MetroLab

Privacy and Other Data Governance Principles

06.20.23 | 9 min read

This is a section of the Model Data Governance Policy & Practice Guide for Cities and Counties. Learn more about the report and find the other sections here.

Section Notes

Purposes. This Section offers recommendations on privacy protection principles as well as other Data Governance core principles and discusses the role of resolutions in establishing such principles.

Prominent Challenges Addressed. The initial working group that led to the MetroLab Data Governance Task Force identified several categories of challenges and considerations relating to privacy protection and other principles for city or county Data Governance, including: 

Privacy Principles and Resolutions

“Rules are not necessarily sacred, principles are.”

– Franklin D. Roosevelt

Privacy is an essential component of Data Governance. It is the right that determines the protection of an individual’s information.[1] Depending on the level of data governance maturity and resources, there are three approaches to building in privacy as a key Data Governance pillar:

  1. Establishing privacy principles by way of resolution.
  2. Conducting privacy impact assessments.
  3. Establishing privacy policies.

Privacy Principles

While cities, counties and states use many rules and regulations, a common first step is to establish privacy principles, often by way of a resolution passed by the Jurisdiction’s governing body. Beginning in 2015, cities started publishing privacy principles to help establish trust with the community and to express a commitment to using data for good while seeking to avoid unintended consequences. Or, as Columbus, Ohio puts it, “the Data Privacy Plan starts with a statement of principles that illustrates Smart Columbus’ commitment to the ethical use of data.”

For a comparative look at (simplified/edited) city privacy principles, see the comparison below, grouped by city:

Portland, OR

  1. Transparency: information is managed and collected in a clearly described way, accurately, and shared in an accessible way.
  2. Data will be secured and protected throughout its lifecycle.
  3. Prioritization of the needs of marginalized communities regarding data and information management.
  4. Fair stewardship of data and information, with non-discriminatory protections and an understanding of the impacts of unintended consequences.
  5. Third parties working with city data must not expose confidential or private information.
  6. The City will create procedures for reviewing, sharing, assessing, and evaluating automated decision system tools around equity, fairness, transparency and accountability.
  7. All data must bring value to the City; the City will collect only the minimum amount of personal information needed to fulfill a well-defined purpose.

Kansas City, MO

  1. Kansas City values privacy and considers risks to the well-being of the public before collecting, using, or disclosing personal information.
  2. The City will only collect information that is needed to deliver city services, and the data will be kept only as long as legally required or valid for a business purpose.
  3. When appropriate, the City will disclose how personal data will be used and give the option to choose how it is used whenever possible.
  4. The City will restrict improper access to data, securing cyber systems and storage resources.
  5. Business partners and contracted vendors who collect or receive personal data must agree with city privacy requirements.
  6. Residents should have an effective and responsive mechanism for exercising privacy complaints. The City will receive, investigate, and respond to individuals’ complaints.

Columbus, OH

  1. Smart Columbus is as open to the public as it can be about how it collects personal data.
  2. Smart Columbus will notify individuals when it collects their information.
  3. Smart Columbus will use an individual’s information only for the purposes stated in the notice, and to which the individual consented.
  4. Smart Columbus projects will collect only the minimum amount of personal information that they need to accomplish their purpose.
  5. Smart Columbus will apply robust information security controls that take into account the sensitivity of project data and the risk to individuals that it poses if released.
  6. Smart Columbus will ensure that the data it releases on the Smart Columbus Data Portal does not contain information about identifiable individuals.
  7. Smart Columbus will institute the processes necessary to ensure that it follows and meets each of the above principles.

For examples from other Jurisdictions, see the Privacy Principles section of the Resources Library. 

While the language varies, there are consistent themes across city and county privacy principles. These themes include:

Key takeaway: Privacy principles are a way to establish a commitment to privacy values that will provide guidance and parameters as the Jurisdiction moves forward in developing its privacy practices. Use these central themes as a guiding list to consider and employ best practices for community engagement described in Section 5.

Privacy Impact Assessment

Another way to protect resident privacy is to build a privacy review into IT processes by conducting privacy impact assessments. The following language comes from the City of Seattle, WA:[3]

“A Privacy Impact Assessment (“PIA”) is a method for collecting and documenting detailed information collected in order to conduct an in-depth privacy review of a program or project. It asks questions about the collection, use, sharing, security and access controls for data that is gathered using a technology or program. It also requests information about policies, training and documentation that govern use of the technology. The PIA responses are used to determine privacy risks associated with a project and mitigations that may reduce some or all of those risks. In the interests of transparency about data collection and management, the City of Seattle has committed to publishing all PIAs on an outward facing website for public access.” 

The centralized IT department asks questions of the department seeking to procure the specific technology. Questions addressed in these assessments include some of the following:

Regularly asking departments to articulate these detailed aspects of technology and data use allows for a thorough analysis of privacy risks.

For other sources of guidance on Privacy Impact Assessments, see the Privacy Impact Assessments section of the Resources Library.

Privacy Protection Resolutions

In addition to privacy principles, Jurisdictions can consider resolutions that support privacy-forward processes. This includes: 

In addition to these processes, consider when additional notice should be given when Data is shared internally within a Jurisdiction. For example, if a parks department gives Data to a policy department, a new data use or a shift in resident expectations (one that wasn’t shared at the onset of data collection) has potentially occurred. Intentionality should be at the core of Data collection. Jurisdictions often fail to address the “why” of Data collection. Data minimization is key to protecting residents’ privacy rights; accordingly, being intentional about why and how resident Data is collected is of paramount importance. Municipalities should standardize Data collection requirements and the justification for them. In considering the recommendations offered in this Section 2 and in Section 3, one should be mindful that there are three conditions that justify data collection:

  1. Mandated by law. 
  2. Requirement imposed by an external funder of a program. 
  3. Required to ensure optimal allocation of resources.

In addition to considering a resolution, staff can develop internal core principles for a Jurisdiction’s leadership and staff to exercise appropriate care and diligence. Some suggested internal principles:

Other Data Governance Principles and Resolutions

“The basis of our governments being the opinion of the people, the very first object should be to keep that right; and were it left to me to decide whether we should have a government without newspapers, or newspapers without a government, I should not hesitate a moment to prefer the latter. But I should mean that every man should receive those papers and be capable of reading them.”

– Thomas Jefferson (Letter to Edward Carrington, January 1787)

As discussed in the Preamble to this Guide, in addition to protecting Data privacy, the Task Force embraces the use of Data by cities and counties to address complex challenges and improve government services. Moreover, as addressed in Section 5 of this Guide, local governments can and should engage the communities they serve in well-informed ways to collectively leverage properly available data for the public good. Accordingly, in addition to the Privacy Principles and Resolutions discussed in Subsection B. above, it is recommended that Jurisdictions consider adopting by resolution principles along the following lines:

The Task Force has identified various resources that support the value of a Jurisdiction adopting those two principles and that describe practices for implementing them; users of this Guide are encouraged to consider them. See the Open Data Policies section of the Resources Library.

In particular, we wish to highlight Washington DC’s data policy reflecting the intentional effort of using Data as a tool to improve services. 

From “Purpose” in the D.C. Data Policy:[9]

“3. The greatest value from the District’s investment in data can only be realized when enterprise datasets are freely shared among District agencies, with federal and regional governments, and with the public to the fullest extent consistent with safety, privacy, and security. ‘Shared’ means that enterprise datasets shall be:

  1. Open by default, meaning their existence will be publicly acknowledged, and further, if enterprise datasets are not shared, an explanation for restricting access will be publicly provided;
  2. Published online and made available to all at no cost;
  3. Discoverable and accessible;
  4. Documented;
  5. As complete as can be shared;
  6. Timely;
  7. Unencumbered by license restrictions; and
  8. Available in common, non-proprietary, machine-readable formats that promote analysis and reuse.

By so sharing, the District can:

  1. Improve the quality and lower the cost of government operations;
  2. Make government more open, transparent, and accountable;
  3. Enhance collaboration between public bodies, with partner organizations, and with the public; and
  4. Further economic development, social services, public safety, and education by making data available to work with and study.”
Notes

[1] See the definition of “Privacy” in the online version of Black’s Law Dictionary (2nd Ed.) at https://thelawdictionary.org/privacy/: “The right that determines the nonintervention of secret surveillance and the protection of an individual’s information.”

[2] Cf. NYC Guidelines for the Internet of Things at https://iot.cityofnewyork.us/privacy-and-transparency/ (Privacy + Transparency).

[3] Available at https://seattle.gov/tech/initiatives/privacy/privacy-reviews.

[4] Cf. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”), Paragraph 32, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC.

[5] Many commentators have suggested that consideration be given to the development of better approaches to meaningful informed consent to the capturing and use of personal data, i.e., beyond clicking “accept” to complex/dense descriptions in terms of use. Reviewers of this Guide are encouraged to post at the MetroLab Data Governance Website suggestions and references to resources pertinent to this challenge.

[6] Cf. Seattle Open Data Policy at https://www.seattle.gov/Documents/Departments/SeattleGovPortals/CityServices/OpenDataPolicyV1.pdf.

[7] Based on the “opting out” provisions in The California Consumer Privacy Act of 2018; see https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5

[8] Based in part on City of Charlotte, Open Data Policy, Jan. 1, 2015, at page 1, available through https://charlotte.maps.arcgis.com/home/item.html?id=7c88b8633b034ddcbbd6badb1b7076fe. See also NYC Guidelines for the Internet of Things at https://iot.cityofnewyork.us/privacy-and-transparency/ (Privacy + Transparency).

[9] See “D.C. Data Policy” at https://opendata.dc.gov/pages/data-policy#legalpolicy. Cf. KCMO Open Data Policy at Section 2-2132, stating: “(a) Whenever possible, technology shall be procured and efficient processes shall be used in a way that advances the policy of making public data and information open and available through the use of open data standards and formats. (b) To the extent prudent and practical, public data shall be published online and made freely available to all in a machine-readable open format, in both its raw and processed form, including a description of the source and quality of the data, all of which can be easily retrieved, downloaded, indexed, sorted, searched, analyzed and reused utilizing readily-available and free web search applications and software.”