Storing, using, sharing data

Assess data sensitivity

Understand the nature of the data you're dealing with to apply the right processes to the way you store, use and share it.

Identify whether you will collect, or if your service generates, personal or health information. You will need to comply with privacy legislation and principles.

Be aware that the data you're collecting could become personal or health information if combined with other data. This could result in individuals being identified. Strict legislative requirements exist around personal and health information.

Use the 'Five Safes' (an international risk management model) to ensure you protect sensitive data so it's used by or shared with trusted stakeholders for approved purposes. See Appendix E of the Internet of Things Policy Guidance

Classify and label for use

You need to align the level of security for your data and information storage with its information classification.

Most official data will not need increased security. However, personal, health or otherwise sensitive information needs increased protection.

Using data

Only use the data for the purpose for which you collected it. Once you collect it (personal or de-identified) you have obligations on the way you hold and allow access to it.

Sharing and releasing data

Data.NSW provides guidance and advice on sharing data with government agencies and the general public.

Before you share data, you must:

make it safe to do so
make sure data you share is transferred securely.

For example, removing personal identifiers or suppressing individual records or data elements. Determine if you need a formal agreement to share your data such as a memorandum of understanding.

If the data doesn't contain personal or sensitive information, you may release it as open data on Data.NSW.

Choose a secure storage method

You need to decide on suitable storage of data that you generate or collect. You should do this throughthe design and management of your product or service.

Storage options include on premises, government data centres, and in the cloud. Fog or edge computing may also be used.

See the Cloud Policy and Cloud Guidance for information on preparation, contracting and management. See also the Australian Cyber Security Centre's Cloud Computing Security Considerations .

The storage you choose will depend on your data requirements. Consider things like:

how soon you need the data or insights (for example, real-time)
type of data (for example, video)
level of connectivity
level of security required.

Remember that if you're collecting and storing personal and health information you need to apply extra protections to keep it secure.

Use access controls to authenticate and authorise individuals to access the information they can see and use. This will help to manage risk and keep your data secure.

For more information on risk management controls and data handling requirements