Data security and privacy on nsw.gov.au
Learn how nsw.gov.au protects personal information and keeps data secure.
How we protect customer data
At the OneCX Program, protecting personal information is a key priority.
We use a security-by-design approach when building nsw.gov.au, and follow leading security and privacy frameworks to minimise risk.
Here are the key ways we safeguard data.
Security
Security is embedded in every step of the website's development.
We follow leading security frameworks that significantly reduce the likelihood of security incidents, helping to ensure a safe online environment.
We follow the NSW Cyber Security Policy, and complete regular penetration and Distributed Denial of Service (DDoS) testing.
Our SIEM (Security Information and Event Management) system monitors the website 24/7 for potential threats.
Our cloud infrastructure provides information protection, identity management, and risk and access controls.
We employ threat-protection protocols and secure architecture to help safeguard data.
Our dedicated security team uses health checks, alerts, and a suite of development and threat-protection tools to monitor the platform's security in real time.
This proactive approach helps us detect and mitigate potential threats early.
We provide ongoing support to government agencies to enhance their privacy and security practices across their services, ensuring alignment with the latest recommendations and standards.
We proactively upgrade the technology used on nsw.gov.au to help ensure our software is secure, in the interests of the user, the NSW Government and its agencies.
Privacy
Guiding principles
We manage personal information in line with the Privacy and Personal Information Protection Act 1998 (NSW).
The OneCX Program has robust procedures and processes in place to ensure personal information is handled in a way that's:
- Legal: We collect personal information only when it relates to an agency’s function and is necessary for that purpose.
- Direct: We collect information directly from the person unless authorised otherwise.
- Transparent: We tell people why we’re collecting their information and how we’ll use it.
- Relevant: We keep information accurate, complete, and up to date.
- Minimal: We collect only what’s needed.
- Limited: We use information only for the purpose it was collected.
- Secure: We keep information secure during storage and retention.
How we manage privacy
We conduct regular privacy impact assessments (PIAs) to identify and reduce risks when collecting personal information.
An independent PIA for nsw.gov.au is also carried out each year to confirm ongoing compliance and good practice.
All data is transferred and stored securely using encryption protocols.
Our systems comply with strict security standards, and personal information is never transmitted by email.
It’s strongly recommended that data be stored in Australia using a secure system approved for government use.
Every webform that collects personal information on nsw.gov.au must include a privacy collection notice.
This notice tells people why their information is being collected, how it will be used, and whether it will be shared.
What agencies need to do
To maintain our customers' privacy, agencies must:
- complete a PIA for each new or updated webform that collects personal information or may create privacy risk
- add a link to the PIA in Drupal
- not transmit personal information by email
- store all data securely – preferably in Australia
- include a link to the nsw.gov.au privacy statement explaining why personal information is collected and how it will be used.
Performance and monitoring
We're continuously improving the website's security, performance, and reliability through:
- regular stress and performance testing
- advanced analytics to optimise search and content quality
- ongoing monitoring to keep the site responsive, efficient, and secure.
About data management at nsw.gov.au
Driving insights
We collect anonymous information (not personal details) using tools like Google Analytics and Search Console, Hotjar, and Microsoft Power BI. We use this data to understand how people use the website and fix their pain points.
Working across government
We use connected systems such as SharePoint that let different government agencies safely share information. This helps us create the website based on what people really need.
Sharing data safely
When data needs to move between government services, we use secure technology (called APIs) that meets strict government and industry security standards.
Automating trending topics
We work with the Data Analytics Centre to analyse user comments and feedback. We also track popular content and automatically surface trending topics, making it easier for people to find relevant information quickly.