Procurement

Agencies should determine whether data is owned by a vendor, and if so, in what circumstances when developing an infrastructure system. This determination should include an assessment of the sensitivity of the data. For projects where a vendor owns data, agencies should ensure their contract enables them to have reasonable control over government data contributed as part of a project. Agencies should define data governance requirements in contractual approaches and stipulate their requirements for what data is being collected, where it is stored, who can access it, at what granularity and for what purpose.

In circumstances where the service provider owns the data, agencies should identify whether they are entitled to sell the data contributed by them to a third party, and understand any contractual rights to see, use and monetise this data. If this use is unacceptable, agencies should look for other service providers who have data policies that allocate ownership, use and reuse rights to the purchaser. Refer to NSW Crown Copyright policy for more information.

Organisations that provide infrastructure often have direct legal responsibilities to customers or users affected by the operation of the infrastructure, even if the use of the infrastructure is by other entities (such as third-party service providers). The rights and responsibilities of each entity within a data ecosystem need to be clearly stipulated in the contract. Contracts should specify who the data controller is and create appropriate restrictions, controls and safeguards as to the roles and responsibilities of the other entities. Information access rights in relation to infrastructure data assets, especially where government agencies are contracting with third party service providers, are covered by section 121 of the GIPA Act and agencies are reminded to consider this provision when entering into outsourcing arrangements.

As infrastructure assets often have multiple service providers managing the asset across the full lifecycle, it is critical that custodianship of the data is agreed to and clearly documented in associated metadata. This is a negotiation process between project partners and needs to be flexible and adaptable as new asset data is generated.

The data custodian holds overall accountability and responsibility for the dataset and is responsible for ensuring the collection or creation of data complies with legislative and policy requirements. The data custodian ensures that appropriate privacy, security and data quality protections are built in from the outset of the asset lifecycle. Further information on custodianship is available in the Data and Information Custodianship Policy.

Key considerations in relation to data custodianship are:

• Data sovereignty, including the need to provide appropriate protections under Australian law to maintain the rights of the Data Custodian to access, protect and maintain the security of the data, and the inclusion of appropriate measures to ensure notification of data breaches.
• Data custodianship should also be incorporated into contract arrangements to ensure data remains available for the life of the infrastructure. Contracts should specify who the data owner is, and create appropriate restrictions, controls and safeguards as to the roles and responsibilities of other entities. Other uses and users of the data should also be considered, and access arrangements across the data spectrum (from closed data to data that is shared in limited circumstances to publicly open) need to be established in line with agency data governance.
• Agencies should consider the value of data as an asset at all times, including the value of openly available data as a public asset. Creative Commons BY licensing (see Table 1) should be used for open data as per the NSW Open Data Policy.
• Intellectual property attribution in data and trained machine learning models may also need to be addressed in your contract arrangements. For more information, refer to the NSW Intellectual Property Management Framework.

Service providers should fully comply with all data management and ownership requirements of the Cloud Policy or equivalent.

All contracts and design processes should make clear that exclusive rights to use of data generated by NSW Government agencies cannot be granted.

Where fair to affected individuals and reasonably practicable, data about public activities of citizens that government agencies cause or facilitate to be generated should be treated as a public asset and made available as open data as widely as possible, for example NSW public transport patronage data. Further advice is available in the NSW Open Data Policy.

A new dataset may be generated as part of an infrastructure initiative that is a combination of data from several sources. It is very important to define ‘ownership’ (through rights of control to the exclusion of others) of data sources and confirm this is clear to all parties so that respective rights of use of new datasets are clear and understood by all parties.

The creation of new datasets should consider all business perspectives, including technical, financial, commercial, and whole of life requirements (e.g. type of operational phase data) to inform what type of data needs to be procured.

Note that rights and obligations under NSW privacy laws (where personal and/or health information is involved), the GIPA Act, as well as the State Records Act apply to new datasets.