As cities begin to see big data as an essential part of governing, more are examining and formalizing their handling of data, and of the Internet of Things (IoT) in particular. There is a growing expectation that governments deal with data in a systematic way and embrace responsibilities beyond encryption of personally identifiable Information (PII). As an Ash Center Summer Fellow at the Smart Chicago Collaborative, I’ve had the opportunity to witness Chicago’s process before the deployment of the Array of Things. As feedback rolled in on the Array of Things Governance and Privacy Policy, it seemed an ideal time to explore how other cities have dealt with this issue in comparison, and the direction or directions in which the conversation is moving. Recent examples include Seattle’s Technology Privacy Policy and New York City’s Internet of Things Privacy Policy.
In late 2013, in response to resident concerns over several public failures of data transparency, Seattle launched the City’s Privacy Initiative. According to CTO Michael Mattmiller, its goal was “driv[ing] consistency across the city” and helping departments evaluate their data handling and governance on a project by project basis. Seattle Information Technology led the process by creating a Privacy Advisory Committee of local experts and academics from the University of Washington. The effort culminated in the adoption of six Privacy Principles as City Council Resolution 31570 and a Privacy Policy directing city departments to follow a more in depth Privacy Statement. The principles outlined in the document are 1. We value your privacy; 2. We collect only what we need; 3. How we use your information; 4. We are accountable; 5. How we share your information; and 6. Accuracy is important.
Instead of focusing on creating a set of static requirements, Seattle created a process which forces individuals and departments to fully to think through the implications of their data-related actions for individual projects. Staff must consider these privacy principles when creating a new service, as well as create a privacy impact assessment for new technologies. The choice to structure the privacy policy in this way both requires and relies on future care, effort, and thoughtfulness of employees across the city.
New York City’s Internet of Things privacy document, which deals only with the governance of IoT data, is longer and more specific, but sets forth similar principles. There are a number of issues—surveillance, transparency—which are significantly more salient with the sensors required by IoT, but there are many common themes between the two policies. NYC lists their principles as 1. Privacy and Transparency; 2. Data management; 3. Infrastructure; 4. Security; and 5. Operations and Sustainability.
The Seattle and New York City approaches focus on establishing the spirit of the law rather than specific requirements which can be followed to the letter. There are positives and negatives to this approach, which puts the impetus on employees to react to specific situations. This could mean more tailored, sensible approaches to different technology projects, but it also forces citizens to rely on the city government to accurately evaluate each circumstance. That could be difficult for employees to manage and difficult for residents to check. In these policies is the assumption of basic trust in government to follow the spirit of the law when the letter is absent.
Both Seattle’s and New York City’s approaches imply that privacy and governance start before the data hits the city servers. They emphasize not just careful handling of data, but also transparency, openness, and careful deliberation surrounding data collection. I believe it is the attention to data collection that really indicates a new level of maturity in technology or data initiatives in cities. It recognizes that cities that hold data have a responsibility to keep it secure.
