Procurement plays a central role in the successful delivery of infrastructure projects, and it is critical to clearly address data requirements in contracts with service providers. Contracts need to address the matters outlined in this section as well as any other relevant policies, including the Cloud Policy and the Smart Infrastructure Policy.
What good looks like
- Clarity on data governance for infrastructure projects – particularly data sharing arrangements;
- Faster, more consistent tender preparation;
- Less complexity and improved tender responses (more due diligence);
- Informed tender assessment; and
- Smooth project start-up.
How to achieve good practice
- Develop an agreed commercial and legal framework for infrastructure data;
- Develop a standardised approach with template documents;
- Establish scalable, integrated procurement processes fully integrated with existing NSW Government assurance frameworks;
- Utilise guidance and technical support for infrastructure data procurement; and
- Utilise expertise to support project initiation.
Data handling
Infrastructure systems often need multiple service providers to provide hardware, software, and connectivity. Health checks should be conducted at key stages of the lifecycle. Agencies need to require service providers to perform due diligence and identify all parties involved in developing and delivering these products and services. This due diligence includes following applicable NSW Government policies including the Asset Management Policy (TPP 19-07). The applicable policies and frameworks may vary for each project and so it is important to identify the required assurance processes such as the Infrastructure Investor Assurance Framework (IIAF) and ICT Assurance Framework.
The majority of infrastructure data that agencies manage relates to management of existing infrastructure assets. This data will be required not for investment decision making, but to support decisions on how best to maintain the existing agency asset portfolio. Service providers must be transparent about their data handling and storage practices so that there is full visibility of all parties who have access to the data generated by service providers across all phases of the asset lifecycle.
Data ownership and rights
This section should be considered in conjunction with Section 7.4 for data privacy and security as restrictions on the usage of data are intertwined with ownership.
When developing an infrastructure system, agencies should determine whether data is owned by a vendor and, if so, in what circumstances. This determination should include an assessment of the sensitivity of the data. For projects where a vendor owns data, agencies should ensure their contract enables them to have reasonable control over government data contributed as part of a project. Agencies should define data governance requirements in contractual approaches and stipulate their requirements for what data is being collected, where it is stored, who can access it, at what granularity and for what purpose.
In circumstances where the service provider owns the data, agencies should identify whether the service provider is entitled to sell data contributed by the agency to a third party, and understand any contractual rights to see, use and monetise this data. If this use is unacceptable, agencies should look for other service providers who have data policies that allocate ownership, use and reuse rights to the purchaser. Refer to NSW Crown Copyright policy for more information.
Organisations that provide infrastructure often have direct legal responsibilities to customers or users affected by the operation of the infrastructure, even if the use of the infrastructure is by other entities (such as third-party service providers). The rights and responsibilities of each entity within a data ecosystem need to be clearly stipulated in the contract. Contracts should specify who the data controller is and create appropriate restrictions, controls and safeguards as to the roles and responsibilities of the other entities. Information access rights in relation to infrastructure data assets, especially where government agencies are contracting with third party service providers, are covered by section 121 of the GIPA Act and agencies are reminded to consider this provision when entering into outsourcing arrangements.
As infrastructure assets often have multiple service providers managing the asset across the full lifecycle, it is critical that custodianship of the data is agreed to and clearly documented in associated metadata. This is a negotiation process between project partners and needs to be flexible and adaptable as new asset data is generated.
The data custodian holds overall accountability and responsibility for the dataset and is responsible for ensuring the collection or creation of data complies with legislative and policy requirements. The data custodian ensures that appropriate privacy, security and data quality protections are built in from the outset of the asset lifecycle. Further information on custodianship is available in the Data and Information Custodianship Policy.
Key considerations in relation to data custodianship are:
- Data sovereignty, including the need to provide appropriate protections under Australian law to maintain the rights of the Data Custodian to access, protect and maintain the security of the data, and the inclusion of appropriate measures to ensure notification of data breaches.
- Data custodianship should also be incorporated into contract arrangements to ensure data remains available for the life of the infrastructure. Contracts should specify who the data owner is, and create appropriate restrictions, controls and safeguards as to the roles and responsibilities of other entities. Other uses and users of the data should also be considered, and access arrangements across the data spectrum (from closed data to data that is shared in limited circumstances to publicly open) need to be established in line with agency data governance.
- Agencies should consider the value of data as an asset at all times, including the value of openly available data as a public asset. Creative Commons BY licensing (see Table 1) should be used for open data as per the NSW Open Data Policy.
- Intellectual property attribution in data and trained machine learning models may also need to be addressed in your contract arrangements. For more information, refer to the NSW Intellectual Property Management Framework.
Service providers should fully comply with all data management and ownership requirements of the Cloud Policy or equivalent.
All contracts and design processes should make clear that exclusive rights to use of data generated by NSW Government agencies cannot be granted.
Where fair to affected individuals and reasonably practicable, data about public activities of citizens that government agencies cause or facilitate to be generated should be treated as a public asset and made available as open data as widely as possible, for example NSW public transport patronage data. Further advice is available in the NSW Open Data Policy.
A new dataset may be generated as part of an infrastructure initiative that is a combination of data from several sources. It is very important to define ‘ownership’ (through rights of control to the exclusion of others) of data sources and confirm this is clear to all parties so that respective rights of use of new datasets are clear and understood by all parties.
The creation of new datasets should consider all business perspectives, including technical, financial, commercial, and whole of life requirements (e.g. type of operational phase data) to inform what type of data needs to be procured.
Note that rights and obligations under NSW privacy laws (where personal and/or health information is involved), the GIPA Act, as well as the State Records Act apply to new datasets.
Data retention and destruction obligations
All government data held by a service provider should be contractually required to be returned to government (in a format specified by government) at the end of a contract, or when a service or relationship with a service provider is discontinued. The retention and destruction of data must be compliant with relevant legislation and policies including the State Records Act 1998.
Alternatively, evidence must be provided to government of data destruction if legal data retention requirements have been met and data destruction has been authorised. Contracts should make clear whether this also includes removing all data and artefacts, including knowledge, rules and machine learning models extracted from the data.
Data privacy and security
Contracts must ensure that no personal data can be used by service providers for a purpose other than what is specified in the contract. Service providers must limit their data collection to only the approved purposes agencies have specified.
Depending on the nature of the data collected and used, agencies may want to address monitoring and mitigation responsibilities for software and hardware vulnerabilities in their contract. If these vulnerabilities lead to data insecurity or privacy impacts, liabilities and responsibilities should be defined in the contract.
Refer to Section 7.4 Data Security for further information on specific requirements, including privacy by design, reporting requirements, the NSW Cyber Security Policy and information classification guidance.
Last updated 15 Jul 2024