Fact sheet - The GIPA Act: Agency systems, policies and practices - guidance for principal officers
This fact sheet appears below or can be viewed and downloaded here Fact Sheet - The GIPA Act: Agency systems, policies and practices - guidance for principal officers, updated November 2021
This guidance is provided to assist principal officers in the performance of their responsibilities under the Government Information (Public Access) Act 2009 (GIPA Act). It provides suggested actions to improve agency systems, policies and practices that relate to functions of agencies under the GIPA Act.
NSW public sector operating environments
In the context of cluster arrangements, principal departments may institute arrangements to exercise responsibilities under a devolved model in which a central ‘GIPA unit’ coordinates processes for dealing with and deciding GIPA access applications. Within cluster arrangements, government information can be held in different electronic information management systems accessed by different business units. These arrangements require local business units to perform GIPA Act functions under delegation or authorisation by the principal officer of the agency. In particular, local business units may have responsibility for conducting searches for the information sought by a GIPA access applicant.
To ensure principal officers are able to confidently uphold their responsibilities under the GIPA Act, a devolved model must be well supported by leadership, investment in training, systems and processes including assurances and certifications.
In exercising responsibilities under the GIPA Act, agencies have statutory obligations to:
- interpret and apply the Act to further its objects, including to open government information up to the public
- exercise discretion to facilitate and encourage, prompt access to government information, at the lowest reasonable cost
- uphold the general principles of open government information.
The statutory responsibilities of agencies to uphold the general principles of open government information are highlighted in section 5 of the GIPA Act, which provides:
There is a presumption in favour of the disclosure of government information unless there is an overriding public interest against disclosure.
The responsibilities of principal officers in upholding the GIPA Act are to:
- set the strategic direction
- ensure the operationalisation of responsibilities and
- create the cultural environment through which these legislative obligations are met.
Upholding these responsibilities in cluster arrangements requires accepted and applied process and sound systems for governance and accountability.
GIPA Act offences
The objects of the GIPA Act provide a sound basis to secure good governance and guide the actions of the public sector in operationalising the intent of the Act. The aim is to open government information to the public and in doing so maintain and advance a system of responsible and effective representative democratic government that is open, accountable, fair and effective.
In particular, the GIPA Act envisaged a “cultural change” that is advanced by a number of key features of the legislation.
The offence provisions have application in securing cultural change. Accordingly, systems, policies and practices must operate effectively under contemporary public sector structures and arrangements to safeguard against vulnerabilities that may arise under devolved decision making models.
Training, at all levels in relation to the offence provisions is essential to ensuring that responsibilities under the GIPA Act are upheld.
The GIPA Act creates five offences (section 116-120) which, in summary serve two regulatory purposes:
- an enforcement function to impose penalties upon persons committing the most serious contraventions of the GIPA Act, and
- a persuasive/educative function to deter persons from committing contraventions of the GIPA Act.
The IPC has issued guidance, Fact Sheet – Offences under the GIPA Act, to assist agencies and members of the public and in promoting awareness and understanding.
Managing risks to compliance in a devolved environment
The suggested actions set out below are designed to provide assistance and guidance to agencies in the exercise of GIPA functions and respond to risks that may arise in the performance of GIPA functions under devolved functional and decision-making arrangements.
Systems, policies and practices
1. Record keeping: agencies should regularly review and promote systems, policies and practices to ensure that contemporaneous records of conversations in relation to GIPA access applications are created and maintained in file notes.
2. Certification templates: provide a means of promoting accountability regarding the conduct of searches by individual officers. Agencies should regularly review and promote systems, policies and practices to support the conduct of searches in response to GIPA access applications. Certification templates may include a requirement for officers to identify the:
- search terms applied
- systems searched
- information identified
- officer conducting the search return to the GIPA access application decision-maker by way of certification or attestation, e.g. signature or other identification mechanism.
Certification templates may also enable the officer providing the search return to specify the factors for and against disclosure of information returned for consideration by the decision-maker.
3. Search processes: agencies’ development of systems, policies and practices should reflect the guidance provided by the Information and Privacy Commission (IPC) and case law in relation to:
- identifying the parameters of the access application and the search terms to be applied by officers conducting searches relevant to the access application
- the processes to be adopted to ensure identification of government information held by agencies
- coordinating searches to better identify locations and systems to be searched.
Training and guidance
4. Agencies should implement a program of regular training to support the performance of functions under the GIPA Act, which may also include information management more broadly, including:
- the offence provisions under the GIPA Act
- the agency Code of Conduct and NSW Public Service Commission’s Ethical Framework as they relate to the GIPA Act, with a particular emphasis on transparency, accountability and governance.
5. Training should be tailored appropriately for specific roles and responsibilities, in particular:
- those charged with responsibility for coordinating and searching for information
- officers receiving search requests
- contractors and temporary employees and
- senior managers and executives.
6. Agencies should consider and apply available data and resources, including those provided by the IPC, to benchmark and better manage GIPA access applications and ensure compliance with statutory timeframes. The IPC’s online Information Governance Agency Self-assessment Tool allows agencies to measure the maturity of their information governance systems and implement plans to further develop those systems and confidently meet their information access requirements.
7. Agencies should consider the inclusion of compliance with the GIPA Act and broader information management policies as a performance indicator for all employees, particularly those at senior leadership levels. If included, compliance could then be monitored and reviewed no less than annually as a component of performance reviews.
For more information
Contact the Information and Privacy Commission NSW (IPC):
Freecall: 1800 472 679
NOTE: The information in this Fact Sheet is to be used as a guide only.
Legal advice should be sought in relation to individual circumstances.
 GIPA Act 2009 section 3 https://www.legislation.nsw.gov.au/acts/2009-52.pdf
 Government Information (Public Access) Bill 2009, 2nd Reading Speech LA, https://www.parliament.nsw.gov.au/bill/files/3117/LA%2052,%2053,%2054%2009.pdf
 McKay v Transport for NSW  NSWCATAD 212