GDT Bill (Draft I January 2021)
No. X of 2021.
Government Digital Transformation Bill 2021
ARRANGEMENT OF CLAUSES
PART I – PRELIMINARY
1. Compliance with Constitutional Requirements
2. Purpose
3. Interpretation
4. National Interest
5. Act binds State and application to Public Bodies
6. Certain Proceedings against the State and Public Bodies not enforceable
7. Functions and powers of the Minister
8. Minister to approve certain new ICT
9. Minister may issue certain directives
PART II – INSTITUTIONAL ARRANGEMENTS
10. Change of name to Department of Information and Communication Technology
11. Departmental Head
12. Functions and powers of the Departmental Head
13. Deputy Secretaries
14. Department as Government Central ICT Coordinating Agency
15. Functions of the Department
16. Powers of the Department
17. Government Digital Services Strategic Plan
18. Public Sector ICT Development Project Funding
19. Digital Transformation Officers
20. ICT Incubation Centre
21. National Cyber Security Centre
22. Functions of National Cyber Security Centre
23. Joint Strategic Centre
24. Functions of Joint Strategic Centre
25. Public Service ICT Audit Committee
26. Functions of the Public Service ICT Audit Committee
27. Deemed Government Priorities for UAS Funding
PART III – PUBLIC SERVICE ICT STEERING COMMITTEE
28. Public Service ICT Steering Committee
29. Functions of the Public Service ICT Steering Committee
30. Evaluation of certain ICT project designs and contracts
31. Meetings of the Public Service ICT Steering Committee
PART IV – DIGITAL INFRASTRUCTURE
32. Digital Infrastructure
33. Use of Digital Infrastructure
34. Critical Digital Infrastructure
35. Government Cloud
36. Government Private Network
37. Data Traffic Prioritization if Government Private Network not available
38. Alternative networks to the Government Private Network
39. Redundancy Requirement for Government Private Network
40. Localising Digital Infrastructure for Government Private Network
41. National Strategic Electronic Data Bank
42. Central Electronic Data Repository
43. Access to Central Electronic Data Repository
44. Secured Information Exchange Platform
45. Security Surveillance Using Digital Technology
PART V – DIGITAL SERVICES AND RELATED MATTERS
46. Digital Services
47. Provision of Digital Services and making Digital Services accessible
48. Digital services for Expanding Financial Inclusion
49. National e-Government Online Portal
50. Open data
51. Infrastructure as Shared Services (should be under Infrastructure)
52. Government Domain
53. Government Emails and Websites
54. Government Social Media Accounts
55. Reduction of Paper Documents
PART VI – ELECTRONIC DATA
56. Electronic Data Governance across Government
57. Public Bodies and Electronic Data Governance
58. Data to be collected and stored in electronic form
59. Electronic Data Ownership
60. Electronic Data Integration
61. Electronic Data Management
62. Electronic Data Sharing
63. Electronic Data in Provinces and Districts
64. New Contracts relating to Electronic Data
PART VII – OFFENCES AND PENALTIES
65. Offences
66. Penalties
PART VIII – MISCELLANEOUS
67. Delegation
68. Committees
69. Immunity
70. Penalties not to affect other liabilities
71. Regulations
72. Standards, Specifications, Guidelines and Forms
73. Code of Practice Rules
74. Certain existing ICT contracts
No. ……of 2021.
A Bill
for
An Act
entitled
Government Digital Transformation Bill 2021
Being an Act relating to establishment of government ICT central coordinating agency,
electronic data, digital infrastructure, digital services and digital skill sets across whole of
government, and other aspects of digital government, and for related purposes,
MADE by the National Parliament to come into operation in accordance with a notice in the
National Gazette by the Head of State, acting with, and in accordance with, the advice of the
Minister.
PART I – PRELIMINARY
1. COMPLIANCE WITH CONSTITUTIONAL REQUIREMENTS
This Act, to the extent that it regulates or restricts a right or freedom referred to in
Subdivision III.3.C. (qualified rights) of the Constitution, namely -
(a) the right to freedom from arbitrary search and entry conferred by Section 44 of the
Constitution; and
(b) the right to freedom of expression conferred by Section 46 of the Constitution; and
(c) the right to freedom of employment conferred by Section 48 of the Constitution; and
(d) the right to privacy conferred by Section 49 of the Constitution; and
(e) the right to freedom of information conferred by Section 51 of the Constitution;
and
(f) the right to protection from unjust deprivation of property conferred by Section 53
of the Constitution,
is a law that is made for the purpose of giving effect to the public interest in public order,
public safety and public welfare.
2. PURPOSE
The purpose of this Act is to -
(a) give effect to the vision and goals of the Government to develop Papua New
Guinea into a smart, fair, wise, healthy and happy nation by enabling digital services
to propel a resilient digital economy; and
(b) provide an enabling legal framework to implement the Government’s digital
transformation policies and other ICT policies, including to -
(i) empower the Department to facilitate, oversee and promote digital government;
and
(ii) enable the development of electronic data governance across whole of
government; and
(iii) enable the re-engineering and design of government digital processes and
procedures; and
(iv) enable the integration of ICT systems across whole of government; and
(v) enable the provision of shared infrastructure as a service across whole of
government; and
(vi) enable the provision of the Government’s cyber security operations; and
(vii) enable the development of essential digital skill sets across government and the
non-government sector; and
(c) enable and facilitate the coordination of ICT development budget and projects
across whole of government; and
(d) enable the streamlining, planning and coordination of digital government, digital
services, digital infrastructure, ICT project funding and digital skills across whole of
government.
3. INTERPRETATION
In this Act, unless the contrary intention appears -
“application” means a distinct set of machine instructions interpretable and executable by a
computing device and designed to fulfil a particular purpose.
Commented [IK1]: Using the phrase “across whole of
government” as it appears to be the phrase used in various
policy documents with respect to Digital Transformation.
“application programming interface” means any software application or hardware
technology or combination of them designed to facilitate integration or interoperability of
two or more systems, and in this Act is also represented by the acronym ‘API’.
“Central Electronic Data Repository” means the Central Electronic Data Repository
established under Section 42.
“Code of Practice Rules” means the Code of Practice Rules developed under Section 73.
“critical digital infrastructure” has the meaning given by Section 34.
“Department” means the department responsible for information and communications
technology.
“digital government” means the use of ICT by government to deliver digital services.
“digital infrastructure” has the meaning given by Section 32.
“digital service” has the meaning given by Section 46.
“digital transformation officer”, in relation to a public body, means the person who has
oversight of, and is responsible for, ICT matters in a public body.
“electronic data” means data entered into an electronic device to be stored and shared using
digital infrastructure for the purposes of enabling the delivery of digital services.
“Electronic Data Register” means the Electronic Data Register established under Section
61.
“endpoint” means any internet capable device that communicates across a network, such as
laptops, telephones and personal computers.
“Government Cloud” means the Government Cloud established under Section 35.
“Government Digital Services Strategic Plan” means the Government Digital Services
Strategic Plan developed under Section 17.
“Government Private Network” means the Government Private Network referred to in
Section 36.
“ICT” means information and communications technology.
“ICT Incubation Centre” means an ICT Incubation Centre established under Section 20.
“integration” means connecting one or more systems so that data from one system can be
used by another to deliver digital services.
“interoperability” means the ability of different systems to communicate and exchange data
in real-time and use data that has been exchanged.
“JSC” means the Joint Strategic Centre established under Section 23.
“Minister” means the Minister administering the Department.
“Ministry” means the ministry responsible for information and communications technology
that the Minister is overseeing under the Prime Minister’s Determination of Titles and
Responsibilities.
“National e-Government Online Portal” means the National e-Government Online Portal
established under Section 49.
“National Strategic Electronic Data Bank” means the National Strategic Electronic Data
Bank referred to in Section 41.
“NCSC” means the National Cyber Security Centre referred to in Section 21.
“NEC” means the National Execution Council of the Government of Papua New Guinea.
“NICTA” means the National Information and Communications Technology Authority
established by the National Information and Communications Technology Authority Act
2009.
“public body” has the same meaning as governmental body in Sch. 1.2 of Part 2 of Schedule
1 of the Constitution.
“Public Service ICT Audit Committee” means the Public Service ICT Audit Committee
established under Section 25.
“Public Service ICT Steering Committee” means the Public Service ICT Steering
Committee established under Section 28.
“shared service” means the consolidation of digital infrastructure from public bodies into a
stand-alone digital infrastructure as an internal service for public bodies to use to provide
digital services.
“system” means an information technology set-up that has a defined procedure consisting of
hardware, software, data and people to produce a specific outcome.
4. NATIONAL INTEREST
(1) For the purposes of Section 41 of the Organic Law on Provincial Governments and
Local-level Governments, this Act relates to a matter of national interest.
(2) Pursuant to Subsection (1), national interest includes, but is not limited to -
(a) the storing of a public body’s baseline electronic data; and
(b) the use of systems, devices, equipment, apparatus, instruments, applications and
digital infrastructure by the government; and
(c) the sharing and access to government data and information across government.
5. ACT BINDS STATE AND APPLICATION TO PUBLIC BODIES
(1) This Act binds the State.
(2) This Act applies to all public bodies.
6. CERTAIN PROCEEDINGS AGAINST THE STATE AND PUBLIC BODIES NOT
ENFORCEABLE
(1) This Section applies to a legal proceeding for -
(a) a claim for payment, compensation, restitution or damages; or
(b) a declaration or any other form of equitable relief,
arising from the supply of digital infrastructure or digital services to the State or a public
body.
(2) A legal proceeding to which this Section applies is not enforceable in a court, unless the
supplier of the digital infrastructure or digital services has complied with this Act and the
regulations, standards and specifications made under this Act.
7. FUNCTIONS AND POWERS OF THE MINISTER
(1) The Minister is responsible for ICT policy oversight and development, and is to -
(a) provide leadership to government to facilitate the development of ICT policies and
legislation; and
(b) advise the NEC on ICT policies and legislation; and
(c) inform the NEC on ICT business matters affecting government; and
(d) issue directions to the Department and public bodies reporting to the Minister to
implement ICT policies, plans and legislation; and
(e) perform other functions as provided under this Act or any other law.
(2) The Minister has the power to -
(a) issue a national ICT policy directive to the Department consistent with this Act;
and
(b) direct the formulation, implementation and review of policies relating to the ICT
sector; and
(c) direct the formulation, implementation and review of a disaster preparedness plan
for the ICT sector; and
(d) direct the Department to develop policies relating to revenue generation,
procurement, standards and management of digital infrastructure and digital services;
and
(e) direct the Department to perform its functions as provided under this Act or any
other law.
(3) The Minister may, in consultation with the Department and any relevant public body
under the Ministry, issue written directions if -
(a) a state of emergency relating to ICT has been declared; and
(b) the Minister is satisfied that it is necessary to issue directions for the welfare and
safety of people affected by the emergency.
(4) To avoid doubt, this section does not limit the Minister’s powers or functions under any
other law.
8. MINISTER TO APPROVE CERTAIN NEW ICT
(1) This section applies to any new ICT that is proposed to be purchased by one or more
public bodies if the total investment value of the new ICT exceeds or is likely to exceed
K1,000,000.00.
(2) The Department must give the Minister a report, recommended by the Public ICT
Steering Committee, on the proposed purchase of any new ICT to which this Section applies
and the Minister must submit the report to the NEC.
(3) The Minister must, acting on the advice of the NEC, approve, subject to conditions (if
any), or reject the proposed purchase of the new ICT.
(4) A public body must not purchase any new ICT, unless the Minister has, acting on the
advice of the NEC, approved its purchase. The Minister may approve the purchase of the new
ICT subject to conditions.
(5) The Minister may, acting on the advice of the NEC, reject the purchase of the new ICT if
the use of the new ICT poses a serious risk or threat to public health, safety, welfare or
security.
(6) Despite any licences, permits or approvals obtained under any other law, a rejection by
the Minister of the purchase of the new ICT automatically prohibits its use by a public body
by force of this Subsection.
(7) An approval or rejection comes into effect in accordance with a notice by the Minister
published in the National Gazette.
(8) The Department must publish any approval or rejection by the Minister.
Commented [IK2]: I don’t think this Section is necessary.
Commented [IK3]: Do we need to define what constitutes
new ICT?
Commented [IK4]: National Procurement Act already
provides for procurement hence this Section is not necessary.
Also Section 30 of this Bill “Evaluation of certain ICT project
designs and contracts” suffices to address issues of new ICT
hence I recommend this entire Section 8 to be deleted. The
effect of this Section may create bottleneck to address
pressing issues requiring new technology implementation. If
any this Section would best fit into the functions of NICTA
and apply to all persons conducting business in the country.
Commented [IK5]: The initial idea was to give Minister
some general powers through an NEC Decision to approve,
set limit or ban use of certain ICT technology that would be
considered as posing serious risk or threat to public health,
safety, welfare or security of citizens in the country.
(9) If a person contravenes a rejection or a condition of an approval, the person commits an
offence and is liable on conviction to a penalty -
(a) in the case of an offence by a natural person, a fine not exceeding K20,000.00 or
imprisonment for a period not exceeding 5 years, or both; and
(b) in the case of an offence by a body corporate, a fine not exceeding K100,000.00.
9. MINISTER MAY ISSUE CERTAIN DIRECTIVES
(1) The Minister may, acting on the advice of the NEC, issue all or any of the following
directives to an internet service provider or any other person providing internet services -
(a) ban the use of a software application in Papua New Guinea that poses a serious
risk or threat to public health, safety, welfare or national security;
(b) if there is considered to be a serious risk or threat to public health, safety, welfare
or national security, to do all or any of the following -
(i) filter, restrict or ban websites;
(ii) monitor and control the content of websites;
(iii) control expressions on websites by blocking, keyword filtering, censoring or
suspending social media platforms;
(iv) lock access to specific internet protocol addresses.
(2) A directive comes into effect in accordance with a notice by the Minister published in the
National Gazette.
(3) The Department must publish on its website any directive.
(4) If a person fails to comply with a directive, the person commits an offence and is liable on
conviction to a penalty -
(a) in the case of an offence by a natural person, a fine not exceeding K20,000.00 and
imprisonment for a period not exceeding 5 years, or both; and
(b) in the case of an offence by a body corporate, a fine not exceeding K100,000.00.
(5) The Head of Department may make guidelines for the purposes of Subsection (1).
PART II – INSTITUTIONAL ARRANGEMENTS
10. CHANGE OF NAME TO DEPARTMENT OF INFORMATION AND
COMMUNICATION TECHNOLOGY
(1) The name of the Department of Communication and Information (“DCI”) that existed
immediately before the commencement of this Act is changed to the Department of
Information and Communication Technology (“DICT”).
(2) The change of name takes effect on the commencement of this Act or on the date a
Gazettal Notice is published for name change, whichever comes first.
(3) Subject to subsection (2), a reference to the former name has effect as if it were a
reference to the new name -
(a) in any law; or
(b) in any contract to which the State is a party; or
(c) in any legal proceedings in which the State is a party.
(4) The Head of Department of the DCI remains the Head of Department of the DICT.
(5) Each employee of DCI remains an employee of the DICT.
(6) The terms and conditions of service of the Head of Department and those employees are
not altered by the change of name.
(7) The functions and powers of the DICT are not altered by the change of name.
11. DEPARTMENTAL HEAD
(1) The Head of Department is to be appointed and hold office for a term of 4 years or as
directed by the Department responsible for personnel matters pursuant to the Public Services
(Management) Act 1995 and any other law relating to the appointment of a departmental head.
(2) Without prejudice to any other law, a person appointed as the Head of Department must -
(a) possess a minimum university qualification of a masters level degree in ICT,
management or equivalent; and
(b) have at least ten years’ experience in the field of ICT technical or policy matters;
and
(c) have last occupied a senior position, at a minimum level of First Assistant
Secretary or equivalent.
(3) For the purposes of this Section, the office of the Head of Department is an office to
which Part III, Division 2 (Leadership Code) of the Constitution applies.
Commented [IK6]: Our current status is before this proposed
Act takes effect, by and under an NEC directive DPM has
already approved Department’s name change to DICT from
DCI.
12. FUNCTIONS AND POWERS OF THE DEPARTMENTAL HEAD
(1) The Head of Department is responsible for -
(a) carrying out the functions and responsibilities of a departmental head under
Subsection 24(1) of the Public Services (Management) Act 1995 and any other law;
and
(b) the administration of this Act; and
(c) providing leadership and managing the Department in accordance with
government policies and the directions of the Minister; and
(d) advising the Minister on matters concerning ICT.
(2) The Head of Department has the powers conferred upon the office of a head of
department under the Public Services (Management) Act 1995, this Act or any other law.
(3) For the purposes of this Act, the Head of Department is the Chief State ICT Advisor to
the Government and is the ultimate source of ICT advice to the Government.
13. DEPUTY SECRETARIES
(1) The Deputy Secretaries of the Department are to be employed under the Public Services
(Management) Act 1995 as contract officers of the Department.
(2) The Deputy Secretaries are to report to the Head of Department and perform all functions
directed by the Head of Department.
(3) For the general working and efficient conduct of the Department, the Head of Department
may assign to another officer within the Department any of the functions, duties or powers of
a Deputy Secretary, or a person occupying a position within the Department equivalent to
Deputy Secretary.
14. DEPARTMENT AS GOVERNMENT CENTRAL ICT COORDINATION
AGENCY
(1) The Department is the Government Central ICT Coordinating Agency which is
responsible for ICT matters for all public bodies.
(2) In discharging its functions as the Government Central ICT Coordinating Agency, the
Department must review any ICT project design or contract of a public body and make
recommendations to the department or public body responsible for project funding matters or
national procurement matters about the project design or contract.
(3) The Head of Department is deemed to be a member of any government sanctioned social
or economic inter-agency committee that deliberates on issues associated with or relating to
the delivery of digital services or ICT.
(4) The Minister, acting on recommendation of the Department, must co-sponsor any
submission to the NEC made by another Minister if the submission relates to -
(a) the implementation of digital infrastructure; or
(b) a system; or
(c) the delivery of digital services.
15. FUNCTIONS OF THE DEPARTMENT
The Department has the following functions -
(a) develop, implement, monitor and evaluate ICT policies, plans and legislation for the
delivery of digital infrastructure and digital services, and the dissemination of
government information;
(b) co-ordinate the funding and delivery of whole-of-government digital
infrastructure and digital services platforms;
(c) support operations with agencies responsible for national intelligence and national
security to ensure cyber security and safety are maintained across whole of
government;
(d) oversee government ICT investments;
(e) provide policy guidance, assistance and awareness on government digital initiatives
and digital safety; and
(f) in relation to digital services -
(i) promote, develop and coordinate the delivery of quality digital services across
government;
(ii) advise the Minister on the implementation and sustainability of digital services;
(iii) facilitate public access to digital services;
(iv) promote, develop and coordinate quality shared digital infrastructure as a service
to enable the delivery of digital services;
(v) monitor and evaluate the delivery of digital services;
(vi) audit systems used to deliver digital services;
(g) promote and coordinate -
(i) ICT innovation policies and initiatives across whole of government; and
(ii) digital government research across whole of government; and
(iii) the use of secured systems by public bodies;
(h) promote transparency and accountability through electronic connectivity;
(i) ensure integration and interoperability of public bodies’ systems;
(j) facilitate public bodies to access shared services;
(k) approve digital infrastructures for use by public bodies;
(l) undertake the following audits -
(i) audit the systems of public bodies and other private systems offering services to
public bodies;
(ii) audit the digital infrastructure of public bodies,
to ensure compliance by the public body with this Act and the regulations, standards
and specifications made under this Act;
(m) establish and maintain a whole-of-government register of systems, digital
infrastructure and digital services;
(n) conduct research on the benefits and risks of any new type of ICT that is proposed
to be used by a public body or in the country and make appropriate recommendations
to the Minister;
(o) facilitate accessibility of ICT to persons with disabilities;
(p) collaborate with the department responsible for public service personnel matters
to retain skilled ICT personnel in the Department and in public bodies;
(q) provide administrative support and oversight to committees established under this
Act;
(r) such other functions conferred on the Department by this Act or any other law.
16. POWERS OF THE DEPARTMENT
For the purpose of performing its functions under this Act, the Department has the following
powers -
(a) to order a public body to give the Department physical or virtual access to a
system of the public body;
(b) to order a public body to cease using a private network that is not consistent with
this Act or the regulations, standards or specifications made under this Act;
(c) to order a public body to give the Department access to any source data of any
format from the public body;
(d) to receive, investigate, respond to and publish complaints relating to digital
services provided by a public body;
(e) to stop or suspend the implementation of any ICT project, digital services project or
digital infrastructure project by a public body that is not in compliance with the
regulations, standards or specifications made under this Act;
(f) to direct any public body to -
(i) furnish any information or produce any record or document relating to ICT
projects, digital services or digital infrastructure; and
(ii) answer all relevant questions relating to digital government initiatives;
(g) to examine any records or documents of a public body relating to ICT projects,
digital services or digital infrastructure and take copies or extracts; and
(h) request any ICT professional or technical assistance from any appropriate body
within or outside Papua New Guinea.
17. GOVERNMENT DIGITAL SERVICES STRATEGIC PLAN
(1) The Department is to develop a Government Digital Services Strategic Plan to deliver
digital services.
(2) The Department must review and update the Government Digital Services Strategic Plan
every 5 years or as directed by the Minister.
(3) The Government Digital Services Strategic Plan is to be -
(a) reviewed by the Public Service ICT Steering Committee before the Department
finalises it; and
(b) circulated to all public bodies; and
(c) complied with by all public bodies.
(4) Each public body must conduct an annual self-assessment of its implementation of the
Government Digital Services Strategic Plan and submit the assessment to the Department on
or before the end of the year to which the assessment relates.
18. PUBLIC SECTOR ICT DEVELOPMENT PROJECTS FUNDING
(1) This Section applies to an ICT project proposed by a public body if the project requires -
(a) development budget funding from the government; or
(b) State guaranteed funding.
(2) An ICT project to which this Section applies must comply with the Government Digital
Services Strategic Plan or relevant ICT sector plan, the ICT policies of the government, and
the regulations, standards and specifications made under this Act.
(3) A public body proposing an ICT project to which this Section applies must obtain a
Certificate of Compliance from the Department on the recommendation of the Public Service
ICT Steering Committee before submitting -
(a) its work plan and cash flow plan to the department responsible for national
planning and development budget matters; or
(b) its proposal to the department responsible for issuing State Guarantee on project
funding.
(4) The Certificate of Compliance for a new ICT project is confirmation that the project
complies with Subsection (2).
(5) An ICT project to which this Section applies is deemed to form part of the National
Planning Framework under Section 4 of the Papua New Guinea Planning and Monitoring
Responsibility Act 2016 only if a Certificate of Compliance is obtained for the ICT project.
(6) If a proposal of a public body for an ICT project to which this Section applies does not
comply with any of the requirements of this Section, the proposal must not be considered for
development budget funding or State guaranteed funding.
19. DIGITAL TRANSFORMATION OFFICERS
(1) The digital transformation officer or officers of a public body must ensure that the public
body gives effect to the digital transformation initiatives of the government.
(2) Without limiting the functions of a digital transformation officer of a public body, the
officer must -
(a) take all actions and efforts necessary for the public body to implement the
Government Digital Services Strategic Plan and any ICT sector plans of the
government; and
(b) facilitate integration and interoperability of the systems of the public body; and
(c) ensure the public body complies with Subsection 57(1); and
(d) facilitate delivery of digital services by the public body; and
(e) manage the electronic data-value-cycle in the public body; and
(f) provide ICT reports and feedback on a regular basis to the Department or as
requested by the Head of Department.
20. ICT INCUBATION CENTRE
(1) The Department may provide technical and administrative support to a public body that
is responsible for administering ICT innovation and development entrepreneurial initiatives.
(2) Technical support may include, but is not limited to, providing assistance to -
(a) establish one or more ICT Incubation Centres or Centres (“the Centres”) referred
to by another name to promote digital innovation and digital skills; and
(b) establish one or more ICT innovation laboratories in the Department and, if
necessary, in other places to -
(i) promote innovation of ICT ideas in public bodies and by members of the public;
and
(ii) make innovation laboratories accessible to public bodies personnel for ICT
research, development and up-skilling; and
(c) promote access and use of ICT innovation laboratories; and
(d) recognize and reward innovative ICT ideas; and
(e) host the Centres to encourage and enable qualified persons to work on different
innovation initiatives and ICT entrepreneurship start-up concepts; and
(f) assess the enterprise probability of proposals intended to be developed in the
Centres; and
(g) recommend business advice, service and training to a public body or a person
responsible for conducting such training to the participants of the Centres; and
(h) promote incubation for small to medium enterprise growth in software
development, networking, data management, cyber security solution development,
digital surveillance and digital transformation.
(3) In the absence of a public body under Subsection (1), the Department may, on the
directive of the Minister, act as the public body responsible for administering ICT innovation
and development entrepreneurial initiatives.
(4) The Department and the State do not incur any liability for works undertaken and services
rendered under this Section.
(5) The Department may outsource the operation and management of a Centre referred to in
Subsections (2)(a) and (3) and the establishment of such a Centre does not prevent any person
from discharging similar functions under this Section.
21. NATIONAL CYBER SECURITY CENTRE
(1) On and after the commencement of this Act, the National Cyber Security Centre is to be
jointly operated by -
(a) the Department; and
(b) the department responsible for defence; and
(c) the department responsible for police; and
(d) the department responsible for justice; and
(e) the National Intelligence Office; and
(f) the department responsible for Prime Minister and NEC.
(2) The Department is to continue to provide administrative oversight of the NCSC.
(3) All assets, equipment, systems and apparatus used by the NCSC immediately before the
commencement of this Act are, by force of this Subsection, transferred to the National
Government on that commencement.
22. FUNCTIONS OF NATIONAL CYBER SECURITY CENTRE
(1) The function of the National Cyber Security Centre is to conduct defensive cyber security
operations.
(2) Without limiting Subsection (1), the NCSC must do the following -
(a) promote a secured digital government environment;
(b) ensure government digital infrastructure contains appropriate security control
technologies;
(c) promote cyber resilience to ensure services that are essential for everyday life
remain effective and operational during cyber threats and attacks;
(d) investigate any breaches of cyber security and escalate security incidents to
appropriate authorities if necessary for their intervention;
(e) monitor and hunt cyber threats across networks and endpoints, and ensure that
threats attacking data and assets are contained and eliminated;
(f) provide its constituents with remote incident response and handling support;
(g) conduct audits on endpoint cyber security tracking and monitoring systems used by
public bodies;
(h) establish procedures for its constituents and other member organizations of
PNGCERT to report cyber-attacks or suspected cyber incidents;
(i) provide regular reports to its constituents;
(j) provide technical support to PNGCERT;
(k) recommend to the Head of Department for prosecution of relevant offences;
(l) perform other activities as directed in writing by the Head of Department following
consultation with the departments referred to in Subsection 21(1).
(3) In this Section -
“constituents” means a set of customers to which the NCSC provides services.
“PNGCERT” means the Papua New Guinea Computer Emergency Response Team.
23. JOINT STRATEGIC CENTRE
(1) The Department may establish a Joint Strategic Centre for the control and management of
a special situation.
(2) The person administering the JSC is to report to the Head of the Department.
(3) The JSC is to be jointly operated by the relevant public bodies in a special situation.
(4) The relevant public bodies are to share skills, technical resources and financial resources
to discharge the functions of the JSC under Section 24.
(5) The Department is to develop a Code of Practice to govern interagency collaboration for
the JSC. The Minister is to approve the Code of Practice acting on the advice of the Head of
Department.
(6) In this Section, each of the following is a “special situation” -
(a) a state of emergency;
(b) a national disaster;
(c) a public health emergency;
(d) unlawful social unrest, a strike or demonstration;
(e) a government organised or sanctioned international event;
(f) a situation that the NEC directs is a special situation.
(7) In this Section, a public body is a “relevant public body” for a special situation if the
NEC has directed that the public body respond to the special situation.
24. FUNCTIONS OF JOINT STRATEGIC CENTRE
The Joint Strategic Centre has the following functions -
(a) ensure interagency connectivity and resource sharing for emergency responses and
public safety;
(b) provide emergency systems or digital infrastructure as shared services;
(c) use software and hardware to provide facial recognition services, vehicle
recognition services and intelligent video recognition services;
(d) provide human behaviour analysis services for early detection of offences;
(e) provide services to eliminate information and communication silos across public
bodies;
(f) enable efficient collaboration amongst public bodies for data storage, data sharing,
analysis and dispatch to support policy decisions;
(g) otherwise enhance the control and management of any special situation referred to
in Subsection 24(6) and promote enforcement of any restrictions or other lawful
requirements made in response to the special situation.
25. PUBLIC SERVICE ICT AUDIT COMMITTEE
(1) The Public Service ICT Audit Committee is established.
(2) The Committee consists of -
(a) the Deputy Secretary in charge of digital matters of the Department or his or her
nominee; and
(b) a representative of the Auditor General’s Office nominated by the Auditor-General; and
(c) a lawyer from the State Solicitor’s Office nominated by the State Solicitor; and
(d) a representative of the Papua New Guinea Information Systems Audit and Control
Association; and
(e) a person nominated by the Head of Department.
(3) The Head of Department is to determine the chairperson of the Committee.
(4) The Committee must meet if -
(a) the Head of Department considers it necessary that the Committee assess and
evaluate a public body’s use of a system against regulations, standards and
specifications made under this Act; or
(b) the chairperson of the Committee considers it necessary for the efficient conduct
of the Committee’s business.
(5) The Committee is to regulate the conduct of proceedings at its meetings as it thinks fit.
(6) If the Head of Department considers it appropriate, the Department may discharge all or
any of the functions of the Committee without the need for the Committee to meet.
26. FUNCTIONS OF THE PUBLIC SERVICE ICT AUDIT COMMITTEE
(1) The Public Service ICT Audit Committee is to perform ICT audits on the systems of
public bodies and has such other functions as are set out in the Committee’s terms of
reference that is to be prescribed by the Head of Department.
(2) In conducting an ICT audit, the Committee may evaluate the systems of a public body by
-
(a) reviewing all or any of the following -
(i) the ICT organizational structure of the public body;
(ii) its internal ICT policies and procedures;
(iii) the public body’s compliance with this Act and the regulations, standards and
specifications made under this Act;
(iv) ICT documentation and ICT projects of the public body;
(b) interviewing the appropriate ICT personnel of the public body; and
(c) conducting such other audit activities as directed by the Head of Department.
(3) Within 4 weeks after completing an audit, the Committee is to report its findings to the
Department.
27. DEEMED GOVERNMENT PRIORITIES FOR UAS FUNDING
(1) For the purposes of Sections 90 and 98 of the National Information and Communications
Technology Authority Act 2009, digital government and ICT Incubation Centres are deemed
to be -
(a) priorities of the government for utilisation of the Universal Access and Service
Fund; and
(b) approved UAS Projects that will encourage the development of ICT or digital
infrastructure and improve availability of ICT or digital services.
(2) The Minister by force of this Section is deemed to have informed the UAS Board and
NICTA of the matters in Paragraphs (1)(a) and (b).
(3) Despite any other law, an amount calculated in accordance with an annual percentage of
the Universal Access and Service Fund determined under Subsection (4) must be used to -
(a) expand and maintain digital government, digital infrastructure and digital
services; and
(b) fund programs and projects of any ICT Incubation Centre.
(4) The UAS Board is to meet annually and determine the annual percentage referred to in
Subsection (3) which must not exceed 25% of the Universal Access and Service Fund.
(5) In this Section, “UAS Board”, “UAS Project” and “Universal Access and Service
Fund” have the same meaning as in the National Information and Communications
Technology Authority Act 2009.
PART III – PUBLIC SERVICE ICT STEERING COMMITTEE
28. PUBLIC SERVICE ICT STEERING COMMITTEE
(1) The Public Service ICT Steering Committee is established.
(2) The Committee consists of the Head of Department or his or her nominee, and the digital
transformation officer of each public body or his or her nominee.
(3) The Head of Department or his or her nominee is the chairperson of the Committee.
(4) The chairperson may, acting on the advice of the Committee, make reports and
recommendations to the Minister.
(5) A member of the Committee is to perform his or her functions as part of his or her
contractual duties to the Public Service and the State.
(6) Despite Subsection (5), the Department may pay meeting allowances to members of the
Committee as determined in writing by the Head of Department.
29. FUNCTIONS OF THE PUBLIC SERVICE ICT STEERING COMMITTEE
The functions of the Public Service ICT Steering Committee are to -
(a) facilitate the formulation, implementation and review of the Government Digital
Services Strategic Plan across all public bodies; and
(b) serve as a government forum for awareness on ICT policies, laws, programs and
projects in relation to public bodies; and
(c) assist the Department to identify and evaluate public bodies’ digital infrastructure
and digital government programs and projects; and
(d) assist the Department to identify ICT policy gaps and make recommendations to
address them; and
(e) give effect to ICT policy directions of the government.
30. EVALUATION OF CERTAIN ICT PROJECT DESIGNS AND CONTRACTS
(1) If a public body intends in any fiscal year to -
(a) undertake one or more ICT project designs with a total value exceeding
K500,000.00, or
(b) enter into one or more ICT contracts with a total value exceeding K500,000.00,
the Public Service ICT Steering Committee must evaluate the designs or contracts and make
recommendations to the Department to approve, subject to conditions (if any), or reject the
designs or contracts.
(2) The Department may, on receipt of a recommendation for approval from the Committee,
issue a Certificate of Compliance consistent with Section 18.
(3) If the Department rejects a recommendation of the Committee, the Department must,
within 10 working days after the date of rejection, provide written notice to the public body
concerned.
(4) The decision of the Department to approve or reject a recommendation is final.
(5) However, nothing in this Section prevents or limits a person from applying to a court for
judicial review of a decision of the Department.
31. MEETINGS OF THE PUBLIC SERVICE ICT STEERING COMMITTEE
(1) The Public Service ICT Steering Committee is to meet quarterly or at such other times as
the chairperson of the Committee determines.
(2) A quorum for a meeting of the Committee is 5 members.
(3) Prior to a meeting of the Committee, the Department must send an invitation through
authenticated electronic means to all members of the Committee and attach with it the
meeting agenda or by a written notice or both.
(4) An officer of the Department or a member of the Committee must keep minutes,
resolutions and action items of the meeting.
(5) The chairperson of the Committee must send to all members approved meeting minutes,
resolutions and action items, not later than 28 days after the day the meeting was held.
(6) Subject to this Section, the Committee is to regulate the conduct of proceedings at its
meetings as it thinks fit.
Commented [IK7]: Section 18(4) is sufficient for this
purposes hence it is not necessary to repeat here.
PART IV – DIGITAL INFRASTRUCTURE
32. DIGITAL INFRASTRUCTURE
(1) “Digital infrastructure” is any physical or virtual system or resource used by a public
body to deliver digital services and includes, but is not limited to the following -
(a) the Central Electronic Data Repository;
(b) the National Strategic Electronic Data Bank referred to in Subsection (2);
(c) data registers;
(d) ICT platforms;
(e) cloud infrastructure;
(f) the Government Cloud;
(g) the Government Private Network and other networks;
(h) systems;
(i) software applications;
(j) APIs and integration;
(k) endpoint devices;
(l) internet exchange points;
(m) servers, routers and modems enabling system connectivity of virtual private
networks and wireless by-pass links;
(n) telecommunication infrastructures such as broadband, satellite connectivity, radio
links, optic fiber, dark fiber, copper cables and all other related systems.
(2) The National Strategic Electronic Data Bank is to consist of -
(a) the Central Electronic Data Repository; and
(b) the National Cyber Security Centre; and
(c) the Joint Strategic Communication Command and Control Centre; and
(d) any other data server of a public body that uses the building referred to in
Subsection (3); and
(e) all associated core infrastructure pertaining to Paragraphs (a), (b) and (c).
(3) The National Strategic Electronic Data Bank is to be located in a building owned or
leased by the Department.
33. USE OF DIGITAL INFRASTRUCTURE
(1) All public bodies must use digital infrastructure that is consistent with the regulations,
standards and specifications made under this Act.
(2) The Head of Department must issue application programming interface standards for
different digital infrastructure levels, application level, network level and server level to
govern the flow of government electronic data.
(3) For the purpose of ensuring cost effectiveness and ICT readiness, the construction of any
public infrastructure, such as roads, ports, buildings and electrical cables, must give due
consideration to include digital infrastructure as part of the project design.
(4) The person designing or constructing any public infrastructure must -
(a) share with the Department all relevant ICT designs and ICT specifications; and
(b) provide to the Department all necessary and relevant assistance for installation of
digital infrastructure.
(5) The cost of the installation of any digital infrastructure is deemed to be part of the project
costs for a public infrastructure project and, despite any other law, the government must not
impose in relation to the digital infrastructure any regulatory fees or charges in addition to
those imposed in relation to the infrastructure project as a whole.
(6) If -
(a) a new road is intended to be constructed in a city or an urban town area, the person
constructing the road must give due consideration to install dark fiber along the
proposed road; and
(b) new electrical cables are intended to be constructed for electricity supply in a city
or an urban town area, the person constructing the electrical cables must give due
consideration to install dark fiber along the proposed electrical cables.
34. CRITICAL DIGITAL INFRASTRUCTURE
(1) “Critical digital infrastructure” is digital infrastructure operated and owned by the State
that is essential for the functioning of the government, the economy and the society as a whole.
(2) Critical digital infrastructure includes, but is not limited to, the following -
(a) the Government’s virtual and physical private network;
(b) the National Strategic Electronic Data Bank;
(c) the Central Electronic Data Repository;
(d) the Electronic Data Registry;
(e) the Government Private Network;
(f) the Government Cloud;
(g) the Government Secured Information Exchange Platform;
(h) Government Data Traffic Prioritization Algorithms.
(3) The Minister may in writing designate other digital infrastructure as critical digital
infrastructure.
(4) Critical digital infrastructure is under the control of the State through the Department.
(5) Critical digital infrastructure must not be installed, changed, reconstructed, replaced,
repurposed or removed unless the Minister directs in writing in accordance with a NEC
decision.
35. GOVERNMENT CLOUD
(1) The Department must establish a Government Cloud Infrastructure for virtual networks
connectivity of all public bodies.
(2) All virtual private networks of public bodies that use a cloud infrastructure must operate
within the Government Cloud.
(3) The Head of Department must notify the Public Service ICT Steering Committee of the
date on which the Government Cloud is established.
(4) All public bodies using public cloud space for virtual private network connectivity have
one year from the date of establishment of the Government Cloud as notified under
Subsection (3) to migrate their services into the Government Cloud.
(5) Subject to Subsection (4), if a person operates a government sanctioned virtual private
network outside of the Government Cloud, the person commits an offence and is liable on
conviction to -
(a) in the case of an offence by a natural person, a fine not exceeding K100,000.00
and imprisonment for a period not exceeding 5 years, or both; and
(b) in the case of an offence by a body corporate, a fine not exceeding K500,000.00.
(7) To avoid doubt, the imposition of a penalty under Subsection (5) in the case of an offence
by an officer of a public body, does not prevent disciplinary action being taken against the
officer.
Commented [IK8]: Can we use “a” instead of “the” since
there are several virtual private networks
Commented [IK9]: Subsection (2) is sufficient to cover
intent of deleted subsection (3)
36. GOVERNMENT PRIVATE NETWORK
(1) There is a Government Private Network that is part of digital infrastructure and it consists
of -
(a) one or more data centres; and
(b) physical and virtual networks connectivity operated by the Department or a public
body approved by the Department.
(2) For the purpose of ensuring that the Government reduces costs and optimises the use of
digital infrastructure, all public bodies must use the Government Private Network or an
alternative network approved under Section 38.
(3) The Government Private Network is to -
(a) host the Central Electronic Data Repository; and
(b) host various types of shared services, including digital infrastructure and software
as services to enhance network connectivity and electronic data sharing amongst
public bodies; and
(c) be managed by the Department or a public body approved by the Department in
compliance with this Act and the regulations, standards and specifications made under
this Act.
37. DATA TRAFFIC PRIORITIZATION IF GOVERNMENT PRIVATE NETWORK
NOT AVAILABLE
(1) If the Government Private Network is not available to a public body, the Department may,
in consultation with a network operator providing network services to the public body,
deploy and operate data traffic prioritization network algorithms on the operator’s network.
(2) The purpose of operating data traffic prioritization network algorithms on an ICT network
is to -
(a) enable the classification of data traffic passing through the ICT network to deliver
quality of service for prioritized data traffic of a public body; and
(b) improve the quality of service provided to the public body by enabling
prioritization of data traffic during periods of network congestion and in areas where
the network infrastructure suppresses delivery of data; and
(c) improve the quality of service to the public body by shaping or constructing
efficient routing or data flows in the ICT network for digital service delivery; and
(d) improve other quality of services with respect to data flows within the ICT
network for the public body.
(3) In this Section, a “data traffic prioritization network algorithm” is a computer program
or computer instruction used to solve and manage data flows or efficient routing of data
traffic.
38. ALTERNATIVE NETWORKS TO THE GOVERNMENT PRIVATE NETWORK
(1) A public body that wishes to use an alternate network to the Government Private Network
must make a written request to the Department.
(2) On receipt of a request, the Department must refer the request to the Public Service ICT
Steering Committee for consideration and the Committee must advise the Head of
Department.
(3) The Head of Department, subject to conditions specified by him or her, must on
recommendations of the Public Service ICT Steering Committee, reject or approve the
request in Subsection (2).
(4) The decision of the Head of Department is final.
(5) However, nothing in this Section prevents or limits a person from applying to a court to
seek judicial review of a decision of the Head of Department.
(6) A private network of a public body in operation immediately before the commencement
of this Act, is, on that commencement, deemed by the Department to be an approved private
network, unless -
(a) the Head of Department acting on the advice of the Public Service ICT Steering
Committee considers the private network does not comply with this Act; and
(b) the Head of Department issues, within 30 days after the day the Department first
considers the private network non-compliant under paragraph (a), a written directive
to the public body hosting the network to comply with this Act.
39. REDUNDANCY REQUIREMENTS FOR GOVERNMENT PRIVATE NETWORK
(1) In addition to the main data centre for the Government Private Network, the Department
must have at minimum two other data centres, physical or virtual, to facilitate redundancies
for the Government Private Network.
(2) Each of the additional data centres must have -
(a) a daily synchronization with the main data centre in the Government Private
Network; and
(b) the full protection of the National Cyber Security Centre firewall; and
(c) a transmitter connecting the centre to the main data centre in the Government
Private Network.
40. LOCALISING CLOUD INFRASTRUCTURE FOR GOVERNMENT PRIVATE
NETWORK.
(1) The Department must investigate the means of building a Government Private Cloud
Infrastructure as part of the Government Private Network for data governance and delivery of
digital services.
(2) Subject to an NEC decision, the investigations are to include -
(a) approval for the investigation for hosting a Government Private Cloud
Infrastructure; and
(b) specification of the time period to commence investigation to recommend the
feasibility of the proposal; and
(c) allocation of funding support to commence the investigation.
(3) The electronic data of public bodies must be stored and secured on systems and servers in
the Private Government Cloud Infrastructure within one year, or such longer period as is
determined by the Head of Department, after the date the Private Government Cloud
Infrastructure is commissioned by the Department as fully functional.
(4) Subject to Subsection (5), the Private Government Cloud Infrastructure is to be located in
Papua New Guinea.
(5) A public body may store its electronic data on a server outside of Papua New Guinea if -
(a) it will contribute to the efficient functioning of the public body; and
(b) the Department has given its written approval to the public body for storage
outside of Papua New Guinea.
41. NATIONAL STRATEGIC ELECTRONIC DATA BANK DESIGN
(1) The National Strategic Electronic Data Bank must have digitally high security systems of
international standards acceptable to the Department.
(2) Entry and exit access to the National Strategic Electronic Data Bank must be
authenticated by at least 3 digital security systems, but not exceeding 5 security checkpoints.
(3) The Head of Department must in writing prescribe security standards, specifications and
rules for entry and exit access of the National Strategic Electronic Data Bank.
(4) The Department must initiate the design of the National Strategic Electronic Data Bank
and approve the final digital security architectural design.
(5) The design of the National Strategic Electronic Data Bank is classified at the level of
‘restricted top secret’ and is accessible only by persons authorised by the Head of
Department.
(6) The Department must provide general oversight on the capital financing and construction
of the National Strategic Electronic Data Bank.
(7) A person must not conduct other business in the National Strategic Electronic Data Bank,
unless the Head of Department gives his or her written approval.
42. CENTRAL ELECTRONIC DATA REPOSITORY
(1) The Central Electronic Data Repository for all public bodies is established and is to be
managed by the Department.
(2) The purpose of the Central Electronic Data Repository is to be the official storage server
to backup electronic data of public bodies and provide safety against potential unforeseen
events that may cause data loss to public bodies.
(3) The Central Electronic Data Repository consists of -
(a) a physical data repository in the data centre referred to in Section 39; and
(b) other virtual data repositories;
that are synchronised and operating as one data storage server for compulsory backup or
redundant data storage for all public bodies.
(4) The Central Electronic Data Repository must -
(a) contain the following servers -
(i) an active operational software and hardware server;
(ii) a storage software and hardware server;
(iii) a system processing software and hardware server; and
(b) provide the full protection of the National Cyber Security Centre firewall.
(5) A public body that stores its data by an electronic means in its own in-house server or
through the use of a system must also have its electronic data backed up and managed in the
Central Electronic Data Repository as a redundancy.
(6) The Department must endeavour to have two separate replicas of the Central Electronic
Data Repository and each replica is to be located in a different province.
(7) Each replica site of the Central Electronic Data Repository must have -
(a) a daily synchronization with the main Central Electronic Data Repository; and
(b) the full protection of the National Cyber Security Centre firewall; and
(c) a transmitter connecting the sites to the main Central Electronic Data Repository in
the National Strategic Electronic Data Bank.
(8) A public body must comply with the electronic data management, regulations, standards
and specifications made under this Act.
43. ACCESS TO CENTRAL ELECTRONIC DATA REPOSITORY
(1) For the purpose of this Section, access to the Central Electronic Data Repository is access
to different sections of the physical and virtual database servers and consists of -
(a) physical access to the National Strategic Electronic Data Bank; and
(b) physical access to the holding vault of the main Central Electronic Data
Repository; and
(c) physical and virtual access to the active operating system of the Central Electronic
Data Repository.
(2) A person must not access any electronic data stored as backup in the Central Electronic
Data Repository, unless -
(a) the public body that first collected, generated, stored and secured the electronic
data, by a written notice to the Department, grants written permission; and
(b) in the case of personal data of an individual, in addition to written permission
under Paragraph (a), the individual has given his or her written consent.
(3) The written permission referred to in Paragraph (2)(a) must specify -
(a) the reasons for granting access; and
(b) the type of electronic data that will be accessed or shared; and
(c) the time period allowed for the electronic data access; and
(d) the applicable standards to be observed; and
(e) all other criteria that the person requesting access needs to observe.
(4) If access to electronic data is granted under Subsection (2) to a person, the electronic data
must be made available only to that person and the public body granting the permission.
(5) If electronic data stored in the Central Electronic Data Repository is classified under
Subsection 57(2) as restricted top secret data or confidential data, the Head of Department
may prescribe additional requirements for access to such data and restrictions on how that
data may be used.
(6) Physical access to the Central Electronic Data Repository by any person must comply
with security standards, specifications and rules made under this Act.
(7) If a person suffers loss or damages directly as a result of a contravention of this
Section, the person has a civil right of action for relief.
(8) To avoid doubt, nothing in this Section prevents or limits an individual from accessing his
or her personal data stored in the Central Electronic Data Repository if he or she has obtained
written permission from the public body under Paragraph (2)(a).
44. SECURED INFORMATION EXCHANGE PLATFORM
(1) For the purpose of public bodies providing digital services and making digital services
accessible, the Department is responsible for providing digital identity verification and
authentication services through a digital verification and authentication exchange platform.
(2) For the purposes of Subsection (1), the Department must -
(a) develop, operate and maintain a digital verification and authentication exchange
platform to facilitate use of digital identity providers; or
(b) supervise and contract out digital identity verification and authentication services
to a person qualified to provide such services.
(3) Closed APIs and, if appropriate in the circumstances, hybrid APIs must be used to
facilitate data exchange for digital identity verification and authentication services.
(4) The digital verification and authentication exchange platform must comply with
regulations, standards and specifications made under this Act.
45. PHYSICAL SECURITY SURVEILLANCE AND MONITORING USING
DIGITAL TECHNOLOGY
(1) Without prejudice to any other law, if a person uses or proposes to use digital
infrastructure or ICT to provide static, aerial or underwater physical security surveillance and
monitoring services to the premises or property of a public body, the person must
comply with the standards and specifications made under this Act.
(2) A person providing services referred to in Subsection (1) to a public body must, upon
request by the public body, make available to the public body data in electronic form
collected by the person under that Subsection.
(3) The Department or body responsible for national security matters may, on reasonable
suspicion of a digital security breach, request -
(a) a person providing services referred to in Subsection (1) to a public body; or
(b) the public body to which such services are provided,
to provide access to electronic data collected.
(4) The person or public body to which a request is made must, as soon as practicable,
comply with the request.
(5) For the purposes of Subsection (1), physical security surveillance and monitoring services
using digital infrastructure or ICT includes the following -
(a) static and mobile cameras;
(b) aerial drones;
(c) underwater drones;
(d) geographical positioning hardware and software;
(e) all other ICT instruments, equipment and apparatus capable of being used to
conduct physical area security surveillance to collect electronic data.
(6) The Department must back up digital electronic data made available under Subsection (4)
in the Central Electronic Data Repository.
PART V - DIGITAL SERVICES AND RELATED MATTERS
46. DIGITAL SERVICES
(1) “Digital services” are internet enabled services that are delivered and accessed using
digital infrastructure.
(2) Public bodies may provide digital services through all or any of the following internet and
shared services -
(a) online applications;
(b) online registrations;
(c) online reporting;
(d) online monitoring and evaluation;
(e) online payments;
(f) renewals;
(g) any other services delivered or accessed using the Internet or a system.
47. PROVISION OF DIGITAL SERVICES AND MAKING DIGITAL SERVICES
ACCESSIBLE
(1) Despite any other law, if a public body is required to provide a service, the public body
may provide the service, and make the service accessible, as a digital service and deal with
any data, information or documents relating to the service in electronic form.
(2) The Department may consult with public bodies before regulations, standards,
specifications and guidelines are made under this Act for providing digital services or making
digital services accessible.
(3) A public body in providing a digital service or making a digital service accessible must
comply with this Act and the regulations, standards and specifications made under this Act.
(4) A public body in providing digital services or making digital services accessible must -
(a) use one or more appropriate systems; and
(b) use open APIs, closed APIs or hybrid APIs appropriate in the
circumstances; and
(c) ensure its business processes enhance digital services; and
(d) ensure availability of digital services that are reliable, open and
interoperable; and
(e) use appropriate channels, documentation and languages, both spoken
and sign, and use audible instructions if necessary; and
(f) ensure accessibility to people with disabilities and people with limited
access to electronic services; and
(g) ensure audio and video formats are captioned for people with
disabilities; and
(h) ensure adequate system support for all users; and
(i) maintain and promote integrated, interoperable and transparent and
accountable systems; and
(j) ensure a business process that facilitates revenue generation and is
automated and integrated with electronic payment systems.
(5) A public body may provide a digital service or make a digital service accessible in one or
more of the following forms -
(a) word document soft copy form;
(b) photographic image that is accurately described in the alternative text of a
document, website, or other online or electronic location and provided in a soft copy
form;
(c) digital audio or video form that is captioned and accessible to people with
disabilities;
(d) any other electronic form or expression easily accessible by people with
disabilities;
(e) any other sign, signal or expression in soft copy.
48. DIGITAL SERVICES FOR EXPANDING FINANCIAL INCLUSION
(1) The Department must collaborate with licensed financial institutions, businesses and other
stakeholders to expand opportunities that will -
(a) provide access to digital financial services, including for people with disabilities;
and
(b) enable the expansion of financial inclusion in Papua New Guinea.
(2) Without limiting any other law -
(a) digital financial services must be provided using safe and secure programming
interface technology, APIs, eKYC and blockchain consistent with standards approved
by the Central Bank of Papua New Guinea; and
(b) closed APIs and, in appropriate cases, hybrid APIs must be used to provide
confidential financial transaction services for the purposes of digital financial
services; and
(c) open APIs must not be used for the provision of digital financial services.
(3) Digital financial services include the following -
(a) digital banking;
(b) online loan applications;
(c) online bill payments;
(d) electronic money transfers;
(e) mobile payments;
(f) e-wallet;
(g) electronic insurance applications;
(h) online company and business name registration;
(i) online tax returns;
(j) other online financial services.
(4) The Department must, in consultation with the Central Bank of Papua New Guinea,
develop a Digital Financial Inclusion Service Code of Practice Rules to guide the working
relationship between the Department and licensed financial institutions, businesses and other
stakeholders for the provision of digital financial services.
(5) In this Section, “eKYC” means electronic-know-your-customer software application used
by a person carrying on a business of providing digital financial services to enable effective
online transactions.
49. NATIONAL E-GOVERNMENT ONLINE PORTAL
(1) The National e-Government Online Portal is established.
(2) The Department is responsible for designing, developing, operating and maintaining a
central ‘one-stop-shop’ platform for public bodies to deliver digital services through the
National e-Government Online Portal.
(3) The National e-Government Online Portal must -
(a) facilitate a centralized approach and provide seamless access to all digital services;
and
(b) facilitate sharing of data amongst public bodies’ systems to deliver digital services
in an effective manner; and
(c) provide shared digital services to public bodies; and
(d) maintain a secured information exchange system as a shared digital service.
50. OPEN DATA
(1) “Open data” refers to data that any person can access, use and share.
(2) The Department must create a place on the National e-Government Online Portal to host
open data and ensure that open data is stored in easily readable formats and is publicly
accessible consistent with the government’s open data principles.
(3) The Department must develop -
(a) a whole of government approach to the generation, collection, processing, storage,
usage and sharing of open data; and
(b) in consultation with public bodies, the government’s open data principles setting
out a series of practices to guide public bodies on how to leverage the value of open
data across whole of government.
(4) In developing the government’s open data principles, the Department is to have regard to
the following -
(a) make non-sensitive data open by default to contribute to greater innovation and
productivity improvements across all sectors of the economy;
(b) where possible, make data available with free, easy to use, high quality and
reliable application programming interfaces;
(c) make high-value data available for use by the public, industry and academia, in a
manner that is enduring and frequently updated using high quality standards;
(d) where possible, ensure non-sensitive publicly funded research data is made open
for use and reuse;
(e) only charge for specialised data services;
(f) build partnerships with the public, private and research sectors to build collective
expertise and to find new ways to leverage open data for social and economic benefit;
(g) securely share data between public bodies to improve efficiencies, and inform
policy development and decision-making;
(h) engage openly with local and provincial governments to share and integrate data
to inform matters of importance to each jurisdiction and at the national level;
(i) uphold the highest standards of security and privacy for individuals, national
security and commercial confidentiality;
(j) ensure all new systems support discoverability, interoperability, data and
information accessibility and cost-effective access to facilitate access to data.
(5) Public bodies in making open data accessible must have regard to the following -
(a) data is to be easily discoverable and available;
(b) data is to be in a machine-readable, spatially-enabled format;
(c) public bodies are to use high quality, easy to use and freely available API access;
(d) data is to contain descriptive information about what is included in the data;
(e) data is to be kept up to date in an automated way.
(6) The Head of Department may make regulations, standards and specifications relating to
open data for the purposes of this Act.
(7) Public bodies in generating, collecting, processing, storing, using and sharing open data
must comply with the regulations, standards and specifications made under this Act.
51. SHARED SERVICES
(1) For the purpose of public bodies providing digital services and making digital services
accessible, shared services managed by the Department or any public body may consist of -
(a) shared services from the cloud infrastructure; or
(b) shared services from any digital infrastructure; or
(c) shared services amongst one or more departments or public bodies.
(2) For the purpose of Subsection (1), shared services from -
(a) cloud infrastructure are digital services from one web hosting server used to host
multiple clients with multiple websites or web applications; and
(b) digital infrastructure are ICT support skill resources and physical digital
infrastructure resources.
(3) A public body hosting and using shared services is responsible for its local digital
infrastructure within the government cloud infrastructure.
(4) The Department must focus on core shared services that include digital infrastructure
managed and controlled through ICT support resources of the Department.
(5) The Head of Department may in writing declare a digital infrastructure to be a shared
service for all public bodies.
(6) Upon declaration of a shared service, all public bodies must be given a reasonable
timeframe determined by the Department to commence use of the shared service.
(7) Before the declaration of a shared service, the Department may undertake an assessment
to ensure the proposed shared service -
(a) enables public bodies to focus on their core duties; and
(b) achieves lower cost and economies of scale; and
(c) improves user experience; and
(d) reduces technology footprint, maintenance and security vulnerability; and
(e) addresses legacy system issues; and
(f) satisfies other criteria determined by the Department.
(8) A public body must not develop, maintain or use any service that is determined by the
Department to be -
(a) standalone to a declared shared service; or
(b) a duplicate of, or similar to, a declared shared service.
(9) Shared services must comply with the regulations, standards, specifications and Code of
Practice Rules made under this Act.
52. GOVERNMENT DOMAIN
(1) The government domain is a domain name ending in .gov.pg.
(2) The Department is to provide policy oversight and may manage the government domain
ending in .gov.pg.
(3) All public bodies must use the government domain ending in .gov.pg for official
purposes.
(4) The Department may outsource the registration and management of government domain
names to a person qualified to manage domain name services.
(5) The Department must establish a register of government domain names of public bodies
and keep it up to date.
53. GOVERNMENT EMAILS AND WEBSITES
(1) A public body must use the government domain ending in .gov.pg -
(a) as the public body’s email domain and any such email is an official email of the
public body; and
(b) as the public body’s website domain and any such website is an official website of
the public body.
(2) If, on the commencement of this Act, a public body does not have a website, the public
body must publish online its website or websites within 2 years after the commencement of
this Act.
(3) If a public body uses -
(a) an email domain that is not the government domain ending in .gov.pg, any such
email is not an official email of the public body; and
(b) a website domain that is not the government domain ending in .gov.pg, any such
website is not an official website of the public body;
unless the head of the public body approves otherwise.
(4) The Department is to regulate the websites of public bodies through standards, guidelines
and specifications made under this Act.
(5) An official website of a public body must -
(a) comply with the standards and specifications made under this Act; and
(b) contain functional links of other relevant public bodies located on a place
approved by the Department on the website; and
(c) use text format approved by the Department; and
(d) contain correct information about the organizational structure of the public body;
and
(e) ensure access to the webpage is mobile device friendly; and
(f) be certified by the Department or by a person specialising in the field of digital
accessibility, recommended by the Department; and
(g) ensure videos or multimedia files uploaded and available on the website are
captioned and accessible to people with disabilities; and
(h) include information for public consumption on the organization, structure, mission
and legal mandate of the public body; and
(i) contain links to information about -
(i) the public body’s strategic plan and annual performance plan; and
(ii) its privacy policy page; and
(iii) its point of contact; and
(iv) its open data; and
(j) be easy to navigate to obtain relevant information.
(6) Digital content and products that are developed, maintained or owned by a public body
must be accessible on an official website of the public body, and may include all or any of the
following -
(a) digital services;
(b) sector specific guidance that aligns with a government policy intent linked to user
needs;
(c) policies and consultation documents for good governance;
(d) published guides on laws and regulations;
(e) information on government services;
(f) information on business opportunities;
(g) awareness-raising campaigns and templates.
(7) The Department must physically or virtually remove from the Internet a public body’s
website that does not comply with this Section.
(8) Before taking action under Subsection (7), the Department must give the public body at
least 60 days to rectify the website.
(9) If a person in his or her official capacity for or on behalf of a public body uses an email
address that does not end with the government domain ending in .gov.pg, the person commits
an offence and is liable on conviction to a fine not exceeding K10,000.00 and imprisonment
for a period not exceeding 12 months, or both.
(10) To avoid doubt, the imposition of a penalty under Subsection (9) in the case of an
offence by an officer of, or other person working for, a public body, does not prevent
disciplinary action being taken against the officer or other person.
(11) If the head of a public body fails to comply with Subsection (2), disciplinary action must
be taken against the head of the public body.
(12) In the event it is practically impossible to use government email domain by a public
body to communicate government business, a written permission must be issued by the
Department:
(a) specifying the period the non-government email domain is to be used; and
(b) the email domain name to be used.
54. GOVERNMENT SOCIAL MEDIA ACCOUNTS
(1) If a public body intends to use a social media account, the public body must advise the
Department of the account details, including the reasons the public body is using the account
and the proposed time period for its use.
(2) The Department is to regulate the social media accounts of public bodies through
standards, guidelines and specifications made under this Act.
(3) The Department must facilitate the coordination, standardization and streamlining of
official government information disseminated on the social media accounts of public bodies.
(4) Content published on social media accounts of public bodies is deemed to be official
government information and must be digitally archived.
(5) The Department must establish a register of social media accounts of public bodies and
keep it up to date.
(6) The Department must physically or virtually remove from the Internet any social media
account of a public body that does not comply with any of the standards or specifications
made under this Act.
(7) Before taking action under Subsection (6), the Department must give the public body 90
days to rectify the social media account.
(8) If, immediately before the commencement of this Act, a public body is using a social
media account, the public body must advise the Department of the details of the account.
55. REDUCTION OF PAPER DOCUMENTS
Public bodies must -
(a) endeavour to reduce the paper documents that they have acquired, prepared,
circulated or preserved by digitizing their work processes; and
(b) make necessary efforts to reduce reliance on the use of paper documents by
sharing administrative information amongst public bodies through the use of systems
and shared services; and
(c) aim to reduce public expenditure on the use of paper documents.
PART VI – ELECTRONIC DATA
56. ELECTRONIC DATA GOVERNANCE ACROSS GOVERNMENT
(1) The Department is responsible for electronic data governance across government by -
(a) building capacity for the implementation of electronic data governance measures
across government; and
(b) providing oversight on electronic data infrastructure, such as data registry, data
lakes, APIs, cloud based solutions and other infrastructure related to electronic data
governance; and
(c) managing electronic data architecture, including interoperability, integration,
reference data, schematics and relationship; and
(d) managing data-value cycles; and
(e) monitoring and evaluating the generation, collection, processing, storage, use and
sharing of electronic data by public bodies; and
(f) making regulations, standards, specifications and guidelines under this Act for
electronic data governance.
(2) For the purpose of electronic data governance across government, the Head of
Department must, by written instrument, classify electronic data as -
(a) restricted top secret data if the unauthorized disclosure, alteration or destruction of
the data could result in a significant level of risk to the government; or
(b) confidential data if the unauthorized disclosure, alteration or destruction of the
data could result in a moderate level of risk to the government; or
(c) public data if the unauthorized disclosure, alteration or destruction of the data
could result in little or no risk to the government.
(3) A public body must apply the data classifications made under Subsection (2) to any
electronic data that it generates, collects, processes, stores, uses or shares.
(4) The Head of Department must make standards prescribing security controls to be applied
by public bodies for safeguarding electronic data against unauthorised disclosure,
modification or destruction having regard to the classifications of data made under
Subsection (2).
(5) A standard made for the purposes of public electronic data governance under this Act is
not a Papua New Guinea Standard of Measurement in respect of a commodity, practice,
process or product under the National Institute of Standards and Industrial Technology Act
1993.
Commented [IK10]: Would this subsection be seen as
repetitive of Subsection 1(f). If so we delete it if not we leave
it as it is.
57. PUBLIC BODIES AND ELECTRONIC DATA GOVERNANCE
(1) Despite any other law, a public body must generate, collect, process, store, use and share
electronic data in accordance with the requirements of this Act and the regulations, standards
and specifications made under this Act.
(2) Subject to Subsection (5), a person must not access any electronic data stored by a public
body, unless -
(a) the public body storing the data grants written permission; and
(b) in the case of personal data of an individual, in addition to written permission
under Paragraph (a), the individual has given his or her written consent.
(3) If access to electronic data is granted under Subsection (2) to a person, the electronic data
must be made available only to that person.
(4) If electronic data stored by a public body is classified under Subsection 56(2) as restricted
top secret data or confidential data, the Head of Department may prescribe additional
requirements for access to such data and restrictions on how the data may be used.
(5) To avoid doubt, nothing in this Section prevents or limits an individual from accessing his
or her personal data stored by a public body if he or she has obtained written permission from
the public body under Paragraph (2)(a).
58. DATA TO BE COLLECTED AND STORED IN ELECTRONIC FORM
(1) A public body may -
(a) collect data in electronic form; and
(b) store data in its system at the first point of electronic data collection.
(2) On and after a date declared in writing by the Head of Department, a public body, in
discharging its functions, must, at the first point of collection of data, ensure that the data is
collected and stored in electronic form.
(3) Electronic data collection and storage may be undertaken by utilizing all or any of the
following -
(a) computer devices;
(b) other electronic devices;
(c) digital voice recorders;
(d) digital video recorders;
(e) translation of signs, symbols or signals into words by interpreter devices or an
interpreter;
(f) digital photo cameras;
(g) digital instruments, apparatus, devices or equipment in substitution for words.
(4) The Department is responsible for the oversight of electronic data collection and storage
by public bodies, including when a public body converts any data collected in non-electronic
form into electronic form.
(5) Without prejudice to any other law, the Head of Department may authorize or direct a
public body or a person engaged by a public body under a contract to collect and store
specific electronic data for a particular purpose.
(6) An authorization or directive commences on the day it is issued and ends on the day
specified in the authorization or directive.
59. ELECTRONIC DATA OWNERSHIP
(1) All electronic data stored as backup in the Central Electronic Data Repository is the
property of the State.
(2) To avoid doubt, Subsection (1) extends to electronic data that is collected and stored by a
person under a contract with a public body.
(3) A person under Subsection (2) who receives a written request by a public body and fails to
make available electronic data collected and stored commits an offence.
60. ELECTRONIC DATA INTEGRATION
(1) A public body must comply with the standards for electronic data integration made under
this Act.
(2) Subject to Subsection (3), the electronic data integration standards must -
(a) prescribe matters relating to the use of open APIs, closed APIs and hybrid APIs by
public bodies to share electronic data for service delivery, including APIs that are-
(i) machine readable;
(ii) publicly accessible;
(iii) stable and scalable;
(iv) available to other public bodies;
(v) able to function on different platforms using multiple languages; and
Commented [IK11]: Can we insert an offending Section
here and perhaps insert penalty as well.
(b) comply with the National Cyber Security Policy and Guidelines developed by the
Department in consultation with NICTA and other relevant public bodies.
(3) The APIs used by a public body must -
(a) be properly documented with sample code and sufficient information for
developers to make use of, if appropriate; and
(b) if appropriate, have their life-cycle made available by the public body owning it;
and
(c) be backward compatible with at least two earlier versions; and
(d) comply with national security policies, laws, guidelines and specifications; and
(e) enable a public body, if appropriate, to use an authentication mechanism to enable
service interoperability on a single sign-on system; and
(f) promote easy and transparent integration and interoperability of electronic data;
and
(g) promote safe and reliable sharing of electronic data and information to enable
delivery of digital services; and
(h) encourage and enable innovation; and
(i) promote open standards of software interoperability across public bodies; and
(j) ensure easy access of information collected by public bodies.
(4) A public body using one or more systems must make available to the Department the
specifications of the APIs used by the public body to deliver digital services.
(5) The Department must establish a register of APIs used by public bodies and keep it up to
date.
61. ELECTRONIC DATA MANAGEMENT
(1) A public body must comply with the standards for electronic data management
(2) The Department must establish the Electronic Data Register to record the types of
electronic data collected, stored and shared by public bodies, and keep the register up to date.
(3) To avoid doubt, the Electronic Data Register may be used for cataloguing electronic data
collected, stored and shared by public bodies.
62. ELECTRONIC DATA SHARING
(1) A public body must comply with the standards for electronic data sharing made under this
Act.
(2) When sharing electronic data, a public body must take the necessary precautions to ensure
that the sharing of the data will be done in a secured manner without causing data privacy
violations or leaving the data open to being hacked.
(3) For the purposes of facilitating data sharing across government, the Department must
establish and manage a data sharing and exchange data centre.
63. ELECTRONIC DATA IN PROVINCES AND DISTRICTS
(1) The Department must for the purposes of electronic data governance and the delivery of
digital services in provinces and districts discharge its functions as a public body mandated
by Section 106 of the Organic Law on Provincial Governments and Local Level
Governments 1998.
(2) The Department must, in the discharge of its functions under this Act, work in
collaboration with any other public body mandated by law to deliver services in provinces
and districts with respect to the generation, collection, processing, storing, securing, using
and sharing of electronic data.
64. NEW CONTRACTS RELATING TO ELECTRONIC DATA
(1) This Section applies to a contract or agreement with a public body relating to the
generation, collection, processing, storage, security, use or sharing of electronic data if the
contract or agreement is entered into on or after the commencement of this Act.
(2) Electronic data under a contract or agreement to which this Section applies must be
generated, collected, processed, stored, secured, used or shared in accordance with this Act
and the regulations, standards and specifications made under this Act, despite any provisions
to the contrary in the contract or agreement.
PART VII – OFFENCES AND PENALTIES
65. OFFENCES
(1) A person commits an offence if the person intentionally, knowingly or recklessly, or
without lawful excuse or justification, or in excess of a lawful excuse or justification -
(a) discloses electronic data or electronic records accessed in the course of the
person’s employment or engagement with a public body; or
(b) accesses or downloads electronic data or electronic records from a public body’s
system or digital infrastructure; or
(c) accesses or downloads any unauthorized material by the use of a public body’s
system or digital infrastructure; or
(d) disseminates or transmits electronic data or electronic records of a public body
through unauthorized channels; or
(e) removes, destroys, alters or damages electronic data or electronic records of a
public body; or
(f) removes, destroys, alters or damages a public body’s digital infrastructure,
software or hardware, or a system.
(2) If a person is convicted of an offence, the person is liable on conviction -
(a) in the case of an offence under Paragraph (1)(a),(b),(c) or (d) -
(i) for a natural person, to a fine not exceeding K25,000.00 or imprisonment for a
period not exceeding 3 years, or both, and
(ii) for a body corporate, to a fine not exceeding K125,000.00; and
(b) in the case of an offence under Paragraph (1)(e) or (f) -
(i) for a natural person, to a fine not exceeding K100,000.00 or imprisonment for a
period not exceeding 10 years, or both; and
(ii) for a body corporate, to a fine not exceeding K500,000.00.
(3) To avoid doubt, the imposition of a penalty under this Section does not prevent -
(a) disciplinary action being taken against a natural person; or
(b) the cancellation or suspension of a body corporate’s operational licence, permit,
approval or certificate under any other law.
(4) If a person is convicted of an offence under this Section or an offence referred to in
Section 66, a court may, in addition to any penalties prescribed in this Act, order the person
convicted to pay to the State a sum equal to the cost of repairing any damage resulting from
the commission of the offence.
66. PENALTIES
If a person contravenes a provision of this Act, for which no specific penalty is provided, the
person commits an offence and is liable on conviction to -
(a) in the case of an offence by a natural person, a fine not exceeding K5,000.00; and
(b) in the case of an offence by a body corporate, a fine not exceeding K25,000.00.
PART VIII – MISCELLANEOUS
67. DELEGATION
(1) The Head of Department may delegate any of his or her powers or functions under this
Act to an officer of the Department.
(2) A delegation must be in writing signed by the Head of Department.
68. COMMITTEES
(1) The Department may form specialist committees to assist it in the performance of its
functions and prescribe their terms of reference.
(2) A committee is to regulate the conduct of proceedings at its meetings as it thinks fit.
69. IMMUNITY
A person engaged in the administration or enforcement of this Act is not personally liable for
anything done or omitted to be done in good faith in the performance or exercise, or
purported performance or exercise, of a function or power under this Act.
70. PENALTIES NOT TO AFFECT OTHER LIABILITIES
The penalties that may be imposed under this Act are in addition to and not in derogation of
any liability in respect of the payment of compensation or penalties for breach of licence or
permit conditions or other laws and regulations relating to ICT.
71. REGULATIONS
(1) The Head of State, acting on advice of the Minister, may make regulations prescribing
matters -
(a) required or permitted by this Act to be prescribed by the regulations; or
(b) necessary or convenient to be prescribed for carrying out or giving effect to this
Act.
(2) Without limiting Subsection (1), the regulations may prescribe matters relating to all or
any of the following -
(a) digital government infrastructure integration;
(b) digital government infrastructure interoperability;
(c) websites of public bodies;
(d) social media platforms of public bodies;
(e) internet services of public bodies;
(f) digital infrastructure;
(g) critical digital infrastructure;
(h) digital services;
(i) government ICT infrastructure projects;
(j) cyber security of public bodies;
(k) government communication command and control centres;
(l) measures to protect the generation, collection, processing, storage and usage of
electronic data by public bodies;
(m) measures to protect the security of personal data of individuals that is generated,
collected, processed, stored, used and shared electronically by public bodies;
(n) measures to protect the privacy of personal data of individuals that is generated,
collected, processed, stored, used and shared electronically by public bodies;
(o) fees and charges for services provided;
(p) smart contracts;
(q) penalties for offences against the regulations not exceeding a fine of K2,000.
(3) The regulations may make provision in relation to a matter by applying, adopting or
incorporating any matter contained in an instrument or other writing as in force or existing
from time to time.
72. STANDARDS, SPECIFICATIONS, GUIDELINES AND FORMS
(1) The Head of Department may make standards, specifications and guidelines for the
purposes of this Act.
(2) The standards, specifications and guidelines may make provision in relation to a matter by
applying, adopting or incorporating any matter contained in an instrument or other writing as
in force or existing from time to time.
(3) The standards and specifications are subordinate legislative instruments.
(4) A guideline is an instrument of an advisory nature and is not mandatory.
(5) The Head of Department may prescribe forms for the purposes of this Act.
73. CODE OF PRACTICE RULES
(1) The Department may, after consultation with the Public Service ICT Steering Committee,
develop Code of Practice Rules to govern interagency working relationships amongst public
bodies for the purposes of digital government, critical digital infrastructure and public digital
services.
(2) The Code of Practice Rules take effect on the date certified by the Minister.
(3) The Code of Practice Rules is a subordinate legislative instrument.
74. CERTAIN EXISTING ICT CONTRACTS
(1) This Section applies to a contract or agreement relating to conducting ICT business with a
public body if the contract or agreement was in force immediately before the commencement
of this Act.
(2) A person conducting ICT business with a public body under a contract or agreement to
which this Section applies has 2 years from the commencement of this Act to ensure the
services provided to the public body under the contract or agreement comply with this Act
and the regulations, standards and specifications made under this Act.
(3) A contract or agreement to which this Section applies is null and void and unenforceable
if Subsection (2) is not complied with.
(4) If data, information or a document -
(a) is collected by a public body under a contract or agreement to which this Section
applies; and
(b) on and after the commencement of this Act, is inputted into an electronic database
system owned and operated by another party to the contract or agreement,
the data, information or document remains the property of the contracting public body and
the State, despite any provisions to the contrary in the contract or agreement.
(5) On and after the commencement of this Act, if -
(a) information is paid for by a public body under a contract or agreement to which
this Section applies; and
(b) payment in full is made under the contract or agreement by the public body; and
(c) the source code of the information is necessary for the public body to access
services,
the source code must be made available to the public body when payment is made in full.
(6) On and after the commencement of this Act, if a contract or agreement to which this
Section applies is declared null and void and unenforceable by a court, any electronic data
stored, generated or secured under the contract or agreement by a person other than the
contracting public body must be returned to the public body, despite any provisions to the
contrary in the contract or agreement.
(7) A court must take judicial notice of the following -
(a) an unenforceable contract or agreement referred to in Subsection (3);
(b) the State must not under that contract or agreement -
(i) compensate any person for any damage, other than compensation on fair
market value for work done; or
(ii) enforce any rights or obligations in breach of this Act.