Minimum you need to do
Assess the level of risk of the data you collect or that your service generates, to appropriately store, use and share it
Assess data sensitivity
Understand the nature of the data you’re dealing with to apply the right processes to the way you store, use and share it.
Identify whether you will collect, or if your service generates, personal or health information. You will need to comply with privacy legislation and principles.
Be aware that the data you’re collecting could become personal or health information if combined with other data. This could result in individuals being identified. Strict legislative requirements exist around personal and health information.
Use the ‘Five Safes’ (an international risk management model) to ensure you protect sensitive data so it’s used by or shared with trusted stakeholders for approved purposes. See Appendix E of the Internet of Things Policy Guidance
Classify and label for use
You need to align the level of security for your data and information storage with its information classification.
See the Information Classification, Labeling and Handling Guidelines to determine the sensitivity of the data and apply appropriate protections.
Most official data will not need increased security. However, personal, health or otherwise sensitive information needs increased protection.
Only use the data for the purpose for which you collected it. Once you collect it (personal or de-identified) you have obligations on the way you hold and allow access to it.
Sharing and releasing data
Data.NSW provides guidance and advice on sharing data with government agencies and the general public.
Before you share data, you must:
For example, removing personal identifiers or suppressing individual records or data elements. Determine if you need a formal agreement to share your data such as a memorandum of understanding.
If the data doesn’t contain personal or sensitive information, you may release it as open data on Data.NSW.
Choose a secure storage method
You need to decide on suitable storage of data that you generate or collect. You should do this throughthe design and management of your product or service.
Storage options include on premises, government data centres, and in the cloud. Fog or edge computing may also be used.
See the Cloud Policy and Cloud Guidance for information on preparation, contracting and management. See also the Australian Cyber Security Centre’s Cloud Computing Security Considerations.
The storage you choose will depend on your data requirements. Consider things like:
- how soon you need the data or insights (for example, real-time)
- type of data (for example, video)
- level of connectivity
- level of security required.
Remember that if you’re collecting and storing personal and health information you need to apply extra protections to keep it secure.
Use access controls to authenticate and authorise individuals to access the information they can see and use. This will help to manage risk and keep your data secure.
For information on risk management controls and data handling requirements, see:
How to show you've met the need
You will have:
assessed and classified the level of risk or sensitivity of the data you collect, or your service generates
applied appropriate protections to sensitive and personal data in line with your agency’s policy or the NSW Government Information Classification, Handling and Labeling Guidelines
used the data for the purpose you collected it (as outlined in your data needs and requirements assessment)
applied safeguards to your data before sharing and releasing it
used an appropriate storage method for your data and information in proportion to the level of risk. Documented any security risks with your storage method and how you will mitigate them.