MetroLab

Privacy and Other Data Governance Principles

06.20.23 | 9 min read

This is a section of the Model Data Governance Policy & Practice Guide for Cities and Counties. Learn more about the report and find the other sections here.

Section Notes

Purposes. This Section offers recommendations on privacy protection principles as well as other Data Governance core principles and discusses the role of resolutions in establishing such principles.

Prominent Challenges Addressed. The initial working group that led to the MetroLab Data Governance Task Force identified several categories of challenges and considerations relating to privacy protection and other principles for city or county Data Governance, including: 

• Ensuring focus on both constituent right to privacy and constituent right to data protection. 
• Mindfulness of both “consumer protection” principles traditionally associated with activities in for-profit commerce and the public service responsibilities of cities and counties.
• Staying up to date with requirements of the Freedom of Information Act (FOIA), public disclosure/open records and other transparency/disclosure laws and dealing with tensions between those and privacy laws and “preemption” issues.
• Being mindful of international rules/standards, such as the European Union’s General Data Protection Regulation (GDPR)
• The need to establishing clear equity and ethics principles and guidelines that can be operationalized and consistently applied.
• The value of embracing “Data minimization”—collecting only what’s needed.

Privacy Principles and Resolutions

“Rules are not necessarily sacred, principles are.”

– Franklin D. Roosevelt

Privacy is an essential component of Data Governance. It is the right that determines the protection of an individual’s information.¹ Depending on the level of data governance maturity and resources, there are three approaches to building in privacy as a key Data Governance pillar:

1.   Establishing privacy principles by way of resolution.
2. Conducting privacy impact assessments.
3. Establishing privacy policies.

Privacy Principles

While cities, counties and states use many rules and regulations, a common first step is to establish privacy principles, often by way of resolution passed by the Jurisdiction’s governing body. Beginning in 2015, cities started publishing privacy principles to help establish trust with the community and express a commitment to using data for good and seeking to avoid unintended consequences. Or, as Columbus, Ohio says it, “the Data Privacy Plan starts with a statement of principles that illustrates Smart Columbus’ commitment to the ethical use of data. 

For a comparative look at (simplified/edited) city privacy principles, please see the below table:

For examples from other Jurisdictions, see the Privacy Principles section of the Resources Library. 

While the language varies, there are consistent themes across city and county privacy principles. These themes include:

• Minimal and intentional collection of Data: the best form of Data protection is at the onset. 
• Transparency and notice: when possible, describe for what purpose the Data is being collected.²
• Equity: consider the collection of key demographic Data and the relationship to race and social justice efforts.
• Ethical and non-discriminatory use of Data: Data is used only for its intended and described purpose.
• Data openness: maintaining transparency on the type of data collected and when appropriate, publishing on open Data.
• Cyber security: ensure the protection of Data.
• Contracting with outside parties: consider privacy protections and transparency requirements for third parties.
• Ongoing accountability: put measures into place that allow for regular accountability.  

Key takeaway: Privacy principles are a way to establish a commitment to privacy values that will provide guidance and parameters as the Jurisdiction moves forward in developing its privacy practices. Use these central themes as a guiding list to consider and employ best practices for community engagement described in Section 5.

Privacy Impact Assessment

Another way to protect resident privacy is to build a privacy review into IT processes by conducting  privacy impact assessments. The following language comes from the City of Seattle, WA:³

“A Privacy Impact Assessment (“PIA”) is a method for collecting and documenting detailed information collected in order to conduct an in-depth privacy review of a program or project. It asks questions about the collection, use, sharing, security and access controls for data that is gathered using a technology or program. It also requests information about policies, training and documentation that govern use of the technology. The PIA responses are used to determine privacy risks associated with a project and mitigations that may reduce some or all of those risks. In the interests of transparency about data collection and management, the City of Seattle has committed to publishing all PIAs on an outward facing website for public access.” 

The centralized IT department asks questions of the department seeking to procure the specific technology. Questions addressed in these assessments include some of the following:

• Describing the purpose and benefit of the technology.
• Who is using the technology?
• What legal standards or conditions must be met (e.g., for criminal justice data systems, etc.).
• What information is being collected?
• What measures are put in place to minimize inadvertent or improper collection of data?
• Who can access the data collected?
• If operated or used by another entity than the jurisdiction, link the memorandums of agreements.
• How will data be stored? What is the data retention policy?
• How will the department owner consider the audit process to maintain compliance? 
• Explain how the technology/project checks the accuracy of the information collected?
• Describe what privacy training is provided to users?

Regularly asking departments to understand these detailed aspects of technology and data use allows for a thorough analysis of privacy risks. 

For other source of guidance on Privacy Impact Assessments see the Privacy Impact Assessments section of the Resources Library.

Privacy Protection Resolutions

In addition to privacy principles, Jurisdictions can consider resolutions that support privacy-forward processes. This includes: 

• When feasible, the Jurisdiction shall provide public notice available to the affected person about the collection, use and sharing of personal information at the time of collection. This includes instructions about opting out of this collection, whenever reasonably feasible.⁴
• Facilitate informed consent⁵ when information imputing a privacy interest of the  citizen is       collected or disseminated. Informed consent refers to a person’s  agreement to allow PII or other personal Data to be provided for research, reporting, and  statistical purposes after being apprised of all material facts the person needs  know in order to make the decision to provide such agreement intelligently,  including awareness of any material risks involved, potential uses and users of such Data, and of alternatives to providing or allowing the collection of such Data.
• Adhere to the Data retention schedule recommended from time-to-time by the Data Governance Oversight Committee or recommended or mandated by applicable laws and ordinances and approved by the Controlling Authority  and dispose of or De-Identify information as required by such retention schedule.
• Maintain public documentation explaining privacy practices that are in compliance with its privacy principles and policies.  
• Provide individuals with the opportunity to correct Data inaccuracies.⁶

In addition to these processes, consider when additional notice should be given when Data is shared internally to a Jurisdiction.  For example, if a parks department gives Data to a policy department, a new data use or shift in resident expectation (that wasn’t shared at the onset of data collection) has potentially occurred. Intentionality should be at the core of Data collection. Jurisdictions often fail to address the “why” of Data collection. Data minimization is key to protecting residents’ privacy rights; accordingly, being intentional about why and how resident Data is collected is of paramount importance. Municipalities should standardize Data collection requirements and justification for the same. In considering the  recommendations offered in this Section 2 and in Section 3, one should be mindful that there are three conditions that justify data collection: 

1. Mandated by law. 
2. Requirement imposed by an external funder of a program. 
3. Required to ensure optimal allocation of resources.

In addition to considering a resolution, staff can develop internal core principles for a Jurisdiction’s   leadership and staff to exercise appropriate care and diligence.   Some suggested internal principles: 

• As stewards of data, we aim to protect and preserve the digital and physical environments.
• We aim to foster a culture that recognizes responsibility and duty to do so rests on the shoulders of government, residents,  citizen groups, educational organizations, and businesses alike. 
• We shall maintain ethical standards and maintain compliance with all local, state, and federal privacy laws that preserve and protect Data.
• We understand the importance of Data Governance starting at the point of collection – aiming to minimize the collection of PII whenever possible. 
• Whenever possible, we shall provide the possibility for an individual to exercise the right to “opt out”  or exercise the right not to have their PII disclosed or sold absent  consent lawfully provided on their behalf by an authorized person.⁷
• We will emphasize and maintain transparency with the public on the usage and collection of data  where it is prudent and reasonable.⁸

Other Data Governance Principles and Resolutions

“The basis of our governments being the opinion of the people, the very first object should be to keep that right; and were it left to me to decide whether we should have a government without newspapers, or newspapers without a government, I should not hesitate a moment to prefer the latter.  But I should mean that every man should receive those papers and be capable of reading them.”

– Thomas Jefferson (Letter to Edward Carrington, January 1787)

As discussed in the Preamble to this Guide, in addition to protection of Data privacy, the Task Force embraces the use of Data by cities and counties to address complex challenges and improve government services. Moreover, as addressed in Section 5 of this Guide, local government can and should engage the communities they serve in well-informed ways to collectively leverage properly available data for public good. Accordingly, in addition to the Privacy Principles and Resolutions discussed in Subsection B. above, it is recommended that Jurisdictions consider adopting by resolution principles along the following lines: 

• The Jurisdiction is committed to maintaining a robust, dynamic, and easily accessible Open Data Program to both (i) serve the public’s right to public information and (ii) facilitate community engagement and collaborative civic innovation in the delivery of public services and in actions that enhance the quality of life and opportunities for prosperity for residents and organizations and protect the physical environment in which they reside. 
• The Jurisdiction shall employ Data management and Data governance practices designed to ensure that Data it seeks to use is of sufficient integrity and is accessible to appropriate parties in proper and efficient ways that facilitate informed decision-making in pursuit of fulfilling its duties to the public and implementing its strategic plans for public benefit. 

The Task Force has identified various resources supporting the value of a Jurisdiction adopting those two principles and containing descriptions of practices to implement them that users of this Guide are encouraged to consider—see the Open Data Policies section of the Resources Library. 

In particular, we wish to highlight Washington DC’s data policy reflecting the intentional effort of using Data as a tool to improve services. 

From “Purpose” in D.C. Data Policy:⁹

“3. The greatest value from the District’s investment in data can only be realized when enterprise datasets are freely shared among District agencies, with federal and regional governments, and with the public to the fullest extent consistent with safety, privacy, and security. ‘Shared’ means that enterprise datasets shall be:

1. Open by default, meaning their existence will be publicly acknowledged, and further, if enterprise datasets are not shared, an explanation for restricting access will be publicly provided;
2. Published online and made available to all at no cost;
3. Discoverable and accessible;
4. Documented;
5. As complete as can be shared;
6. Timely;
7. Unencumbered by license restrictions; and
8. Available in common, non-proprietary, machine-readable formats that promote analysis and reuse.

By so sharing, the District can:

1. Improve the quality and lower the cost of government operations;
2. Make government more open, transparent, and accountable;
3. Enhance collaboration between public bodies, with partner organizations, and with the public; and
4. Further economic development, social services, public safety, and education by making data available to work with and study.”