MetroLab

Data Integrity and Data Protection/Cybersecurity

06.20.23 | 9 min read

This is a section of the Model Data Governance Policy & Practice Guide for Cities and Counties. Learn more about the report and find the other sections here.

Section Notes

Purposes. Doing public good with Data requires that the Data is of sufficient quality/integrity, is properly accessible, and is stored safely. Recent cybersecurity incidents faced by city and county  governments very clearly highlight the importance of strong information security and privacy preserving practices when governments collect sensitive personal information.  This Section 3 offers recommendations regarding data quality/integrity and data protection and security standards and practices, as well as measures to lessen risks of damage from data breaches or cybersecurity attacks, in relation to intra- and inter-departmental data processing activities. Note: various levels of designated Data classifications require different and unique process considerations. Please refer to Section 1 for recommendations regarding Data classifications.

Prominent Challenges Addressed. The initial working group that led to the MetroLab Data Governance Task Force identified several scenarios, challenges, and considerations in connection with Data integrity, Data Protection, and cybersecurity, including:

• Adopting measures to promote sufficient “quality” of useable Data.
• “Data Minimization” (collecting only what’s needed).
• Being mindful of international rules/standards (e.g., the EU’s GDPR)
• Employing  approaches to risk assessment that keep pace with emerging technologies (e.g., on risks of “re-identification” through aggregation of multiple “anonymized” datasets) 
• Having clear policies and practices on storage and retention. 
• Establishing Data security and network security measures/standards/protocols.
• Utilizing processes/checklists for dealing with “incidents” and “breaches.”

Quality and Security Measures, Compliance, and Audit Mechanisms

Note: cybersecurity is a complex endeavor with several processes to consider. This section is a high-level overview, with auditing being a particularly key tool to ensure cybersecurity measures are in place.  

Data Quality and Integrity

“Data Quality” is critical to avoid garbage in garbage out. Once data is acquired, every data pipeline should go through a Data quality check. A Data quality check includes assessment of Data accuracy, validity, timeliness, and completeness. Jurisdictions  can set up review processes and steps to assess Data quality. Baseline Data assessment should include the following:

• Completeness – check for empty/null value or missing values.
• Uniqueness – check for duplicate values. 
• Accuracy – check for anomalies such as a string value in a numeric dataset or vice versa.
• Timeliness – check Data frequency (collected daily, weekly, monthly etc.) and ensure that it is  up to date.

As capacity allows, Jurisdictions can embed the baseline quality checks and other auxiliary tests in the acquisition process itself. Datasets that fail baseline assessment should trigger a warning to the Data owner and initiate a review and correction process.¹

“Data Integrity” goes beyond Data Quality which is primarily limited to checking for errors or anomalies in the dataset. Ensuring Data Integrity requires ensuring (to the best of your ability) that the Data is internally consistent and as free of bias as possible.²

Data Security Policy

The Jurisdiction should adopt a formal, written “Data Security Policy” for establishing and communicating  Data security requirements across all Jurisdictions departments and agencies. The Data Security Policy  should: 

• Classify all Data provided to, collected by, or derived by the Jurisdiction or its representatives. See Section 1.C for guidance on Data classification. 
• Establish separate criteria for access to and use, modification and  deletion,  reproduction, disclosure, and storage and retention of each classification of  Data. 
• Establish mechanisms for controlling and managing the access to and use,  modification and deletion, reproduction. disclosure, and storage and  retention of all Data according to its classification criteria. 
• Establish indicators and measurements to monitor compliance with the provisions of the Data Security Policy and detect unauthorized access and malicious use in  violation of the Data Security Policy.
• Require position-appropriate Data security training for (i) all Jurisdiction employees  and (ii) all personnel of Applicable Third  Parties who will be handling Sensitive Data.
• Maintain plans to remedy or mitigate violations of the Data Security Policy and plans to respond to system failures and breaches.³
• Require periodic audits of all Data Handling control and management mechanisms  to ensure compliance with the Data Security Policy. 
• Require periodic updates to the Data Security Policy to ensure alignment with all   applicable laws, regulations, and city/county objectives and plans. 

Data Handling Systems

All Data or data systems (hardware or software)used by the city or county, its representatives, and Applicable Third  Parties, or interconnected to the Jurisdiction’s network(henceforth referred to as a “Data Handling System”) shall provide mechanisms for compliance with the Jurisdiction’s  Data Security Policy.  Such mechanisms should include, without limitation, the following: 

a. All Data Handling Systems shall be subject to a security assessment and  tested for vulnerability to unauthorized access or use prior to deployment. These scans should be done on regular schedule as determined by the Chief Data Officer. If a  Data Handling System employs any means of credit card transactions or  interfaces with third party systems that employ such transactions, such Data Handling System shall comply with the provisions of industry standards such as the Criminal Justice Information Standard (CJIS) or the Payment Card  Industry (PCI) Data Security Standard.

b. The city/county shall take additional precautions with respect to all Internet-accessible  Data Handling Systems to safeguard against unauthorized information  access or manipulation by outside actors. The Chief Technology Officer (or other appropriate leader of security and/or Information Technology on a city-wide basis) shall from time  to time promulgate a series of tests using up-to-date federal standards for  information assurance to ascertain the security of all Data  Handling Systems against: 

• Unauthorized access to Data sources to access, alter, or erase Data. 
• Malicious use of any internet technology designed to deceive or give  misinformation to any users.
• Potential malware, malicious code, or hacking with the intent of compromising system integrity.
• Re-Identification of previously anonymous or De-Identified PII.⁴
• Any other foreseeable risks that utilize flaws in the design of web  applications or the implementation of the system to gain unauthorized  access or hinder legitimate use of the system. 
• All Data Handling Systems shall utilize design standards for encryption of  Sensitive Data and implement or mandate standards on all relevant components  of such systems. 

Compliance

A compliance approach is necessary by supporting a structured team or implementing a standard process. Working with IT department teams to ensure that those requirements are implemented, and documentation is maintained is critical. This is a significant amount of work. If capacity is restricted, consider whether this is internal or external compliance (i.e., holding vendors accountable to requirements and audit checks).  

The Jurisdiction’s Data Security Policy and Data Handling Systems shall comply with all applicable laws,  regulations and the Jurisdictions policies and practices. The city/county shall comply fully with applicable Public Disclosure Laws.⁵ Legal notices and copyrights shall be included for disclosure purposes. 

Security Audits

The city/county should conduct a periodic “Security Audit” at such intervals as are determined by the Controlling Authority and under the supervision of a recognized independent audit authority approved by the Controlling Authority.  The primary functions of the Security Audit are to evaluate all  Data Handling Systems  and other mechanisms in place to ensure compliance with the Data Security Policy, protect  information assets, and properly dispense information to authorized parties. Security Audits shall  include evaluation of each pertinent system’s internal design. Such evaluation must include, but  is not limited to, efficiency and security protocols, development processes, and governance or  oversight. Installing controls is necessary but not sufficient to provide adequate security. Security  Audits must include a report on the implementation of this Policy. The auditor must consider  whether the controls are installed as intended, if they are effective if any breach in security has  occurred and, if so, what actions can be taken to prevent future breaches. These inquiries must  be answered by independent and unbiased observers employed by the auditor performing the  task of information systems auditing. The following principles and actions should be among those  included in each Security Audit: 

• Ensure Timeliness through continuous inspection regarding potential susceptibility  to known weaknesses. 
• Provide Financial Context through transparency of private or commercial  development and funding for clarification. 
• Facilitate Scientific Referencing of Learning Perspectives by noting vulnerabilities  and innovative opportunities.
• Foster Literature-Inclusion by compiling a list of references in each audit report.
• Maintain Relevant User Manuals & Documentation by checking and updating manuals and technical documentations during the audit.
• Identify References to Innovations by testing with high priority applications that  allow both messaging to offline and online contacts, such as chat and email.
• Include, without limitation, the “Web Presence Audit” and “Network and  Communications Systems Audit” components described in the following two  subsections of this Section 3.B. 

Web Presence Audits

The extension of the Jurisdiction’s presence beyond its internally controlled Data Handling Systems, network, and management domain (e.g., the adoption of social media by the enterprise along with the proliferation of cloud-based tools such as social media management systems) requires the city/county  to incorporate Web Presence Audits into the Security Audit. The purposes of such Web Presence Audits are to ensure that the Jurisdiction and Applicable Third Parties are taking the necessary steps to: 

• Prevent the use of unauthorized tools. 
• Minimize damage to individual or entity reputation.
• Maintain regulatory compliance. 
• Prevent information leakage. 
• Minimize risks of harm from insufficient social media governance.
• Mitigate risks of harm from unanticipated or unintended consequences. 

Network and Communications Systems Audits⁶

The city/county should audit its network, including all interfaces and interconnections with third party  networks and infrastructure, and its communications systems, whether controlled internally or  purchased as a service, for compliance with the Jurisdiction’s Data Security Policy. The “Network and  Communications Systems Audit” should ensure that the Jurisdiction’s network and communication systems: 

• Adhere to stated policies adopted by the Jurisdiction.
• Maintain regulatory compliance.
• Follow policies designed to minimize the risk of hacking or phreaking.
• Prevent information leakage.
• Mitigate risks of harm from unanticipated or unintended consequences. 

For sample approaches to Data Security Policies, Data Handling Systems, cybersecurity, and  related policies and practice tools, see the resources linked in the Data Management and Cybersecurity sections of the Resources Library.

Special Provisions for Open Data Programs

With respect to all of its Open Data Programs, it is recommended that the Jurisdiction:⁷

1. Make Data it collects discoverable and accessible to the public only through Data platforms that adhere to its adopted Data Governance principles and comply with its policies on Data quality and Data Integrity and its Data Security Policy.
2. Assess the Datasets to publish as Open Data, in accordance with standards and procedures established from time-to-time by a Data Governance Oversight Committee of the type described in Section 5 of this Guide), to identify risks of harm to personal privacy or personal safety and take steps to mitigate such risks. 
3. Document the process for reviewing new Open Data requests, including who approves or denies the request and the rationale for the decision, and make the request, decision, and rationale available to the public.  
4. Perform an annual risk assessment of the Open Data Program and the content available to the public pursuant thereto and present such report to the Data Governance Oversight Committee for its review, comments, and recommendations as to efficacy and risk mitigation strategies.
5. Provide a public process to allow individuals to review and contest Data that concerns their own individual personal information, whether or not such information is PII.
6. Provide to the Data Governance Oversight Committee an annual “Open Data Program Plan” and annually report on the assessment of progress towards achievement of the goals described in the Open Data Program Plan for the previous year.
7. Include in its Open Data portal and any similar Jurisdiction-maintained mechanism for publishing Open Data appropriate Limitation of Liability Provisions.⁸
8. To the extent prudent the Jurisdiction should:
   • Publish high quality, public Data with documentation online.
   • Ensure publishable Data is in the public domain and can be easily retrieved.
   • Minimize limitations on disclosure of public information while safeguarding Sensitive Data.
   • Encourage innovative uses of publishable data by agencies, the public, and other partners.