These guidelines provide a framework to help government and our partners use connected devices and IoT technologies in a coordinated, consistent and responsible manner. They are intended to supplement – not replace – existing laws, rules, and regulations that apply to these systems. Special circumstances and concerns may also exist for IoT systems and/or data related to public safety, security and law enforcement.

These guidelines provide a framework to help government and our partners use connected devices and IoT technologies in a coordinated, consistent and responsible manner.
We define the Internet of Things (IoT) as any physical objects that are connected to the Internet to send and receive information. As such, IoT encompasses both the physical objects and the software systems that support them.
If you are looking to deploy an IoT solution in a public space (e.g. parks, public buildings, etc) or using City assets (e.g. City government funding, light poles, etc), these guidelines apply to you. Special circumstances and concerns may exist for IoT systems and/or data related to public safety, security and law enforcement.
These guidelines do not replace existing City policies and laws – they are intended to supplement and support them, and in many cases may reference these related policies and laws (e.g. open data laws) directly.
The New York City Mayor’s Office of Technology and Innovation, in coordination with the City of New York Technology Steering Committee, oversees the citywide implementation and broad enforcement of the IoT guidelines.  City agencies are responsible for implementing and enforcing the guidelines when deploying and managing IoT projects.
The Mayor’s Office of Technology and Innovation, in partnership with IDC, surveyed City agencies and governments, companies, and key stakeholder groups around the world to collect best practices.  Working with subject matter experts, the guidelines were condensed into the form presented here.
We will continue to collect feedback and publish updates on a semi-annual basis.
We welcome feedback from members of the public, subject matter experts, private sector and research partners, City agencies, and anyone who wishes to contribute to the guidelines.  We also encourage other cities, governments or groups to adopt and endorse these guidelines.


As used in the Infrastructure section, a “conduit” is a duct that provides a protected path for network cables.  These cables, like fiber optic cable, can be fragile and need to be protected from pressure, animals or water.  These cables are most often used to transmit data for Internet connections, phone and cable TV service, or electric power.
As referenced in the Data Management section, “metadata” describes and gives information about other data, making that data easier to find, use and work with. “Contextual metadata” is metadata that provides information about significant properties and characteristics of the data, such as the data’s accuracy and quality, or whether it is time-sensitive, and is important to include so that other people can correctly interpret a data set.
As mentioned in the Security section, an “established framework” is a widely used set of controls and rules that takes into account multiple, different regulations and standards and provides a basis for developing security protocols, such as ISO 27001.
As mentioned in the Data Management section, storing data in a “federated way” means that data may be stored in different locations, databases, and services, but that they can be viewed or accessed together via a portal of APIs
The “Internet of Things” (IoT) represents the idea of connecting devices to the Internet to send and receive information and using that information to make better decisions and provide new services. “Things” can include cell phones, wearable devices like Fitbits, sensors, coffee makers and almost any object with an on/off switch.  They can even be parts of machines, like the engine of a car or bus. They can send information about themselves, i.e. the engine needs a repair, or about the world around them, like air quality sensors which determine level of pollutants in the air.
As referenced throughout the guidelines, “deployment” is the process of setting up the Internet of Things to the point where it is live and functioning. This would include activating and installing devices, Internet connectivity, and any other hardware or software so information can being to be sent, received and used. A “deployment” also refers to a fully-installed system.
An IoT “device” is anything with an on/off switch and which is connected to the Internet to send and receive data.
An IoT system includes all parts of the IoT that enables collecting, analyzing and using information.  This includes the devices, hardware, Internet connectivity, software, people and services that generate and use the information
As used in the Operations section, systems that utilize “modular structure” are made of separate and distinct parts that can work together.  These components or parts may be provided by different companies but can link and work together or be replaced and upgraded as necessary without requiring the replacement of an entire system.
As referenced in the Operations and Data Management sections, “open standards” are written requirements for technical systems that are free and available for all to read and use.  The use of open standards, which are developed collaboratively, enables interoperability and data exchange and are used by many organizations.
Of greatest importance in the Privacy + Transparency and Security sections, “personally identifiable information” refers to information which can be used alone or when combined with other personal or identifying information to determine or trace an individual’s identity such as their name, social security number etc. Combinations of data that can be linked to a specific individual, such as date of birth, mother’s maiden name, may result in information being classified as PII even if alone it may not be considered PII.
As referenced in the InfrastructureSecurity, and Operations sections, a “public asset” is something owned by the city of New York, and as such, by the public. In talking about the IoT, most of the assets referenced are physical assets, like city-owned street lights, parking meters or buses. Other assets could be public parks or historic landmarks
As mentioned in the Infrastructure section, the City uses and has a preference for suppliers that use “sustainable device disposal procedures” – methods for the reuse, repair, recycling, and disposal of electronics so that negative environmental impacts are reduced
In the context of the Security and Privacy + Transparency sections, “unauthorized use and disclosure” refers to cases in which information has been accessed, used or shared in a way that is not approved or permitted or by persons who are not permitted to do so.


These guidelines are designed to continually evolve and improve over time — we welcome and appreciate all feedback. We also invite cities to join the effort by committing to our guiding principles for the responsible and equitable deployment of smart city technologies. Contact us to learn more.

Contact us