and development entrepreneurial initiatives.

(2) Technical support may include, but is not limited to, providing assistance to -


17

(a) establish one or more ICT Incubation Centres or Centres (“the Centres”) referred

to by another name to promote digital innovation and digital skills; and

(b) establish one or more ICT innovation laboratories in the Department and, if

necessary, in other places to -

(i) promote innovation of ICT ideas in public bodies and by members of the public;

and

(ii) make innovation laboratories accessible to public bodies personnel for ICT

research, development and up-skilling; and

(c) promote access and use of ICT innovation laboratories; and

(d) recognize and reward innovative ICT ideas; and

(e) host the Centres to encourage and enable qualified persons to work on different

innovation initiatives and ICT entrepreneurship start-up concepts; and

(f) assess the enterprise probability of proposals intended to be developed in the

Centres; and

(g) recommend business advice, service and training to a public body or a person

responsible for conducting such training to the participants of the Centres; and

(h) promote incubation for small to medium enterprise growth in software

development, networking, data management, cyber security solution development,

digital surveillance and digital transformation.

(3) In the absence of a public body under Subsection (1), the Department may, on the

directive of the Minister, act as the public body responsible for administering ICT innovation

and development entrepreneurial initiatives.

(4) The Department and the State do not incur any liability for works undertaken and services

rendered under this Section.

(5) The Department may outsource the operation and management of a Centre referred to in

Subsections (2)(a) and (3) and the establishment of such a Centre does not prevent any person

from discharging similar functions under this Section.

21. NATIONAL CYBER SECURITY CENTRE

(1) On and after the commencement of this Act, the National Cyber Security Centre is to be

jointly operated by -

(a) the Department; and

(b) the department responsible for defence; and


18

(c) the department responsible for police; and

(d) the department responsible for justice; and

(e) the National Intelligence Office; and

(f) the department responsible for Prime Minister and NEC.

(2) The Department is to continue to provide administrative oversight of the NCSC.

(3) All assets, equipment, systems and apparatus used by the NCSC immediately before the

commencement of this Act are by force of this Subsection is transferred to the National

Government on that commencement.

22. FUNCTIONS OF NATIONAL CYBER SECURITY CENTRE

(1) The function of the National Cyber Security Centre is to conduct defensive cyber security

operations.

(2) Without limiting Subsection (1), the NCSC must do the following -

(a) promote a secured digital government environment;

(b) ensure government digital infrastructure contains appropriate security control

technologies;

(c) promote cyber resilience to ensure services that are essential for everyday life

remain effective and operational during cyber threats and attacks;

(d) investigate any breaches of cyber security and escalate security incidents to

appropriate authorities if necessary for their intervention;

(e) monitor and hunt cyber threats across networks and endpoints, and ensure that

threats attacking data and assets are contained and eliminated;

(f) provide its constituents with remote incident response and handling support;

(g) conduct audits on endpoint cyber security tracking and monitoring systems used by

public bodies;

(h) establish procedures for its constituents and other member organizations of

PNGCERT to report cyber-attacks or suspected cyber incidents;

(i) provide regular reports to its constituents;

(j) provide technical support to PNGCERT;

(k) recommend to the Head of Department for prosecution of relevant offences;


19

(l) perform other activities as directed in writing by the Head of Department following

consultation with the departments referred to in Subsection 21(1).

(3) In this Section -

“constituents” means a set of customers to which the NCSC provides services.

“PNGCERT” means the Papua New Guinea Computer Emergency Response Team.

23. JOINT STRATEGIC CENTRE

(1) The Department may establish a Joint Strategic Centre for the control and management of

a special situation.

(2) The person administering the JSC is to report to the Head of the Department.

(3) The JSC is to be jointly operated by the relevant public bodies in a special situation.

(4) The relevant public bodies are to share skills, technical resources and financial resources

to discharge the functions of the JSC under Section 24.

(5) The Department is to develop a Code of Practice to govern interagency collaboration for

the JSC. The Minister is to approve the Code of Practice acting on the advice of the Head of

Department.

(6) In this Section, each of the following is a “special situation” -

(a) a state of emergency;

(b) a national disaster;

(c) a public health emergency;

(d) unlawful social unrest, a strike or demonstration;

(e) a government organised or sanctioned international event;

(f) a situation that the NEC directs is a special situation.

(7) In this Section, a public body is a “relevant public body” for a special situation if the

NEC has directed that the public body respond to the special situation.

24. FUNCTIONS OF JOINT STRATEGIC CENTRE

The Joint Strategic Centre has the following functions -

(a) ensure interagency connectivity and resource sharing for emergency responses and

public safety;

(b) provide emergency systems or digital infrastructure as shared services;


20

(c) use software and hardware to provide facial recognition services, vehicle

recognition services and intelligent video recognition services;

(d) provide human behaviour analysis services for early detection of offences;

(e) provide services to eliminate information and communication silos across public

bodies;

(f) enable efficient collaboration amongst public bodies for data storage, data sharing,

analysis and dispatch to support policy decisions;

(g) otherwise enhance the control and management of any special situation referred to

in Subsection 24(6) and promote enforcement of any restrictions or other lawful

requirements made in response to the special situation.

25. PUBLIC SERVICE ICT AUDIT COMMITTEE

(1) The Public Service ICT Audit Committee is established.

(2) The Committee consists of -

(a) the Deputy Secretary in charge of digital matters of the Department or his or her

nominee; and

(b) a representative of the Auditor General’s Office nominated by the Auditor-

General; and

(c) a lawyer from the State Solicitor’s Office nominated by the State Solicitor; and

(d) a representative of the Papua New Guinea Information Systems Audit and Control

Association; and

(e) a person nominated by the Head of Department.

(3) The Head of Department is to determine the chairperson of the Committee.

(4) The Committee must meet if -

(a) the Head of Department considers it necessary that the Committee assess and

evaluate a public body’s use of a system against, regulations, standards and

specifications made under this Act; or

(b) the chairperson of the Committee considers it necessary for the efficient conduct

of the Committee’s business.

(5) The Committee is to regulate the conduct of proceedings at its meetings as it thinks fit.

(6) If the Head of Department considers it appropriate, the Department may discharge all or

any of the functions of the Committee without the need for the Committee to meet.


21

26. FUNCTIONS OF THE PUBLIC SERVICE ICT AUDIT COMMITTEE

(1) The Public Service ICT Audit Committee is to perform ICT audits on the systems of

public bodies and has such other functions as are set out in the Committee’s terms of

reference that is to be prescribed by the Head of Department.

(2) In conducting an ICT audit, the Committee may evaluate the systems of a public body by

-

(a) reviewing all or any of the following -

(i) the ICT organizational structure of the public body;

(ii) its internal ICT policies and procedures;

(iii) the public body’s compliance with this Act and the regulations, standards and

specifications made under this Act;

(iv) ICT documentation and ICT projects of the public body;

(b) interviewing the appropriate ICT personnel of the public body ; and

(c) conducting such other audit activities as directed by the Head of Department.

(3) Within 4 weeks after completing an audit, the Committee is to report its findings to the

Department.

27. DEEMED GOVERNMENT PRIORITIES FOR UAS FUNDING

(1) For the purposes of Sections 90 and 98 of the National Information and Communications

Technology Authority Act 2009, digital government and ICT Incubation Centres are deemed

to be -

(a) priorities of the government for utilisation of the Universal Access and Service

Fund; and

(b) approved UAS Projects that will encourage the development of ICT or digital

infrastructure and improve availability of ICT or digital services.

(2) The Minister by force of this Section is deemed to have informed the UAS Board and

NICTA of the matters in Paragraphs (1)(a) and (b).

(3) Despite any other law, an amount calculated in accordance with an annual percentage of

the Universal Access and Service Fund determined under Subsection (4) must be used to -

(a) expand and maintain digital government, digital infrastructure and digital

services; and

(b) fund programs and projects of any ICT Incubation Centre.


22

(4) The UAS Board is to meet annually and determine the annual percentage referred to in

Subsection (3) which must not exceed 25% of the Universal Access and Service Fund.

(5) In this Section, “UAS Board”, “UAS Project” and “Universal Access and Service

Fund” have the same meaning as in the National Information and Communications

Technology Authority Act 2009.


23

PART III – PUBLIC SERVICE ICT STEERING COMMITTEE

28. PUBLIC SERVICE ICT STEERING COMMITTEE

(1) The Public Service ICT Steering Committee is established.

(2) The Committee consists of the Head of Department or his or her nominee, and the digital

transformation officer of each public body or his or her nominee.

(3) The Head of Department or his or her nominee is the chairperson of the Committee.

(4) The chairperson may, acting on the advice of the Committee, make reports and

recommendations to the Minister.

(5) A member of the Committee is to perform his or her functions as part of his or her

contractual duties to the Public Service and the State.

(6) Despite Subsection (5), the Department may pay meeting allowances to members of the

Committee as determined in writing by the Head of Department.

29. FUNCTIONS OF THE PUBLIC SERVICE ICT STEERING COMMITTEE

The functions of the Public Service ICT Steering Committee are to -

(a) facilitate the formulation, implementation and review of the Government Digital

Services Strategic Plan across all public bodies; and

(b) serve as a government forum for awareness on ICT policies, laws, programs and

projects in relation to public bodies; and

(c) assist the Department to identify and evaluate public bodies’ digital infrastructure

and digital government programs and projects; and

(d) assist the Department to identify ICT policy gaps and make recommendations to

address them; and

(e) give effect to ICT policy directions of the government.

30. EVALUATION OF CERTAIN ICT PROJECT DESIGNS AND CONTRACTS

(1) If a public body intends in any fiscal year to -

(a) undertake one or more ICT project designs with a total value exceeding

K500,000.00, or

(b) enter into one or more ICT contracts with a total value exceeding K500,000.00 ,

the Public Service ICT Steering Committee must evaluate the designs or contracts and make

recommendations to the Department to approve, subject to conditions (if any), or reject the

designs or contracts.


24

(2) The Department may, on receipt of a recommendation for approval from the Committee,

issue a Certificate of Compliance consistent with Section 18.

(3) If the Department rejects a recommendation of the Committee, the Department must,

within 10 working days after the date of rejection, provide written notice to the public body

concerned.

(4) The decision of the Department to approve or reject a recommendation is final.

(5) However, nothing in this Section prevents or limits a person from applying to a court for

judicial review of a decision of the Department.

31. MEETINGS OF THE PUBLIC SERVICE ICT STEERING COMMITTEE

(1) The Public Service ICT Steering Committee is to meet quarterly or at such other times as

the chairperson of the Committee determines.

(2) A quorum for a meeting of the Committee is 5 members.

(3) Prior to a meeting of the Committee, the Department must send an invitation through

authenticated electronic means to all members of the Committee and attach with it the

meeting agenda or by a written notice or both.

(4) An officer of the Department or a member of the Committee must keep minutes,

resolutions and action items of the meeting.

(5) The chairperson of the Committee must send to all members approved meeting minutes,

resolutions and action items, not later than 28 days after the day the meeting was held.

(6) Subject to this Section, the Committee is to regulate the conduct of proceedings at its

meetings as it thinks fit.

Commented [IK7]: Section 18(4) is sufficient for this

purposes hence it is not necessary to repeat here.


25

PART IV – DIGITAL INFRASTRUCTURE

32. DIGITAL INFRASTRUCTURE

(1) “Digital infrastructure” is any physical or virtual system or resource used by a public

body to deliver digital services and includes, but is not limited to the following -

(a) the Central Electronic Data Repository;

(b) the National Strategic Electronic Data Bank referred to in Subsection (2);

(c) data registers;

(d) ICT platforms;

(e) cloud infrastructure;

(f) the Government Cloud;

(g) the Government Private Network and other networks;

(h) systems;

(i) software applications;

(j) APIs and integration;

(k) endpoint devices;

(l) internet exchange points;

(m) servers, routers and modems enabling system connectivity of virtual private

networks and wireless by-pass links;

(n) telecommunication infrastructures such as broadband, satellite connectivity, radio

links, optic fiber, dark fiber, copper cables and all other related systems

(2) The National Strategic Electronic Data Bank is to consists of -

(a) the Central Electronic Data Repository; and

(b) the National Cyber Security Centre; and

(c) the Joint Strategic Communication Command and Control Centre; and

(d) any other data server of a public body that uses the building referred to in

Subsection (3); and

(e) all associated core infrastructure pertaining to Paragraphs (a), (b) and (c).


26

(3) The National Strategic Electronic Data Bank is to be located in a building owned or

leased by the Department.

33. USE OF DIGITAL INFRASTRUCTURE

(1) All public bodies must use digital infrastructure that is consistent with the regulations,

standards and specifications made under this Act.

(2) The Head of Department must issue application programming interface standards for

different digital infrastructure levels, application level, network level and server level to

govern the flow of government electronic data.

(3) For the purpose of ensuring cost effectiveness and ICT readiness, the construction of any

public infrastructure, such as roads, ports, buildings and electrical cables, must give due

consideration to include digital infrastructure as part of the project design.

(4) The person designing or constructing any public infrastructure must -

(a) share with the Department all relevant ICT designs and ICT specifications; and

(b) provide to the Department all necessary and relevant assistance for installation of

digital infrastructure.

(5) The cost of the installation of any digital infrastructure is deemed to be part of the project

costs for a public infrastructure project and, despite any other law, the government must not

impose in relation to the digital infrastructure any regulatory fees or charges in addition to

those imposed in relation to the infrastructure project as a whole.

(6) If -

(a) a new road is intended to be constructed in a city or an urban town area, the person

constructing the road must give due consideration to install dark fiber along the

proposed road; and

(b) new electrical cables are intended to be constructed for electricity supply in a city

or an urban town area, the person constructing the electrical cables must give due

consideration to install dark fiber along the proposed electrical cables.

34. CRITICAL DIGITAL INFRASTRUCTURE

(1) “Critical digital infrastructure” is digital infrastructure operated and owned by the State

that is essential for the functioning of the government, the economy and the society as whole.

(2) Critical digital infrastructure includes, but is not limited to, the following -

(a) the Government’s virtual and physical private network;

(b) the National Strategic Electronic Data Bank;

(c) the Central Electronic Data Repository;


27

(d) the Electronic Data Registry;

(e) the Government Private Network;

(f) the Government Cloud.

(g) the Government Secured Infomration Excahnge Platform

(h) Government Data Traffic Prioritization Algorithms

(3 The Minister may in writing designate other digital infrastructure as critical digital

infrastructure.

(4) Critical digital infrastructure is under the control of the State through the Department.

(5) Critical digital infrastructure must not be installed, changed, reconstructed, replaced,

repurposed or removed unless the Minister directs in writing in accordance with a NEC

decision.

35. GOVERNMENT CLOUD

(1) The Department must establish a Government Cloud Infrastructure for virtual networks

connectivity of all public bodies.

(2) All virtual private networks of public bodies that use a cloud infrastructure must operate

within the Government Cloud.

(3) The Head of Department must notify the Public Service ICT Steering Committee of the

date on which the Government Cloud is established.

(4) All public bodies using public cloud space for virtual private network connectivity have

one year from the date of establishment of the Government Cloud as notified under

Subsection (3) to migrate their services into the Government Cloud.

(5) Subject to Subsection (4), if a person operates a government sanctioned virtual private

network outside of the Government Cloud, the person commits an offence and is liable on

conviction to -

(a) in the case of an offence by a natural person, a fine not exceeding K100,000.00

and imprisonment for a period not exceeding 5 years, or both; and


(7) To avoid doubt, the imposition of a penalty under Subsection (5) in the case of an offence

by an officer of a public body, does not prevent disciplinary action being taken against the

officer.

Commented [IK8]: Can we use “a” instead of “the” since

there are several virtual private networks

Commented [IK9]: Subsection (2) is sufficient to cover

intent of deleted subsection (3)


28

36. GOVERNMENT PRIVATE NETWORK

(1) There is a Government Private Network that is part of digital infrastructure and it consists

of -

(a) one or more data centres; and

(b) physical and virtual networks connectivity operated by the Department or a public

body approved by the Department.

(2) For the purpose of ensuring that the Government reduces costs and optimises the use of

digital infrastructure, all public bodies must use the Government Private Network or an

alternative network approved under Section 38.

(3) The Government Private Network is to -

(a) host the Central Electronic Data Repository; and

(b) host various types of shared services, including digital infrastructure and software

as services to enhance network connectivity and electronic data sharing amongst

public bodies; and

(c) be managed by the Department or a public body approved by the Department in

compliance with this Act and the regulations, standards and specifications made under

this Act.

37. DATA TRAFFIC PRIORITIZATION IF GOVERNMENT PRIVATE NETWORK

NOT AVAILABLE

(1) If the Government Private Network is not available to a public body, the Department may,

in consultation with a network operator providing network services to the public body,

deploy and operate data traffic prioritization network algorithms on the operator’s network.

(2) The purpose of operating data traffic prioritization network algorithms on an ICT network

is to -

(a) enable the classification of data traffic passing through the ICT network to deliver

quality of service for prioritized data traffic of a public body; and

(b) improve the quality of service provided to the public body by enabling

prioritization of data traffic during periods of network congestion and in areas where

the network infrastructure suppresses delivery of data; and

(c) improve the quality of service to the public body by shaping or constructing

efficient routing or data flows in the ICT network for digital service delivery; and

(d) improve other quality of services with respect to data flows within the ICT

network for the public body.


29

(3) In this Section, a “data traffic prioritization network algorithm” is a computer program

or computer instruction used to solve and manage data flows or efficient routing of data

traffic.

38. ALTERNATIVE NETWORKS TO THE GOVERNMENT PRIVATE NETWORK

(1) A public body that wishes to use an alternate network to the Government Private Network

must make a written request to the Department.

(2) On receipt of a request, the Department must refer the request to the Public Service ICT

Steering Committee for consideration and the Committee must advise the Head of

Department.

(3) The Head of Department, subject to conditions specified by him or her, must on

recommendations of the Public Service ICT Steering Committee, reject or approve the

request in Subsection (2).. .

(4) The decision of the Head of Department is final.

(5) However, nothing in this Section prevents or limits a person from applying to a court to

seek judicial review of a decision of the Head of Department.

(6) A private network of a public body in operation immediately before the commencement

of this Act, is, on that commencement, deemed by the Department to be an approved private

network, unless -

(a) the Head of Department acting on the advice of the Public Service ICT Steering

Committee considers the private network does not comply with this Act; and

(b) the Head of Department issues, within 30 days after the day the Department first

considers the private network none complaint under paragraph (a), a written directive

to the public body hosting the network to comply with this Act.

39. REDUNDANCY REQUIREMENTS FOR GOVERNMENT PRIVATE NETWORK

(1) In addition to the main data centre for the Government Private Network, the Department

must have at minimum two other data centres, physical or virtual, to facilitate redundancies

for the Government Private Network.

(2) Each of the additional data centres must have -

(a) a daily synchronization with the main data centre in the Government Private

Network; and

(b) the full protection of the National Cyber Security Centre firewall; and

(c) a transmitter connecting the centre to the main data centre in the Government

Private Network.


30

40. LOCALISING CLOUD INFRASTRUCTURE FOR GOVERNMENT PRIVATE

NETWORK.

(1) The Department must investigate the means of building a Government Private Cloud

Infrastructure as part of the Government Private Network for data governance and delivery of

digital services.

(2) Subject to an NEC decision, the investigations are to include -

(a) approval for the investigation for hosting a Government Private Cloud

Infrastructure; and

(b) specification of the time period to commence investigation to recommend the

feasibility of the proposal; and

(c) allocation of funding support to commence the investigation.

(3) The electronic data of public bodies must be stored and secured on systems and servers in

the Private Government Cloud Infrastructure within one year, or such longer period as is

determined by the Head of Department, after the date the Private Government Cloud

Infrastructure is commissioned by the Department as fully functional.

(4) Subject to Subsection (5), the Private Government Cloud Infrastructure is to be located in

Papua New Guinea.

(5) A public body may store its electronic data on a server outside of Papua New Guinea if -

(a) it will contribute to the efficient functioning of the public body; and

(b) the Department has given its written approval to the public body for storage

outside of Papua New Guinea.

41. NATIONAL STRATEGIC ELECTRONIC DATA BANK DESIGN

(1) The National Strategic Electronic Data Bank must have digitally high security systems of

international standards acceptable to the Department.

(2) Entry and exit access to the National Strategic Electronic Data Bank must be

authenticated by at least 3 digital security systems, but not exceeding 5 security checkpoints.

(3) The Head of Department must in writing prescribe security standards, specifications and

rules for entry and exit access of the National Strategic Electronic Data Bank.

(4) The Department must initiate the design of the National Strategic Electronic Data Bank

and approve the final digital security architectural design.


31

(5) The design of the National Strategic Electronic Data Bank is classified at the level of

‘restricted top secret’ and is accessible only by persons authorised by the Head of

Department.

(6) The Department must provide general oversight on the capital financing and construction

of the National Strategic Electronic Data Bank.

(7) A person must not conduct other business in the National Strategic Electronic Data Bank,

unless the Head of Department gives his or her written approval.

42. CENTRAL ELECTRONIC DATA REPOSITORY

(1) The Central Electronic Data Repository for all public bodies is established and is to be

managed by the Department.

(2) The purpose of the Central Electronic Data Repository is to be the official storage server

to backup electronic data of public bodies and provide safety against potential unforeseen

events that may cause data loss to public bodies.

(3) The Central Electronic Data Repository consists of -

(a) a physical data repository in the data centre referred to in Section 39; and

(b) other virtual data repositories;

that are synchronised and operating as one data storage sever for compulsory backup or

redundant data storage for all public bodies.

(4) The Central Electronic Data Repository must -

(a) contain the following servers -

(i) an active operational software and hardware sever;

(ii) a storage software and hardware sever;

(iii) a system processing software and hardware sever; and

(b) provide the full protection of the National Cyber Security Centre firewall.

(5) A public body that stores its data by an electronic means in its own in-house server or

through the use of a system must also have its electronic data backed up and managed in the

Central Electronic Data Repository as a redundancy.

(6) The Department must endeavour to have two separate replicas of the Central Electronic

Data Repository and each replica is to be located in a different province.

(7) Each replica site of the Central Electronic Data Repository must have -

(a) a daily synchronization with the main Central Electronic Data Repository; and


32

(b) the full protection of the National Cyber Security Centre firewall; and

(c) a transmitter connecting the sites to the main Central Electronic Data Repository in

the National Strategic Electronic Data Bank.

(8) A public body must comply with the electronic data management, regulations, standards

and specifications made under this Act.

43. ACCESS TO CENTRAL ELECTRONIC DATA REPOSITORY

(1) For the purpose of this Section, access to the Central Electronic Data Repository is access

to different sections of the physical and virtual database servers and consists of -

(a) physical access to the National Strategic Electronic Data Bank; and

(b) physical access to the holding vault of the main Central Electronic Data

Repository; and

(c) physical and virtual access to the active operating system of the Central Electronic

Data Repository.

(2) A person must not access any electronic data stored as backup in the Central Electronic

Data Repository, unless -

(a) the public body that first collected, generated, stored and secured the electronic

data, by a written notice to the Department, grants written permission; and

(b) in the case of personal data of an individual, in addition to written permission

under Paragraph (a), the individual has given his or her written consent.

(3) The written permission referred to in Paragraph (2)(a) must specify -

(a) the reasons for granting access; and

(b) the type of electronic data that will be accessed or shared; and

(c) the time period allowed for the electronic data access; and

(d) the applicable standards to be observed; and

(e) all other criteria that the person requesting access needs to observe.

(4) If access to electronic data is granted under Subsection (2) to a person, the electronic data

must be made available only to that person and the public body granting the permission.

(5) If electronic data stored in the Central Electronic Data Repository is classified under

Subsection 57(2) as restricted top secret data or confidential data, the Head of Department

may prescribe additional requirements for access to such data and restrictions on how that

data may be used.


33

(6) Physical access to the Central Electronic Data Repository by any person must comply

with security standards, specifications and rules made under this Act.

(7) If a person who suffers loss or damages directly as a result of a contravention of this

Section, the person has a civil right of action for relief.

(8) To avoid doubt, nothing in this Section prevents or limits an individual from accessing his

or her personal data stored in the Central Electronic Data Repository if he or she has obtained

written permission from the public body under Paragraph (2)(a).

44. SECURED INFORMATION EXCHANGE PLATFORM

(1) For the purpose of public bodies providing digital services and making digital services

accessible, the Department is responsible for providing digital identity verification and

authentication services through a digital verification and authentication exchange platform.

(2) For the purposes of Subsection (1), the Department must -

(a) develop, operate and maintain a digital verification and authentication exchange

platform to facilitate use of digital identity providers; or

(b) supervise and contract out digital identity verification and authentication services

to a person qualified to provide such services.

(3) Closed APIs and, if appropriate in the circumstances, hybrid APIs must be used to

facilitate data exchange for digital identity verification and authentication services.

(4) The digital verification and authentication exchange platform must comply with

regulations, standards and specifications made under this Act.

45. PHYSICAL SECURITY SURVEILLANCE AND MONITORING USING

DIGITAL TECHNOLOGY

(1) Without prejudice to any other law, if a person uses or proposes to use digital

infrastructure or ICT to provide static, aerial or underwater physical security surveillance and

monitoring services to the premises or property of a public body, the person must

comply with the standards and specifications made under this Act.

(2) A person providing services referred to in Subsection (1) to a public body must, upon

request by the public body, make available to the public body data in electronic form

collected by the person under that Subsection.

(3) The Department or body responsible for national security matters may, on reasonable

suspicion of a digital security breach, request -

(a) a person providing services referred to in Subsection (1) to a public body; or

(b) the public body to which such services are provided,


34

to provide access to electronic data collected.

(4) The person or public body to which a request is made must, as soon as practicable,

comply with the request.

(5) For the purposes of Subsection (1), physical security surveillance and monitoring services

using digital infrastructure or ICT includes the following -

(a) static and mobile cameras;

(b) aerial drones;

(c) underwater drones;

(d) geographical positioning hardware and software;

(e) all other ICT instruments, equipment and apparatus capable of being used to

conduct physical area security surveillance to collect electronic data.

(6) The Department must back up digital electronic data made available under Subjection (4)

in the Central Electronic Data Repository.


35

PART V - DIGITAL SERVICES AND RELATED MATTERS

46. DIGITAL SERVICES

(1) “Digital services” are internet enabled services that are delivered and accessed using

digital infrastructure.

(2) Public bodies may provide digital services through all or any of the following internet and

shared services -

(a) online applications;

(b) online registrations;

(c) online reporting;

(d) online monitoring and evaluation;

(e) online payments;

(f) renewals;

(g) any other services delivered or accessed using the Internet or a system .

47. PROVISION OF DIGITAL SERVICES AND MAKING DIGITAL SERVICES

ACCESSIBLE

(1) Despite any other law, if a public body is required to provide a service, the public body

may provide the service, and make the service accessible, as a digital service and deal with

any data, information or documents relating to the service in electronic form.

(2) The Department may consult with public bodies before regulations, standards,

specifications and guidelines are made under this Act for providing digital services or making

digital services accessible.

(3) A public body in providing a digital service or making a digital service accessible must

comply with this Act and the regulations, standards and specifications made under this Act.

(4) A public body in providing digital services or making digital services accessible must -

(a) use one or more appropriate systems; and

(b) use open APIs, closed APIs or hybrid APIs appropriate in the

circumstances; and

(c) ensure its business processes enhance digital services; and

(d) ensure availability of digital services that are reliable, open and

interoperable; and


36

(e) use appropriate channels, documentation and languages, both spoken

and sign, and use audible instructions if necessary; and

(f) ensure accessibility to people with disabilities and people with limited

access to electronic services; and

(g) ensure audio and video formats are captioned for people with

disabilities; and

(h) ensure adequate system support for all users; and

(i) maintain and promote integrated, interoperable and transparent and

accountable systems; and

(j) ensure a business process that facilitates revenue generation and is

automated and integrated with electronic payment systems.

(5) A public body may provide a digital service or make a digital service accessible in one or

more of the following forms -

(a) word document soft copy form;

(b) photographic image that is accurately described in the alternative text of a

document, website, or other online or electronic location and provided in a soft copy

form;

(c) digital audio or video form that is captioned and accessible to people with

disabilities;

(d) any other electronic form or expression easily accessible by people with

disabilities;

(e) any other sign, signal or expression in soft copy.

48. DIGITAL SERVICES FOR EXPANDING FINANCIAL INCLUSION

(1) The Department must collaborate with licensed financial institutions, businesses and other

stakeholders to expand opportunities that will -

(a) provide access to digital financial services, including for people with disabilities;

and

(b) enable the expansion of financial inclusion in Papua New Guinea.

(2) Without limiting any other law -

(a) digital financial services must be provided using safe and secure programming

interface technology, APIs, eKYC and blockchain consistent with standards approved

by the Central Bank of Papua New Guinea; and


37

(b) closed APIs and, in appropriate cases, hybrid APIs must be used to provide

confidential financial transaction services for the purposes of digital financial

services; and

(c) open APIs must not be used for the provision of digital financial services.

(3) Digital financial services include the following -

(a) digital banking;

(b) online loan applications;

(c) online bill payments;

(d) electronic money transfers;

(e) mobile payments;

(f) e-wallet;

(g) electronic insurance applications;

(h) online company and business name registration;

(i) online tax returns;

(j) other online financial services.

(4) The Department must, in consultation with the Central Bank of Papua New Guinea,

develop a Digital Financial Inclusion Service Code of Practice Rules to guide the working

relationship between the Department and licensed financial institutions, businesses and other

stakeholders for the provision of digital financial services.

(5) In this Section, “eKYC” means electronic-know-your-customer software application used

by a person carrying on a business of providing digital financial services to enable effective

online transactions.

49. NATIONAL E-GOVERNMENT ONLINE PORTAL

(1) The National e-Government Online Portal is established.

(2) The Department is responsible for designing, developing, operating and maintaining a

central ‘one-stop-shop’ platform for public bodies to deliver digital services through the

National e-Government Online Portal.

(3) The National e-Government Online Portal must -

(a) facilitate a centralized approach and provide seamless access to all digital services;

and


38

(b) facilitate sharing of data amongst public bodies’ systems to deliver digital services

in an effective manner; and

(c) provide shared digital services to public bodies; and

(d) maintain a secured information exchange system as a shared digital service.

50. OPEN DATA

(1) “Open data” refers to data that any person can access, use and share.

(2) The Department must create a place on the National e-Government Online Portal to host

open data and ensure that open data is stored in easily readable formats and is publicly

accessible consistent with the government’s open data principles.

(3) The Department must develop -

(a) a whole of government approach to the generation, collection, processing, storage,

usage and sharing of open data; and

(b) in consultation with public bodies, the government’s open data principles setting

out a series of practices to guide public bodies on how to leverage the value of open

data across whole of government.

(4) In developing the government’s open data principles, the Department is to have regard to

the following -

(a) make non-sensitive data open by default to contribute to greater innovation and

productivity improvements across all sectors of the economy;

(b) where possible, make data available with free, easy to use, high quality and

reliable application programming interfaces;

(c) make high-value data available for use by the public, industry and academia, in a

manner that is enduring and frequently updated using high quality standards;

(d) where possible, ensure non-sensitive publicly funded research data is made open

for use and reuse;

(e) only charge for specialised data services;

(f) build partnerships with the public, private and research sectors to build collective

expertise and to find new ways to leverage open data for social and economic benefit;

(g) securely share data between public bodies to improve efficiencies, and inform

policy development and decision-making;

(h) engage openly with local and provincial governments to share and integrate data

to inform matters of importance to each jurisdiction and at the national level;


39

(i) uphold the highest standards of security and privacy for individuals, national

security and commercial confidentiality;

(j) ensure all new systems support discoverability, interoperability, data and

information accessibility and cost-effective access to facilitate access to data.

(5) Public bodies in making open data accessible must have regard to the following -

(a) data is to be easily discoverable and available;

(b) data is to be in a machine-readable, spatially-enabled format;

(c) public bodies are to use high quality, easy to use and freely available API access;

(d) data is to contain descriptive information about what is included in the data;

(e) data is to be kept up to date in an automated way.

(6) The Head of Department may make regulations, standards and specifications relating to

open data for the purposes of this Act.

(7) Public bodies in generating, collecting, processing, storing, using and sharing open data

must comply with the regulations, standards and specifications made under this Act.

51. SHARED SERVICES

(1) For the purpose of public bodies providing digital services and making digital services

accessible, shared services managed by the Department or any public body may consist of -

(a) shared services from the cloud infrastructure; or

(b) shared services from any digital infrastructure; or

(c) shared services amongst one or more departments or public bodies.

(2) For the purpose of Subsection (1), shared services from -

(a) cloud infrastructure are digital services from one web hosting server used to host

multiple clients with multiple websites or web applications; and

(b) digital infrastructure are ICT support skill resources and physical digital

infrastructure resources.

(3) A public body hosting and using shared services is responsible for its local digital

infrastructure within the government cloud infrastructure.

(4) The Department must focus on core shared services that include digital infrastructure

managed and controlled through ICT support resources of the Department.


40

(5) The Head of Department may in writing declare a digital infrastructure to be a shared

service for all public bodies.

(6) Upon declaration of a shared service, all public bodies must be given a reasonable

timeframe determined by the Department to commence use of the shared service.

(7) Before the declaration of a shared service, the Department may undertake an assessment

to ensure the proposed shared service -

(a) enables public bodies to focus on their core duties; and

(b) achieves lower cost and economies of scale; and

(c) improves user experience; and

(d) reduces technology footprint, maintenance and security vulnerability; and

(e) addresses legacy system issues; and

(f) satisfies other criteria determined by the Department.

(8) A public body must not develop, maintain or use any service that is determined by the

Department to be -

(a) standalone to a declared shared service; or

(b) a duplicate of, or similar to, a declared shared service.

(9) Shared services must comply with the regulatins, standards, specifications and Code of

Practice Rules made under this Act.

52. GOVERNMENT DOMAIN

(1) The government domain is a domain name ending in .gov.pg.

(2) The Department is to provide policy oversight and may manage the government domain

ending in .gov.pg.

(3) All public bodies must use the government domain ending in .gov.pg for official

purposes.

(4) The Department may outsource the registration and management of government domain

names to a person qualified to manage domain name services.

(5) The Department must establish a register of government domain names of public bodies

and keep it up to date.

53. GOVERNMENT EMAILS AND WEBSITES

(1) A public body must use the government domain ending in .gov.pg -


41

(a) as the public body’s email domain and any such email is an official email of the

public body; and

(b) as the public body’s website domain and any such website is an official website of

the public body.

(2) If, on the commencement of this Act, a public body does not have a website, the public

body must publish online its website or websites within 2 years after the commencement of

this Act.

(3) If a public body uses -

(a) an email domain that is not the government domain ending in .gov.pg, any such

email is not an official email of the public body; and

(b)a website domain that is not the government domain ending in .gov.pg, any such

website is not an official website of the public body;

unless the head of the public body approves otherwise.

(4) The Department is to regulate the websites of public bodies through standards, guidelines


(5) An official website of a public body must -

(a) comply with the standards and specifications made under this Act; and

(b) contain functional links of other relevant public bodies located on a place

approved by the Department on the website; and

(c) use text format approved by the Department; and

(d) contain correct information about the organizational structure of the public body;

and

(e) ensure access to the webpage is mobile device friendly; and

(f) be certified by the Department or by a person specialising in the field of digital

accessibility, recommended by the Department; and

(g) ensure videos or multimedia files uploaded and available on the website are

captioned and accessible to people with disabilities; and

(h) include information for public consumption on the organization, structure, mission

and legal mandate of the public body; and

(i) contain links to information about -

(i) the public body’s strategic plan and annual performance plan; and


42

(ii) its privacy policy page; and

(iii) its point of contact; and

(iv) its open data; and

(j) be easy to navigate to obtain relevant information.

(6) Digital content and products that are developed, maintained or owned by a public body

must be accessible on an official website of the public body, and may include all or any of the

following -

(a) digital services;

(b) sector specific guidance that aligns with a government policy intent linked to user

needs;

(c) policies and consultations documents for good governance;

(d) published guides on laws and regulations;

(e) information on government services;

(f) information on business opportunities;

(g) awareness-raising campaigns and templates.

(7) The Department must physically or virtually remove from the Internet a public body’s

website that does not comply with this Section.

(8) Before taking action under Subsection (7), the Department must give the public body at

least 60 days to rectify the website.

(9) If a person in his or her official capacity for or on behalf of a public body uses an email

address that does not end with the government domain ending in .gov.pg, the person commits

an offence and is liable on conviction to a fine not exceeding K10,000.00 and imprisonment

for a period not exceeding 12 months, or both.

(10) To avoid doubt, the imposition of a penalty under Subsection (9) in the case of an

offence by an officer of, or other person working for, a public body, does not prevent

disciplinary action being taken against the officer or other person.

(11) If the head of a public body fails to comply with Subsection (2), disciplinary action must

be taken against the head of the public body.

(12) In the event it is practically impossible to use government email domain by a public

body to communicate government business, a wriiten permission must be issued by the

Department:


43

(a) specifying the period the none government email doimain is to be used; and (b) the email domain name to be use.

54. GOVERNMENT SOCIAL MEDIA ACCOUNTS

(1) If a public body intends to use a social media account, the public body must advise the

Department of the account details, including the reasons the public body is using the account

and the proposed time period for its use.

(2) The Department is to regulate the social media accounts of public bodies through

standards, guidelines and specifications made under this Act.

(3) The Department must facilitate the coordination, standardization and streamlining of

official government information disseminated on the social media accounts of public bodies.

(4) Content published on social media accounts of public bodies is deemed to be official

government information and must be digitally archived.

(5) The Department must establish a register of social media accounts of public bodies and

keep it up to date.

(6) The Department must physically or virtually remove from the Internet any social media

account of a public body that does not comply with any of the standards or specifications

made under this Act.

(7) Before taking action under Subsection (6), the Department must give the public body 90

days to rectify the social media account.

(8) If, immediately before the commencement of this Act, a public body is using a social

media account, the public body must advise the Department of the details of the account.

55. REDUCTION OF PAPER DOCUMENTS

Public bodies must -

(a) endeavour to reduce the paper documents that they have acquired, prepared,

circulated or preserved by digitizing their work processes; and

(b) make necessary efforts to reduce reliance on the use of paper documents by

sharing administrative information amongst public bodies through the use of systems

and shared services; and

(c) aim to reduce public expenditure on the use of paper documents.


44


45

PART VI – ELECTRONIC DATA

56. ELECTRONIC DATA GOVERNANCE ACROSS GOVERNMENT

(1) The Department is responsible for electronic data governance across government by -

(a) building capacity for the implementation of electronic data governance measures

across government; and

(b) providing oversight on electronic data infrastructure, such as data registry, data

lakes, APIs, cloud based solutions and other infrastructure related to electronic data

governance; and

(c) managing electronic data architecture, including interoperability, integration,

reference data, schematics and relationship; and

(d) managing data-value cycles; and

(e) monitoring and evaluating the generation, collection, processing, storage, use and

sharing of electronic data by public bodies; and

(f) making regulations, standards, specifications and guidelines under this Act for

electronic data governance.

(2) For the purpose of electronic data governance across government, the Head of

Department must, by written instrument, classify electronic data as -

(a) restricted top secret data if the unauthorized disclosure, alteration or destruction of

the data could result in a significant level of risk to the government; or

(b) confidential data if the unauthorized disclosure, alteration or destruction of the

data could result in a moderate level of risk to the government; or

(c) public data if the unauthorized disclosure, alteration or destruction of the data

could result in little or no risk to the government.

(3) A public body must apply the data classifications made under Subsection (2) to any

electronic data that it generates, collects, processes, stores, uses or shares.

(4) The Head of Department must make standards prescribing security controls to be applied

by public bodies for safeguarding electronic data against unauthorised disclosure,

modification or destruction having regard to the classifications of data made under

Subsection (2).

(5) A standard made for the purposes of public electronic data governance under this Act is

not a Papua New Guinea Standard of Measurement in respect of a commodity, practice,

process or product under the National Institute of Standards and Industrial Technology Act

1993.

Commented [IK10]: Would this subsection be seen as

repetitive of Subsection 1(f). If so we delete it if not we leave

it as it is.


46

57. PUBLIC BODIES AND ELECTRONIC DATA GOVERNANCE

(1) Despite any other law, a public body must generate, collect, process, store, use and share

electronic data in accordance with the requirements of this Act and the regulations, standards


(2) Subject to Subsection (5), a person must not access any electronic data stored by a public

body, unless -

(a) the public body storing the data grants written permission; and

(b) in the case of personal data of an individual, in addition to written permission

under Paragraph (a), the individual has given his or her written consent.

(3) If access to electronic data is granted under Subsection (2) to a person, the electronic data

must be made available only to that person.

(4) If electronic data stored by a public body is classified under Subsection 56(2) as restricted

top secret data or confidential data, the Head of Department may prescribe additional

requirements for access to such data and restrictions on how the data may be used.

(5) To avoid doubt, nothing in this Section prevents or limits an individual from accessing his

or her personal data stored by a public body if he or she has obtained written permission from

the public body under Paragraph (2)(a).

58. DATA TO BE COLLECTED AND STORED IN ELECTRONIC FORM

(1) A public body may -

(a) collect data in electronic form; and

(b) store data in its system at the first point of electronic data collection.

(2) On and after a date declared in writing by the Head of Department, a public body, in

discharging its functions, must, at the first point of collection of data, ensure that the data is

collected and stored in electronic form.

(3) Electronic data collection and storage may be undertaken by utilizing all or any of the

following -

(a) computer devices;

(b) other electronic devices;

(c) digital voice recorders;

(d) digital video recorders;


47

(e) translation of signs, symbols or signals into words by interpreter devices or an

interpreter;

(f) digital photo cameras;

(g) digital instruments, apparatus, devices or equipment in substitution for words.

(4) The Department is responsible for the oversight of electronic data collection and storage

by public bodies, including when a public body converts any data collected in non-electronic

form into electronic form.

(5) Without prejudice to any other law, the Head of Department may authorize or direct a

public body or a person engaged by a public body under a contract to collect and store

specific electronic data for a particular purpose.

(6) An authorization or directive commences on the day it is issued and ends on the day

specified in the authorization or directive.

59. ELECTRONIC DATA OWNERSHIP

(1) All electronic data stored as backup in the Central Electronic Data Repository is the

property of the State.

(2) To avoid doubt, Subsection (1) extends to electronic data that is collected and stored by a

person under a contract with a public body.

(3) A person under Subsection (2), who receives written request by a public body, fails to

make available electronic data collected and stored commits an offence.

60. ELECTRONIC DATA INTEGRATION

(1) A public body must comply with the standards for electronic data integration made under

this Act.

(2) Subject to Subsection (3), the electronic data integration standards must -

(a) prescribe matters relating to the use of open APIs, closed APIs and hybrid APIs by

public bodies to share electronic data for service delivery, including APIs that are-

(i) machine readable;

(ii) publicly accessible;

(iii) stable and scalable;

(iv) available to other public bodies;

(v) able to function on different platforms using multiple languages; and

Commented [IK11]: Can we insert an offending Section

here and perhaps insert penalty as well.


48

(b) comply with the National Cyber Security Policy and Guidelines developed by the

Department in consultation with NICTA and other relevant public bodies.

(3) The APIs used by a public body must -

(a) be properly documented with sample code and sufficient information for

developers to make use of, if appropriate; and

(b) if appropriate, have their life-cycle made available by the public body owning it;

and

(c) be backward compatible with at least two earlier versions; and

(d) comply with national security policies, laws, guidelines and specifications; and

(e) enable a public body, if appropriate, to use an authentication mechanism to enable

service interoperability on a single sign-on system; and

(f) promote easy and transparent integration and interoperability of electronic data;

and

(g) promote safe and reliable sharing of electronic data and information to enable

delivery of digital services; and

(h) encourage and enable innovation; and

(i) promote open standards of software interoperability across public bodies; and

(j) ensure easy access of information collected by public bodies.

(4) A public body using one or more systems must make available to the Department the

specifications of the APIs used by the public body to deliver digital services.

(5) The Department must establish a register of APIs used by public bodies and keep it up to

date.

61. ELECTRONIC DATA MANAGEMENT

(1) A public body must comply with the standards for electronic data management

(2) The Department must establish the Electronic Data Register to record the types of

electronic data collected, stored and shared by public bodies, and keep the register up to date.

(3) To avoid doubt, the Electronic Data Register may be used for cataloguing electronic data

collected, stored and shared by public bodies.

62. ELECTRONIC DATA SHARING

(1) A public body must comply with the standards for electronic data sharing made under this

Act.


49

(2) When sharing electronic data, a public body must take the necessary precautions to ensure

that the sharing of the data will be done in a secured manner without causing data privacy

violations or leaving the data open to being hacked.

(3) For the purposes of facilitating data sharing across government, the Department must

establish and manage a data sharing and exchange data centre.

63. ELECTRONIC DATA IN PROVINCES AND DISTRICTS

(1) The Department must for the purposes of electronic data governance and the delivery of

digital services in provinces and districts discharge its functions as a public body mandated

by Section 106 of the Organic Law on Provincial Governments and Local Level

Governments 1998.

(2) The Department must, in the discharge of its functions under this Act, work in

collaboration with any other public body mandated by law to deliver services in provinces

and districts with respect to the generation, collection, processing, storing, securing, using

and sharing of electronic data.

64. NEW CONTRACTS RELATING TO ELECTRONIC DATA

(1) This Section applies to a contract or agreement with a public body relating to the

generation, collection, processing, storage, security, use or sharing of electronic data if the

contract or agreement is entered into on or after the commencement of this Act.

(2) Electronic data under a contract or agreement to which this Section applies must be

generated, collected, processed, stored, secured, used or shared in accordance with this Act

and the regulations, standards and specification made under this Act, despite any provisions

to the contrary in the contract or agreement.


50

PART VII – OFFENCES AND PENALTIES

65. OFFENCES

(1) A person commits an offence if the person intentionally, knowingly or recklessly, or

without lawful excuse or justification, or in excess of a lawful excuse or justification -

(a) discloses electronic data or electronic records accessed in the course of the

person’s employment or engagement with a public body; or

(b) accesses or downloads electronic data or electronic records from a public body’s

system or digital infrastructure; or

(c) accesses or downloads any unauthorized material by the use of a public body’s

system or digital infrastructure; or

(d) disseminates or transmits electronic data or electronic records of a public body

through unauthorized channels; or

(e) removes, destroys, alters or damages electronic data or electronic records of a

public body; or

(f) removes, destroys, alters or damages a public body’s digital infrastructure,

software or hardware, or a system.

(2) If a person is convicted of an offence, the person is liable on conviction -

(a) in the case of an offence under Paragraph (1)(a),(b),(c) or (d) -

(i) for a natural person, to a fine not exceeding K25,000.00 or imprisonment for a

period not exceeding 3 years, or both, and

(ii) for a body corporate, to a fine not exceeding K125,000.00; and

(b) in the case of an offence under Paragraph (1)(e) or (f) -

(i) for a natural person, to a fine not exceeding K100,000.00 or imprisonment for a

period not exceeding 10 years, or both; and

(ii) for a body corporate, to a fine not exceeding K500,000.00.

(3) To avoid doubt, the imposition of a penalty under this Section does not prevent -

(a) disciplinary action being taken against a natural person; or

(b) the cancellation or suspension of a body corporate’s operational licence, permit,

approval or certificate under any other law.


51

(4) If a person is convicted of an offence under this Section or an offence referred to in

Section 66, a court may, in addition to any penalties prescribed in this Act, order the person

convicted to pay to the State a sum equal to the cost of repairing any damage resulting from

the commission of the offence.

66. PENALTIES

If a person contravenes a provision of this Act, for which no specific penalty is provided, the

person commits an offence and is liable on conviction to -

(a) in the case of an offence by a natural person, a fine not exceeding K 5,000.00; and



52

PART VIII – MISCELLANEOUS

67. DELEGATION

(1) The Head of Department may delegate any of his or her powers or functions under this

Act to an officer of the Department.

(2) A delegation must be in writing signed by the Head of Department.

68. COMMITTEES

(1) The Department may form specialist committees to assist it in the performance of its

functions and prescribe their terms of reference.

(2) A committee is to regulate the conduct of proceedings at its meetings as it thinks fit.

69. IMMUNITY

A person engaged in the administration or enforcement of this Act is not personally liable for

anything done or omitted to be done in good faith in the performance or exercise, or

purported performance or exercise, of a function or power under this Act.

70. PENALTIES NOT TO AFFECT OTHER LIABILITIES

The penalties that may be imposed under this Act are in addition to and not in derogation of

any liability in respect of the payment of compensation or penalties for breach of licence or

permit conditions or other laws and regulations relating to ICT.

71. REGULATIONS

(1) The Head of State, acting on advice of the Minister, may make regulations prescribing

matters -

(a) required or permitted by this Act to be prescribed by the regulations; or

(b) necessary or convenient to be prescribed for carrying out or giving effect to this

Act.

(2) Without limiting Subsection (1), the regulations may prescribe matters relating to all or

any of the following -

(a) digital government infrastructure integration;

(b) digital government infrastructure interoperability;

(c) websites of public bodies;

(d) social media platforms of public bodies;

(e) internet services of public bodies;


53

(f) digital infrastructure;

(g) critical digital infrastructure;

(h) digital services;

(i) government ICT infrastructure projects;

(j) cyber security of public bodies;

(k) government communication command and control centres;

(l) measures to protect the generation, collection, processing, storage and usage of

electronic data by public bodies;

(m) measures to protect the security of personal data of individuals that is generated,

collected, processed, stored, used and shared electronically by public bodies;

(n) measures to protect the privacy of personal data of individuals that is generated,

collected, processed, stored, used and shared electronically by public bodies;

(o) fees and charges for services provided;

(p) smart contracts;

(q) penalties for offences against the regulations not exceeding a fine of K2,000.

(3) The regulations may make provision in relation to a matter by applying, adopting or

incorporating any matter contained in an instrument or other writing as in force or existing

from time to time.

72. STANDARDS, SPECIFICATIONS, GUIDELINES AND FORMS

(1) The Head of Department may make standards, specifications and guidelines for the

purposes of this Act.

(2) The standards, specifications and guidelines may make provision in relation to a matter by

applying, adopting or incorporating any matter contained in an instrument or other writing as

in force or existing from time to time.

(3) The standards and specifications are subordinate legislative instruments.

(4) A guideline is an instrument of an advisory nature and is not mandatory.

(5) The Head of Department may prescribe forms for the purposes of this Act.


54

73. CODE OF PRACTICE RULES

(1) The Department may, after consultation with the Public Service ICT Steering Committee,

develop Code of Practice Rules to govern interagency working relationships amongst public

bodies for the purposes of digital government, critical digital infrastructure and public digital

services.

(2) The Code of Practice Rules take effect on the date certified by the Minister.

(3) The Code of Practice Rules is a subordinate legislative instrument.

74. CERTAIN EXISTING ICT CONTRACTS

(1) This Section applies to a contract or agreement relating to conducting ICT business with a

public body if the contract or agreement was in force immediately before the commencement

of this Act.

(2) A person conducting ICT business with a public body under a contract or agreement to

which this Section applies has 2 years from the commencement of this Act to ensure the

services provided to the public body under the contract or agreement comply with this Act

and the regulations, standards and specification made under this Act.

(3) A contract or agreement to which this Section applies is null and void and unenforceable

if Subsection (2) is not complied with.

(4) If data, information or a document -

(a) is collected by a public body under a contract or agreement to which this Section

applies; and

(b) on and after the commencement of this Act, is inputted into an electronic database

system owned and operated by another party to the contract or agreement,

the data, information or document remains the property of the contracting public body and

the State, despite any provisions to the contrary in the contract or agreement.

(5) On and after the commencement of this Act, if -

(a) information is paid for by a public body under a contract or agreement to which

this Section applies; and

(b) payment in full is made under the contract or agreement by the public body; and

(c) the source code of the information is necessary for the public body to access

services,

the source code must be made available to the public body when payment is made in full.

(6) On and after the commencement of this Act, if a contract or agreement to which this

Section applies is declared null and void and unenforceable by a court, any electronic data


55

stored, generated or secured under the contract or agreement by a person other than the

contracting public body must be returned to the public body, despite any provisions to the

contrary in the contract or agreement.

(7) A court must take judicial notice of the following -

(a) an unenforceable contract or agreement referred to in Subsection (3);

(b) the State must not under that contract or agreement -

(i) compensate any person for any damage, other than compensation on fair

market value for work done; or

(ii) enforce any rights or obligations in breach of this Act.