
Data Use Rights and Data Sharing Agreements
Section Notes
Purposes. Cities and counties regularly engage in “data sharing” in many ways, including through Open Data Programs that make selected types of Data publicly accessible; in agreements with vendors, research organizations, or other for-profit or non-profit organizations of various types; in arrangements with other cities or counties, or with state or federal law enforcement or other agencies; and “internally” where two or more city or county departments or agencies identify data sharing requirements, needs, or potential benefits.
Prominent Challenges Addressed. The initial working group that led to the MetroLab Data Governance Task Force identified several scenarios, challenges and considerations regarding “Data Use Rights” and “Data Sharing Agreements,” including:
- Negotiating policies and strategies with private companies—and building data governance terms and conditions into “Requests for Proposals” (RFPs) for technology procurements (e.g., software procurements).
- Determining who “owns” Data and what permitted or prohibited uses the Data owner and other parties may or should have.
- Exploring “opt-in” versus “opt-out” approaches to constituent consent to collection and use of their data.
- Dealing with vendor “opacity.”
- Addressing special considerations with “hidden data” (e.g., metadata).
- Promoting inter-departmental Data sharing and opportunities from “overlays.”
- Considering special arrangements when the Jurisdiction shares data with research organizations.
- How to approach formalization of arrangements with Data intermediaries.
- The importance of a team approach to Data Sharing Agreements in which Jurisdiction Legal Counsel and Information Technology personnel are among the team members.
- Special considerations regarding Open Data Programs.
- Special considerations with law enforcement Data.
- Monitoring performance and compliance on Data sharing and permitted vs prohibited uses and remedies for related breaches of contract.
Special considerations concerning residents’ rights regarding their Data acquired by a Jurisdiction are addressed in the Data Governance Principles in Section 2 of this Guide, and Data sharing through Open Data Programs is addressed in Section 3.C. Both a Jurisdiction’s “Internal Data Sharing” (e.g., among Jurisdiction departments) and Data sharing with other governments are addressed in Section 5.B. This Section 4 focuses on Data sharing provisions included in documents for technology procurements from vendors (e.g., in RFPs) and negotiated Data sharing agreements with other non-governmental “external” parties, such as parties whose activities are subject to regulation by the Jurisdiction or organizations involved in research that might help inform Jurisdiction policies and practices or otherwise promote public good.
For a list of several sources providing background, and sample policies and practice tools associated with the issues addressed in this Section 4, see the Data Sharing Agreements and Additional Background Readings sections of the Resources Library.
Data Sharing Challenges/Common Considerations and Principles
Context and Threshold Guiding Principles
With the volume, velocity, and variety of data expanding exponentially, Jurisdictions are increasingly employing Data sharing to innovate, fill knowledge gaps, and facilitate other parties’ public good initiatives. For the purposes of this Guide, Data sharing and acceptable use considerations are focused on Data the Jurisdiction (i) collects directly, (ii) receives through an agreement with a Data Intermediary or other Applicable Third Party engaged to collect the Data for the Jurisdiction, or (iii) has obtained from an Applicable Third Party and has permission to share.
The key to effective and appropriate Data sharing is for all impacted parties to have a common understanding of what Data will be shared, why Data sharing is warranted, the intended outcomes of the Data sharing, permitted and non-permitted uses of the Data, the Data management approach to be employed, and the roles and responsibilities of each party. The parties involved, and associated guiding principles, include:
- Data Owners: the onus is on the Data owners to specify the allowed uses and expected handling as well as to manage communications with other impacted parties.
- Data Recipients: Data recipients need a clear use case for the requested Data, robust processes to ensure that Data management expectations are met, and the ability to demonstrate appropriate use of the Data.
- Data Subjects: in the event the Data contains information about people, those persons should be notified prior to such Data sharing and should also be able to learn the outcomes of that Data sharing.
In line with Section 2, those parties and guiding principles should be considered and intentionally addressed when negotiating Data Sharing Agreements and Data Use Rights. Included below are a few additional comments related to principles and practices around ethical Data use and risk management.
Ethical Data Use and Risk Management
Ethical Data use means using the Data to improve lives without introducing greater risk to those lives. While ethical Data use can be relatively straightforward for the Jurisdiction when collecting information in order to provide a service, the considerations are different when such administrative Data will be put to different uses through Data sharing. To determine if the Data sharing will result in continued ethical Data use, the following questions should be among those asked:
- Was the Data collected for a purpose that is similar to how it will be re-used? Dissimilar purposes may mean the Data will not inform the new use case.
- Is the Data quality suitable for the re-use purpose? Responses needed to fulfill a service request may be less rigorous than those sought to inform, e.g., trend analysis.
- Do the Data sharing use cases align with the Jurisdiction’s priorities? Distinguish Data sharing that serves the public good from Data sharing with a private financial or other purpose, and ensure you have a public message around the Data sharing that aligns with your Jurisdiction’s priorities.
- Does the data satisfactorily represent the Jurisdiction’s community? Survey Data for which responses were received from predominantly one or two segments of the Jurisdiction’s community may not be suitable for determining community perspectives as a whole.
- Does the Data sharing use case further an equitable community? Apply due diligence in understanding communities that benefit or may be excluded.
Risk appetite varies among Jurisdictions, with some being highly risk averse and others willing to accept some risk for potentially greater community rewards. Data sharing has a risk management component that needs to be aligned with the Jurisdiction’s tolerance for risk. One consistent output of all Data sharing should be public communications – what Data sharing is occurring, why, and to what benefit? When managing risk, consider how the Data sharing message will be perceived by constituents and the Jurisdiction’s leadership.
Data Sharing Provisions in Procurements
This subsection addresses provisions pertaining to Data sharing in the context of a Jurisdiction’s procurements of technology from vendors of three types:
- “Primary Vendors” offering broad services to the Jurisdiction, including substantive Data Handling to support the services (generally persons and entities that deal in large quantities and diverse types of Data and/or are providing major Data Platforms or Data Platforms support to the Jurisdiction). Examples range from cloud-based administrative systems such as financial or permitting software to GIS, data warehouse, or data management platforms.
- “Secondary Vendors” offering services in specific data analytics or other targeted Data services (generally persons and entities that deal with Datasets more limited in nature than Primary Vendors). Examples include consulting firms engaged to perform analysis within a specific policy area.
- “Miscellaneous Vendors” that do not fit in with the previous two categories, but are engaged to provide goods and services, or are otherwise entering into agreements with the jurisdiction, in circumstances that are likely to produce significant Data that could be productively used by the Jurisdiction.
The Jurisdiction’s procurement processes for engagements that directly or indirectly involve any aspect of Data Handling (“Data Handling Procurements”) should follow the same principles, policies, and guidelines that apply to Data management within the organization. Accordingly, Data Handling Procurements, and related requests for proposals (“RFPs”), requests for information (“RFIs”), and requests for quotes (“RFQs”) should reflect the following principles and practices:
- The Jurisdiction shall recognize that the products and services it buys have inherent social, human, health, environmental and economic impacts, and that the Jurisdiction should accordingly make procurement decisions that embody, promote, and encourage a commitment to the community it serves.
- Procurement officials and associated Jurisdiction employees shall apply due diligence in seeking to prevent or mitigate harm or inequity resulting from Data Handling.
- To the extent deemed applicable by the Controlling Authority in the particular request regarding a Data Handling Procurement, require that respondents communicate how they will adhere to the Data Governance Principles adopted by the Jurisdiction and the additional guiding principles specific to Data use and Data sharing set forth in Subsection 3.B above.
In addition, the following specific measures and questions drawn from three sources shared by Task Force members might be considered for inclusion in RFPs, RFIs, and RFQs, as applicable:
From City of Asheville, NC Technology Procurement Governance Checklist:
Asheville uses a checklist to evaluate whether a vendor’s product meets the City’s data, security, accessibility, and other standards and makes the checklist available to vendors. See the “Questions” and “Why is it Important?” explanations associated with each of the twenty-one following named “Items” addressed in Asheville’s checklist:1
- Data Ownership & Rights
- Data Privacy
- Confidentiality
- Data Center Security (SaaS)
- PCI Compliance
- Exit strategy (avoid lock-in)
- Data Standards
- Accessibility
- Software Usability
- Open, Published APIs
- Financial Integration
- Other Data Integration Needs
- Public Record Law
- Data backup and disaster recovery
- Service Level Agreement
- On-Premise infrastructure requirements
- Access needed to on-premise infrastructure to our network
- Webforms
- Equity and Digital Inclusion
- Portfolio Alignment or Duplication
- Administrative Rights
From Platform Urbanism Data Sharing Policy Guidelines:
While the context of Platform Urbanism Data Sharing Policy Guidelines2 is regulation of sharing economy platforms, the following seven named guidelines it sets out can also be relevant to a Jurisdiction’s procurements:
- Justify and focus data sharing requirements by defining government objectives and documenting use cases.
- Commit to minimizing platform data collection to the least invasive information needed to meet program objectives.
- Specify fields and frequencies to cater data granularity appropriately.
- Require machine-readable, open formats and standards, and consider appropriate data transfer approaches.
- Commit to program transparency, public oversight, and ongoing feedback.
- Establish organizational structure for [data sharing requirements] implementation, including roles, responsibilities, and enforcement mechanisms.
- Classify, protect, and permission Sensitive Data.
Sources underlying those seven guidelines and “Example Policy Language” are available in the PUDS Policy Guidelines site.3
Some Additional Recommendations for Data Sharing in the Procurements Context:
Also consider incorporating each of the following in planning and setting the proposed terms of a technology procurement that will involve Data Handling:4
- Involve the Jurisdiction’s Legal Counsel throughout the process of fashioning Data sharing and related provisions in the applicable procurement documents. Include in their review and analysis responsibilities due diligence in pursuit of the goal that none of the collection, storage, use, and/or dissemination of the applicable Data will conflict with applicable law or with guiding principles adopted by the Jurisdiction regarding Data sharing. Require Legal Counsel to engage with IT Staff in those due diligence efforts.
- Clearly define what constitutes a Data breach and what the responsibilities of the vendor are in relation to lessening the risks of a data breach and in relation to potential liability as a consequence of a data breach.
- Address how the Jurisdiction and the vendor will implement their performance obligations after a contract is signed, including, as applicable, reporting and monitoring obligations.5
Data Sharing Agreements with External Parties in Other Contexts
This subsection addresses Data Sharing Agreements which do not involve any payment by the Jurisdiction to an “external” party of either of the following types:
- “Private or Non-Profit Sector Parties” that (i) are subject to regulation by the Jurisdiction or (ii) provide data to the Jurisdiction and/or receive data from the Jurisdiction for the purpose of jointly providing a new or improved service to the community for the public good.
- “Academic Parties” that generate data on behalf of the Jurisdiction and/or process Jurisdiction data and are typically resourced by grants and other public funding.
Regardless of which of those types of parties are involved, the overarching considerations are common to both, and essentially mirror the considerations addressed in Subsection 4.C above regarding Data sharing provisions in technology procurement processes and documents—and implicate the same issues to address and due diligence and other recommendations made in that subsection.
In general, the fact that the context does not involve a financial payment by the Jurisdiction to the one or more other parties in the Data sharing arrangement does not render any of those recommendations irrelevant. Indeed, some Task Force members expressed the opinion that special types of Data Sharing Agreements for arrangements with nonprofits or in other non-procurement settings are unnecessary. However, other Task Force members felt that there is value in having special forms/templates for non-procurement scenarios, as there can be some additional considerations to take into account in such situations. Such additional considerations might include, for example:
- Specialized licensing terms/use rights that take into account the nature of the collaborators (e.g., where they are educational institutions or nonprofit entities serving public benefit roles).
- In research collaborations, special attention to Institutional Review Board compliance or similar requirements to which one or more of the participating organizations are subject, and to the fact that some research collaborations may span long periods of time.
- Special provisions for parties serving as Data Intermediaries may be in order.
- Crafting measures of damage for breach of obligations that are not informed by contract payments.
For references to some resources containing sample Memorandum of Understanding (MOU) approaches to multi-party data collaborations among government agencies and nonprofits on matters involving education, homelessness, housing, and other issues, see the Data Sharing Section of the Resources Library.
Doing public good with Data requires that the Data is of sufficient quality/integrity, is properly accessible, and is stored safely.
While cities, counties and states use many rules and regulations, a common first step is to establish privacy principles, often by way of resolution passed by the Jurisdiction’s governing body.
A core set of definitions reflecting municipal uses of Data will be vital to standardizing practices across departments and jurisdictions.
While protecting data from outside threats is a major concern in a Jurisdiction’s Data Governance, just as important is standardizing internal departmental procedures to safeguard data throughout its lifecycle.