Keeping information safe

Smart places collect information with a clear purpose, manage it responsibly and use insights appropriately.

Customers are better able to trust smart places when they can see the benefits that can be generated through information and have a voice to shape what is captured and how it is treated. Data collected by smart places must be managed lawfully and according to its level of sensitivity. Anyone involved in collecting smart places data must understand legal obligations and be transparent about and accountable for what is collected, how it is managed, used, stored, secured and disposed of, and who has access. Cyber security measures are an important part of keeping information safe.

What this principle will achieve

  • Information is collected lawfully, with customer consent, and only to provide clear insights or to drive benefits.
  • Customers understand how data is used and know who to contact to report issues or make enquiries about collection and use of data from smart technology.
  • Insights from smart places factor in potential discrimination bias so the needs of all in the community are considered in decision making.
  • Smart places data is proactively managed to address evolving risks, including cyber security and the potential for de-personalised information to become individually identifiable (unless permitted by law).

How to follow this principle

The NSW Government has developed the Smart Places Data Protection Policy which brings together legislation and policies relevant to the full lifecycle of smart places data and information. It upholds best practice from related policies and relevant laws, including the NSW Privacy and Personal Information Protection Act 1998. NSW Government agencies involved in smart place initiatives will adhere to the Smart Places Data Protection Policy. Organisations embedding the Customer Charter in their own strategies, policies and programs should aspire to a similar level of best practice.

Those relying on data from smart places should also consider how insights are formed to support decision-making. This means acknowledging the potential discrimination and bias in algorithms and insights generated from data and recognising that the needs of some minority groups may not be represented in trends or averages.

Data protection measures should take care to respect First Nations cultural practices and Indigenous Cultural and Intellectual Property (First Nations peoples’ rights to their heritage and culture) which is not always covered by copyright laws. Information security and ethical considerations should be part of any third party agreements.

Resources

Resources to support organisations in implementing this principle:

NSW Data Protection Policy
Information and Privacy Commission NSW Information protection principles
Privacy impact assessments
NSW Internet of Things Policy Guidance
NSW Smart Infrastructure Policy
NSW Artificial Intelligence Ethics Policy
NSW Cyber Security Policy
NSW Cyber Security Strategy