MetroLab

The “Operationalizing How”: Oversight, Organization, Inter-Departmental Process, and Community Engagement

06.20.23 | 20 min read

This is a section of the Model Data Governance Policy & Practice Guide for Cities and Counties. Learn more about the report and find the other sections here.

Section Notes

Purposes. Data is an asset only if it is responsibly used to enhance the efficiency of cities and counties and improve residents’ quality of life. While protecting data from outside threats is a major concern in a Jurisdiction’s Data Governance, just as important is standardizing internal departmental procedures to safeguard data throughout its lifecycle. Such procedures should ensure data integrity, interoperability, accessibility, and security from the prying eyes of unauthorized individuals–even unauthorized individuals who work for a Jurisdiction department or agency.  

Prominent Challenges Addressed. The initial working group that led to the MetroLab Data Governance Task Force identified several categories of challenges and considerations in “operationalizing” city or county Data Governance, including: 

Some Threshold Considerations on Operationalizing Data Governance:

Roles and Responsibilities of Jurisdiction’s Primary Data Governance Personnel 

It is recommended that a city or county have a “Data Governance System” to provide consistently applied processes, with checks and balances, for managing all aspects of Data Handling by the Jurisdiction and Applicable Third Parties. The Jurisdiction should adopt, implement, and maintain mechanisms for oversight of its Data Handling System to ensure compliance with its Data Governance Principles and Data Security Policy, and consider including in its Data Governance System, in addition to any other components it deems appropriate, the interdependent roles, responsibilities and processes set forth in the following provisions of this Section 5. 

Chief Data Officer. The Controlling Authority should designate a Chief Data Officer to oversee all significant aspects of Data Handling and compliance with this Policy on a day-to-day basis,  and also  appoint an Open Data Programs Manager to oversee the implementation and management  of the Jurisdiction’s Open Data Programs and related policies and infrastructure.  In some municipalities, the duties and functions of the Chief Data Officer may be shared with a “Chief Information Officer” or other Jurisdiction employee responsible for overseeing data security and data integrity measures, or the same person may hold both positions. The roles and responsibilities of the Chief Data Officer should include, in addition to such other matters as the Controlling Authority may designate:2

  1. Managing the safeguarding of the Jurisdiction’s Sensitive Data. 
  2. Ensuring that the data and network security provisions described in Section 3, including, without limitation, the tests and audits described therein, are implemented. 
  3. Help Jurisdiction departments/agencies make better use of available Data. 
  4. Connect citizens with Jurisdiction Data to promote public benefits. 
  5. Maintaining and keeping up-to-date systems designed to ensure compliance with Privacy Laws, Public Disclosure Laws, and other applicable laws and regularly engaging with Jurisdiction Legal Counsel and Information Technology (IT) Staff in those efforts—including on matters of encryption, cybersecurity, and evolving best practices in view of the evolution of pertinent technologies. 
  6. Designating and training a Unit Data Steward for each Jurisdiction department and agency, with input from each such unit on such designation and training. 
  7. Coordinating with, as applicable, the “Chief Innovation Officer,” “Chief Information Officer”, and/or “Chief Technology Officer (as applicable with respect to matters relating to data security), the Open Data Programs Manager, and all Unit Data Stewards and creating systems and structures that promote teamwork and feedback loops to help reap the benefits of Data gathering and analytics in a manner consistent with the Jurisdiction’s Data Governance Principles,  and in accordance with consistently applied quality assurance, accountability, and ethical standards.3 Among other things, this coordination function should include attention to intra and inter-departmental data sharing (“Internal Data Sharing”). Data sharing with external parties such as vendors and educational institutions is addressed in Section 4 above. However, as part of data governance,  Internal Data Sharing can be equally challenging. External data sharing standards should be applicable to internal data sharing as well especially if the department is independent or quasi-independent such as the police department. Diligence regarding Internal Data Sharing before it occurs should include:
    • Reaching agreement on purposes for which the requested data can be used and making sure they are consistent with the Jurisdiction’s Data Governance Principles.
    • Ensuring that the requested Data use clearly demonstrates the benefits and value of data sharing. 
    • Committing to a retention duration and ensuring that Data is deleted post expiration of the retention period.
    • Agreeing on the degree of access the department personnel will have to the data. 
    • Determining whether there are special considerations to address when the Internal Data Sharing may involve particular types of governmental operations—such as city or county law enforcement, relationships with state or federal law enforcement (e.g., taxing or immigration law authorities), or public schools.    

Examples of approaches to Internal Data Sharing appear in several resources cited in the Resources Library. 4

Open Data Programs Manager. The Open Data Programs Manager – who in some Jurisdictions might be the same individual as the Chief Data Officer – would manage the Jurisdiction’s Open Data Program, and in performing that function:  

Unit Data Stewards. The Chief Data Officer will designate a Unit Data Steward for each  department and agency (each a “Unit”), in each case in consultation with  the Unit. A Unit Data Steward must be a Jurisdiction employee with other significant duties  within the applicable Unit or significant prior experience with the particular functions  and practices of that Unit. The responsibilities of a Unit Data Steward include: 

  1. Developing and maintaining a concrete understanding of:
    • the inner workings and outer relationships of the Unit regarding Data Handling;
    • the ability to recognize and classify Sensitive Data collected or generated by the Unit; and 
    • familiarity with the requirements of Privacy Laws and Public Disclosure Laws that may apply to the Unit’s Data Handling.  
  1. Updating the Chief Data Officer on new data availability, data issues, and system changes.
  2. Making recommendations to the Open Data Programs Manager as to what  Data collected or generated by the Unit the City should make available to  the public as Open Data.  
  3. Offering suggestions to other personnel in the Unit as to ways responsible and unbiased analysis of Data available to the Unit can improve the efficiency, quality, and positive impact of the work of the Unit. 

A general overview of the foregoing organizational structure follows (Source: Authors):

For other examples of Data Governance organizational structures adopted by Jurisdictions, see resources listed in the Data Management, Data Governance Policy, and Operationalization sections of the Resources Library.6

Comprehensive Oversight Model. 

This subsection provides an example of a comprehensive model for Data Governance oversight. It includes multiple layers and groups of staff and external stakeholders, including community members. Elements of these groups could be implemented in different ways depending on the Jurisdiction’s resources and organizational capacity. Subsection D. below provides additional recommendation on how to involve the community in the design, maintenance, accountability, and oversight of the Jurisdiction’s Data Governance System.  

Data Governance Oversight Committee

The Jurisdiction should create a “Data Governance Oversight Committee” comprised of the Chief Data Officer, the Chief Information Officer, and the Open  Data Programs Manager, Legal Counsel (e.g., a designated City Attorney), and the Community Advisory Body (CAB) “Convener” described in D.  below, and have the following authority, responsibilities, and general operating rules: 

  1. Act as an “executive committee,” chaired by the Chief Data Officer, in overseeing adherence to all significant elements of the Jurisdiction’s Data Governance mechanisms, including, without limitation, making  recommendations on matters that allow for optional means of compliance or expressly contemplate  discretionary actions. 
  2. Recommend (i) modifications to the Jurisdiction’s Data Governance System when the  Committee deems such modifications necessary to better adhere to the Jurisdiction’s Data Governance Principles or to respond to developments in technology or  other circumstances that necessitate such modifications to facilitate such adherence, and (ii) steps to clearly communicate such modifications to Jurisdiction personnel (including unit-level Data Stewards), to other participants in the Data Governance System, and to the public.  
  3. Review all Jurisdiction audit reports relating to Data Handling and make any recommendations to the Chief Data Officer deemed  appropriate based on such reports. 
  4. Periodically review the Jurisdiction’s training programs relating to Data Handling and      provide recommendations to the Chief Data Officer regarding such programs.
  5. Provide advisory input to the Chief Data Officer on other matters or decisions regarding Data Handling on which it is asked to provide such input by the Chief Data Officer or by the Community Advisory Board (CAB).  
  6.  In its work on significant Data Handling matters actively engage the CAB to  gather               informed and timely community input and channel it to the Committee, and then deliver such community input, together with any observations or  recommendations it makes based thereon to the Chief Data Officer. 
  7. Hold regular periodic meetings to facilitate performance of its functions and hold special meetings, whenever the Chief Data Officer or a majority of the Committee deems necessary or appropriate and develop other operational rules the  Committee deems appropriate to perform its functions in a manner consistent with  the Jurisdiction’s Data Governance Principles.

Community Advisory Board (CAB)7

The Jurisdiction should create a “Community Advisor Board (CAB)” consisting of a “Convener,” who shall be a non-voting ex officio member of such Board, and a reasonable number of regular Board members. The regular Board members should be or represent diverse community stakeholders. Accordingly, efforts should be made to  include as regular Board members representatives of: neighborhood  associations, educators from varied disciplines (including, among others,  human sciences such as ethics, philosophy, psychology, and sociology), the  business community, the technology community, and nonprofit  organizations that promote public health and safety, workforce  development, and equitable opportunities for well-being for vulnerable  populations such as disabled, aging, and low-income residents.  

Functions of the CAB

  1. The CAB’s primary function is to provide the Data Governance Oversight Committee with informed, timely, and diverse community input and recommendations on Jurisdiction Data Handling matters and decisions (i) on  which the Data Governance Oversight Committee requests such advisory  input and (ii) that the CAB determines should be brought to the attention of the Data Governance Oversight Committee.8 In performing its primary function, the CAB shall seek to
    • (i) advance adherence to the Jurisdiction’s Data Governance Principles, and
    • (ii) develop systems and methods for gathering,  memorializing, and reporting to the Data Governance Oversight Committee informed, timely and diverse community input and recommendations that are well designed and tailored for particular Data Handling matters and decisions it is addressing (i.e., not “one-size-fits-all”).
  2. The CAB should all also collaborate with the Community End User Testing Group described in subsection 5.D to facilitate diversity and timeliness in participation by  community stakeholders in that Group’s work.         
  3. The CAB should have regular meetings, at appropriate intervals determined by the Jurisdiction, as well as special meetings when called by the Convener (with  notice reasonable in the circumstances presented). The CAB shall fix its own  operating rules and procedures in a manner appropriate for its above-described functions.  

Designation and Functions of the Convener:

  1. Subject to 3. below, the Convener should be an individual designated by the Controlling Authority under such process and for such term of service as the Controlling Authority determines.9
  2. Subject to 3. below, the regular Board members should be individuals designated jointly by the Chief Data Officer and the Convener to serve for such term of service as is determined by the Controlling Authority.10
  3. In no event should any person be appointed as Convener or a regular Board member if such individual is (i) an employee of the City; (ii) a contractor  with the City; (iii) an owner, officer, employee, agent, or representative of  a for-profit business engaging or seeking to engage in a contract or other  commercial relationship with the City; or (iv) a spouse, parent, child, sibling  (including those related by marriage) or significant other of, or any person  who resides with, a person described in (i), (ii), or (iii). 
  4. The Convener should:  
    • Present an annual budget for the CAB to the Controlling Authority to secure resources needed for the CAB to operate.
    • Set the agenda for each CAB meeting, with input from the regular Board members.
    • Call special meetings of the CAB as and when needed.
    • Administer the conduct of all CAB meetings.
    • Manage the process of having the Board prepare and deliver reports its  input and recommendations to the Data Governance Oversight Committee.  
    • Serve on the Data Governance Oversight Committee and, in that  connection, monitor the extent to which the CAB’s input to that  Committee is taken into account in its work, and report to the regular CAB  members on the disposition of its input and recommendations. 
    • Prepare and deliver to the CAB and the Data Governance Oversight Committee an annual report summarizing the activities and impact of the  CAB for the reporting year. 

Civic End User Testing Group (CEUTG)11

The practice of having a “Civic End User Testing Group” can serve important purposes that relate to Data Governance but also advance a Jurisdiction’s public service objectives in the context of testing operations where “data” is not the primary focus.  In essence, such a group can bring a diversity of community perspectives to bear in the co-design of improvements to Jurisdiction systems with which community members interact. 

Under the direction of the Data Governance Oversight Committee, the Jurisdiction should create a Civic End User Testing Group (“CEUTG”). The CEUTG would provide feedback regarding the use and accessibility  of the Jurisdiction’s Open Data resources, websites, applications, and other citizen interfaces. 

  1. The CEUTG should be composed of community users possessing a variety of    technological  skill levels. The CEUTG will seek input from the Community Advisory Board (CAB) on  inclusiveness and diversity of community users. 
  2. The Jurisdiction would solicit participation in user testing through its existing websites and  applications or other means, with advisory input from the CAB, and in doing so may pose  eligibility questions to ensure participants represent a variety of skill levels. 
  3. The Jurisdiction might incentivize participation in the CEUTG testing by providing testers with  small monetary awards for completing applications and testing.12
  4. The CEUTG would report feedback from its user testing activities directly and  simultaneously to the Data Governance Oversight Committee and the CAB.

For other examples and practice tools regarding end-user testing as part of city or county Data Governance Systems, see resources listed in the Community Engagement and Resident Feedback section of the Resources Library

Community Engagement Needs and Methods.

Community participation in a city’s, or county’s Data Governance is essential for Data to become a community asset. Oftentimes, Data-related policymaking can be opaque or unaccountable to those experiencing the greatest risks of Data harms. There are important opportunities for communities to contribute to the design of Data Governance policies and practices, help hold organizations accountable, and improve communications. Creating spaces for communities to meaningfully contribute requires resources, time, and relationship building. These investments will improve Data Governance impacts and outcomes. A Community Advisory Board (CAB) as described in Subsection 5.C above would obviously be one key element of community engagement—one that we recommend can and should play role in supporting it—but the need for community engagement extends well beyond the oversight function of that body.

Engagement Planning

It is recommended that a Jurisdiction begin with proactive planning for any interaction or request of a community member’s time. Community members (and staff) have limited time and overlapping urgent priorities. Before designing an engagement, identify the goal and what can be provided to the participating community members in terms of how their input will be used and how the Jurisdiction will report back on the final impact of their participation. Depending on the identified goals of the community engagement, different forms of public participation may be necessary or useful:

The Jurisdiction might in this connection review Facilitating Power’s Spectrum of Community Engagement to Ownership or the International Association for Public Participation’s Spectrum of Public Participation for more details on different types of participation. Being explicit about the Jurisdiction’s Data Governance goals and how they relate to the ways community members interact with the Jurisdiction allows communities to know what to expect and how they can participate. 

Data Governance has many components. Information sharing events and materials may help prepare a variety of audiences to be able to sit at the same table for more collaborative engagements and involvement in the Jurisdiction’s Data Governance practices. Design presentations or materials with accessible language and examples that connect to community member’s daily lives or common interactions they have with the city or county. For example, community members are often required to share personally identifiable information (PII) when paying a bill or perhaps share anonymous demographic information about themselves when accessing a new service. Understanding how that Data is managed, who has access to it, and a clear reason for how and why you will use that Data are outcomes of Data Governance that will benefit community members. 

Data that the city or county is collecting or managing through its Data Governance System is often about and from communities. Community members are experts on their lived experiences. Knowledge and expertise of community members most susceptible to harm from Data are also required to disrupt existing harmful Data collection and analysis practices. By partnering with communities and leading with community driven needs, challenges, and strengths, the Jurisdiction may be able to prioritize where to focus Data Governance efforts if resources are limited. Here are several examples of Data Governance practices that would be served well by collaborative, co-design, or defer to styles of community engagement:

If throughout the development and implementation of Data Governance community engagement, the types of approaches utilized all fall on the informing or consulting end of the engagement spectrum, trust and partnership with communities may not be improved. It may require more staff time and resources to design interactions on the involve, collaborate, and defer to end of the spectrum, but the potential to thereby increase trust is also much greater. Note that there may be other aspects of existing Data Governance structures and/or leadership preventing meaningful contribution from communities. Identifying such impediments is necessary to find solutions or to communicate these limitations directly with community members.

Accountability

As Data Governance policies and practices are adopted, communities can play several roles for accountability. 

Section 5.C of this Guide details a comprehensive oversight model with a formalized Community Advisory Board and Civic End User Testing Group. This model requires that budgets available for the groups, stipends, and staff resources to adequately support the groups. Committee members in voluntary oversight or advisory bodies may quit if commitments are burdensome. To be effective, committee members need information and support. 

If a group is an advisory body, there needs to be clarity on who is ultimately the decision maker and how these decisions are made. This supports understanding of how information provided by committee members is or is not used. If a group is an oversight body, they need access to information about how implementation is going, where challenges are arising, and authority to make sure commitments are met. For example, a 2019 City of Portland Audit found that “if a government body commits to public oversight, it must work to ensure that participation is meaningful because ineffective participation can jeopardize public trust and waste resources and time.”

Accountability with communities may also be achieved through implementing other types of engagements. Accessible information sharing and meaningful education opportunities to create awareness about adopted Data Governance Principles and Data Governance practices are first steps. If these are implemented along with a clear contact at the organization, a community member or community-based organization can raise a flag if they see a practice being violated by staff. This places the burden on civic engagement and advocacy to flag but could be a minimum starting point. 

Community Involvement and Partnership

Community involvement and collaboration-style engagements can also be used for accountability touchpoints. This would require staff to prepare accessible report outs on implementation progress and what decision points communities can weigh in on to help assess the Jurisdiction’s Data Governance. Active involvement of communities in the design of Data Governance policies and practices allows communities to be able to identify if and how community needs they know were shared are being incorporated or not. 

One last model that could be incorporated into any of the above pieces is a community-government partnership model where community leaders are hired and paid as consultants. For example, the City of Portland Smart City PDX has implemented several iterations of this model documenting lessons learned from each year. Qualifications for community leaders can come from a range of experience including volunteering, organizing, or work. Below are examples of how Smart City PDX defines community leader excerpted from the 2021 Request for Qualifications: 

“As a Community Lead, you are eager to build inclusive technology and collaborative decision-making spaces through thoughtful partnerships between frontline communities and the Smart City PDX program. You are a connector – ready to think about how to link digital justice with the many priorities communities are already navigating. You are an organizer – ready to bring your community and their voices into the digital justice movement. Most of all, you are excited to work with a team of people who each have different skills, visions, and perspectives on what digital justice looks like.”

In this model, community leaders become a part of the Jurisdiction’s team to help design and implement new practices of centering community. These leaders have existing relationships with impacted communities. These positions help expand the team. They could be used to support a successful advisory committee body. Community leads can help design and implement engagement events that may bring new participants, beyond those who would attend events designed and led by staff alone. This same model could be achieved by contracts with community-based organizations to help build new relationships, expand involvement, and ultimately achieve data governance that serves your communities. 

For other examples of collaboration-style community involvement in the design of Data Governance policies and practices see resources listed in the Community Engagement and Resident Feedback section of the Resources Library.  

Liability Limitations, Governmental Immunity, and Cyber-Insurance

As indicated earlier in this Section 5, it is essential that a Jurisdiction’s Legal Counsel be regularly and closely involved in its Data Governance System and related oversight mechanisms. A city or county attorney’s roles should include, among other things, identifying potential risks of liability and recommending measures to help eliminate or mitigate the Jurisdiction’s exposure to liability associated with its Data Handling. 

Liability Limitation Measures

The Jurisdiction, with advice from its Legal Counsel, should in its Data Handling activities adopt and adhere to appropriate terms of use, disclaimers, exclusion of warranties, and other limitation of liability statements or provisions, monitor the effectiveness of such provisions, and seek to modify them when deemed necessary or appropriate based on experiences, technological developments, or other circumstances.  These types of provisions of course must take into account applicable laws and should seek to follow best practices.  Readers are encouraged to review relevant sections in resources listed in the Data Management, Open Data Policies, and Data Governance Policies sections of the Resources Library.  

Governmental Immunity and Cyber-Insurance.To the extent, if any, that the Jurisdiction’s Legal Counsel determines that “Governmental  Immunity” does or may not apply to any part(s) of the Jurisdiction’s Data Handling endeavors, or that it is otherwise desirable, the Jurisdiction might consider purchasing appropriate cyber-insurance for coverage related to loss or damage resulting from a Data hack/breach or spillage of Data.  Issues relating to whether or not a city or county has “Governmental Immunity” against liability for damages caused by Data hacks or breaches are quite complex, and can vary among Jurisdictions by reason of differences in state laws and other circumstances. A Jurisdiction should have its Legal Counsel explore them as well as the terms and implications of obtaining cyber-insurance.

For additional background in this connection, see relevant readings listed in the Additional Background Reading section of the Resources Library.  

1
For some examples of Data inventory and Data log approaches, see Data Policy Section V (Enterprises Dataset Inventory, Classification & Prioritization), Section VII (Data Catalogs—addressing both Open Data Catalog and Internal Data Catalog) and “Enterprise Dataset Inventory” and “Other Data Catalogs” parts of D.C. Data Policy at https://opendata.dc.gov/pages/edi-overview; and San Francisco Data Management Policy at 1.0 (Database and Data Inventories) at https://sf.gov/sites/default/files/2021-05/Data%20Policy_APPROVED%201.17.2019_0.pdf and San Francisco “Dataset inventory” at https://data.sfgov.org/City-Management-and-Ethics/Dataset-inventory/y8fp-fbf5.
2
Some elements of the following are based on the description of suggested roles for a government Chief Data Officer set forth on pages 3 and 4 (in Introduction by Sonal Shai and William D. Eggers) of The Chief Data Officer in Government: A CDO Playbook (Deloitte Insights – Beeck Center: Social Impact + Innovation at Georgetown University, 2018) available at https://www2.deloitte.com/content/dam/insights/us/articles/4577_CDO-playbook_DATA-act/CDO%20playbook.pdf.
3
Cf. San Francisco Data Management Policy at https://sf.gov/resource/2021/data-management-policy and Citywide Data Classification Standard at https://sf.gov/resource/2021/data-classification-standard (read together defining and addressing coordination among people in the positions of “Chief Data Officer”, “City Chief Information Officer”, Cybersecurity Officers and Liaisons”, “Privacy Officer”, “Data Coordinators”, “Data Stewards”, “Data Custodians”, and “Data Users”).
4
See, e.g., “Data Management Strategy Overview” section of City of Dallas Data Management Strategy 2019-2022 at https://dallascityhall.com/departments/ciservices/DCH%20Documents/Data-Management-Strategy.pdf#search=data%20privacy; and D.C. Data Policy at Section VIII (Streamlined Processes for Interagency Data Sharing) at https://opendata.dc.gov/pages/data-policy.
5
Cf. Section 2-2134 of the KCMO Open Data Policy at https://library.municode.com/mo/kansas_city/codes/code_of_ordinances?nodeId=PTIICOOR_CH2AD_ARTXVIOPDAPO.
6
For example, see City of Dallas, TX Data Governance Structure graphic in Figure DGS 1 at https://dallascityhall.com/departments/ciservices/DCH%20Documents/Data-Management-Strategy.pdf#search=data%20privacy.
7
The following description of the Community Advisory Board is based on an amalgamation of study of various advisory or similar boards created in Chicago, Kansas City, MO, San Francisco, Seattle, and other cities, interviews or other discussions with individuals involved in such initiatives, and observations made by students, faculty, government personnel, and various collaborators in the Draft Data Handling Policy project through several semesters of the interdisciplinary UMKC Law, Technology, and Public Policy course described in the Preamble to this Guide. A regional approach to the CAB might be efficient and appropriate in some regions—i.e., one independent body that could help gather and channel informed and timely input from multiple community stakeholders to Data Governance decision makers or a city or county advisory board in any city or county in the region.
8
Cf. Seattle Community Technology Board statement at https://www.seattle.gov/community-technology-advisory-board/what-we-do/committees (“Issues are referred by the Mayor and Councilmembers or come from community input.”).
9
The time commitment of the Convener would be substantial, and it is presumed compensation would be paid.
10
A question to consider here is whether the Board members could/would be unpaid volunteers. As reflected in Subsection 5.D below it is recommended that a Jurisdiction strongly consider paying community members involved in its Data Governance System for their associated time.
11
Cf. Chicago City Tech Collaborative Civic User Testing Group (CUTGroup) described at https://www.citytech.org/resident-engagement and KC Digital Drive, Code for KC, and Missouri Western University launch of Kansas City’s first civic UX testing group at https://www.kcdigitaldrive.org/article/get-your-community-websites-apps-tested-by-kcs-first-civic-ux-group/. “CUTGroups” have been organized in several other cities as well—see, e.g. https://datadrivendetroit.org/blog/2018/03/23/cutgroup/ (Detroit); https://medium.com/@seattle.cutgroup/establishing-a-seattle-civic-user-testing-group-48ea6ef58b86 (Seattle).
12
One of the ways the Chicago CUTGroup has engaged their community in its activities is by giving participating residents who test civic websites and apps gift cards. See https://irp-cdn.multiscreensite.com/9614ecbe/files/uploaded/TheCUTGroupBook.pdf at page 1.