The influx of these new and potentially intrusive tools threatened to create more and more personally identifiable and sensitive information that privacy advocates, the mayor and city representatives believed needed increased oversight. In response, the mayor, and city council tasked the chief technology officer with creating a privacy program to address the issues associated with data privacy to rebuild trust in how we handle the public’s information.
Seattle's Privacy Program: Current State
In fall of 2014, a review of our current state determined that while no data was vulnerable, we had some work ahead of us to get to a one-city approach to privacy. Privacy practices and commitments across departments about how we handled information varied widely. Few departments explained or provided notice about data collection or use, retention policies and data sharing were inconsistently managed, and third parties and vendors’ data management practices often diverged widely from our expectations. As in many enterprises, each department had developed its own data management practices based on individual program missions, creating a dizzying array of practices and processes.Program Deliverables
In building the Privacy Program, we identified three deliverables that form the basis of the program. The first is a statement of Privacy Principles, providing a framework for an ethically based approach to developing all policy, processes and standards for dealing with the public’s data. This was passed as a city council Resolution in 2015 and remains the basis for all future privacy legislation. The next deliverable was the City Online Privacy Statement. This is a one-city statement of commitments and notice about all aspects of data management. Finally, the City Privacy Program, staffed with four full-time employees including a chief privacy officer (CPO), provides details about executing against these public commitments and includes an internally available online toolkit of resources about the program, a privacy review process, a citywide annual awareness training and a network of privacy champions.Meeting once a month to discuss a variety of privacy related topics, these individuals dedicate part of their time to privacy, representing all city departments and act as departmental privacy resources. Seventeen of these champions are scheduled to sit for the International Association of Privacy Professional’s Certified Information Privacy Professional U.S. privacy certification this fall.
Role of CPO in Municipal Government
The role of Seattle’s chief privacy officer is to ensure that the city is compliant with its privacy commitments. I lead the team that is responsible for carrying out the elements of the Privacy Program. This includes conducting privacy reviews of new technology acquisitions, cross-city training and education, new and existing project consultation and outreach and awareness outside of the city about municipal privacy. My staff consists of a privacy program manager and two senior privacy specialists.Privacy Environment
Cities exchange a lot of information. Municipal governments issue building and business permits; provide services to low income and vulnerable individuals; issue traffic and parking tickets, maintain roads and signaling; collect city taxes, process court proceedings, provide emergency response; and provide innumerable other services that require collecting and managing enormous amounts of information. If someone wants to know details about how individuals interact with their community and fellow residents, city records provide a wealth of information.Public Records Act: Unique Case for Washington State
While tasked with collecting information required to provide needed or requested services, city governments are also subject to public records laws. Instituted to ensure transparency about governments activities and use of information, public records laws vary widely across the country. The Washington State Public Records Act is exceptionally open, providing very few, narrow exemptions to what any member of the public may request from all governmental entities in the state. Almost all records, therefore, regardless of how sensitive or personal they may appear, are eligible for a records request. While private companies may choose what to collect, and may protect it from outside access or use, municipalities must collect information to deliver services and then are likely not able to control access or use if a public records request is made. This limits our ability to protect some information under our control.Federated Environment
An interesting and challenging aspect of the municipal environment is the federated nature of most city governments. Seattle is composed of over 30 departments with a wide range of missions. This equates to a varied approach to information technology and different commitments to customers, contracts and data sharing partners. While Seattle is at the tail-end of a three-year IT consolidation project, clean-up and integration of purchasing and review processes continues, leaving process gaps from privacy review and oversight.The Unique Issues of Smart City Technology
The rapid growth in so-called smart city technologies has created innovative opportunities for cities to improve service access and performance. Sensors that can be used to determine open parking places throughout the downtown core, improve traffic and cross-walk timing direction and provide detailed environmental conditions can improve our interaction with our urban environment. Analytics that assist in urban planning projects like bike lanes and other alternative travel options improve service delivery and quality of life for all residents. New technologies are being invented or are being adapted daily from the private sector for city purposes, but they introduce unique issues for privacy.Untried Technology
Much of the innovation seems to be coming from startups with untried technologies and business plans. New equipment or software needing in-field polish to detect and fix bugs does not lend itself necessarily to city purposes, where uninterrupted service is required, and security and privacy concerns are unique and can involve critical infrastructure. We require solid and secure technology to deliver required services and to protect people and property.Unknown or Evolving Business Models
As new companies propose city solutions, in many cases their business models are still evolving. For Seattle this has resulted in discussions with companies with unclear data collection practices and inadequately documented uses of the personal information. Often, the terms of use include unlimited selling or sharing of collected data with unspecified third parties for targeted marketing purposes. Some startups are collecting data for which they do not have a defined purpose. In at least two recent occasions, companies proposing solutions or partnering opportunities did not have a privacy policy at all and asked the city to assist in creating an acceptable one for them. These conditions, while understandable in a start-up environment, are not optimal for delivering reliable, dependable and mature services required for city use.Public Perception
New and somewhat volatile innovation is acceptable in the private sector. Many individuals will gladly install privacy-invasive technologies such as cloud-based home service devices in exchange for the novelty or convenience of the devices’ capabilities. People will bypass privacy notices about use of the data collected by phone apps to try the latest and greatest technologies, despite clear indication that data is shared or sold to third-parties and used for other purposes.This willingness to accept such privacy terms changes significantly in the context of government data collection. In addition to public skepticism about how government collects and accesses data, even the perception of misuse or overreaching into residents’ lives and information is troublesome to many concerned with personal privacy. Governments are held to a higher standard than private entities and need to be both more transparent and aware of this difference.
Ethical Policy Decisions
There is also an ethical tension around the municipal government’s role in brokering the public’s data. When a city partners with a company to deliver a service, like bikeshare services, it appears that the city is endorsing the service and terms of use. This raises serious policy questions that cities need to address before they engage in public-private partnerships: Should we be involved with third-party service or technology contracts that share the public’s personal information? When this involves the collection of vast amounts of data that we know will be used for a variety of marketing and analytics purposes, are we complicit in data brokering?Even if the privacy statement involved clearly states the intended uses of data, it is an acknowledged truth that many people do not read these in adequate depth to understand their implications, so what is the responsibility of the city to protect vulnerable or unwitting users from these data use practices?
Service Provider Agreements and Conflicts with GDPR
In addition to ethical concerns about third-party data collection, most national and international technology service providers and companies have spent the past few years preparing for compliance with the EU’s newly enforced General Data Protection Regulation, or GDPR. While municipal governments find little direct intersection with these requirements themselves, there are concerns about fulfillment of regulatory requirements that may result in individuals requesting that their data be deleted or ported to alternative vendors. This may conflict with public records acts requiring that all government generated or received data must be retained for specific periods of time, usually ranging from six to 20 years. City governments are currently considering what this may mean for data solutions offered through GDPR-compliant entities.Performance Metrics
Performance-driven decisions are not just for the private sector anymore. Increasingly, city management and government leadership are turning to detailed metrics to determine program efficacy and whether departments are meeting their mission objectives.More Data about Individuals Required
Focusing on performance metrics means that departments and programs are finding it necessary to collect more and more information about their clients and the services they receive. While it may not be necessary to collect race or ethnicity data to provide an arts grant, a housing or food subsidy, or grant access to a public garden patch, that information is important to determine whether the program is meeting its equity objectives and reporting this information may be required to continue to receive state or federal funding. If this data is collected in a manner that is linked to an identifiable individual, the data is available for other uses beyond those originally intended.Using Existing Data
When direct data collection is not possible, joining data sets or mining them for the desired information becomes an attractive option. This presents concerns when the data is personal in nature, either linked or linkable to an identifiable individual. Information collected to register for a class at the Parks Department, for example, may be necessary in identifying age requirements or language preferences. Using that information for purposes other than its original intention is a concern, however, especially if taken out of context or if it becomes part of a public records request.Demographics and Secondary Uses
Finally, collecting detailed demographics may be useful for targeting services appropriately, but when combined with location or contact information can become a target for secondary uses. Seattle has passed Executive Order EO 2016-08 in 2016 prohibiting city employees from collecting immigration status from city service recipients. While this information is no longer collected, proxies for immigration, such as country of origin and preferred language are collected to facilitate communication with residents. When combined with address information, this can be a privacy concern. As an example, Seattle City Light and Washington State Licensing data have been requested several times over the past 18 months as part of ICE immigration investigations. Cities must consider that data collected for one purpose is also eligible for unforeseen government or privacy-sector activities that may be counter to city policy goalsUsing Private-Sector Technology
One of the most difficult issues we face is adapting technology that was developed and intended for use by private-sector businesses or individual users. Anything from cloud storage options to phone apps to marketing contact software have city privacy implications because of public record requests and the sensitive nature of information that is collected.Security: Hardening for critical infrastructure concerns
Cities are the endpoint for the delivery of many critical infrastructure services. Bridges, roadways, traffic signaling, electricity and water delivery are all managed and maintained by local governments. Using technologies, like drones, to inspect bridges or other infrastructure requires specialized attention to information security. Communications and image capture technology must be hardened against hacking and malicious purposes in a way that is not often considered for civilian use. This same attention is critical for computer and software technology as cities become more reliant on these solutions.Marketing Technologies
Software tools, like customer relationship management (CRM) systems and the data they collect, are critical to companies that market and sell services and goods. As municipal governments contemplate how to ensure that their important services are made available to residents, they are turning to these technologies to assist in developing targeted communications and outreach campaigns. Unfortunately for cities, privacy companies for whom CRM systems were originally created do not have to consider city and state record management laws. We have run into software systems that do not have automatic deletion utilities resulting in over-lengthy storage of information and those that delete data too quickly, both concerns for record retention requirements. In addition, CRM solutions provide a one-stop database for a vast range of personal information that is vulnerable to unintended uses.
Conclusion
As cities look to the private sector for innovative new technologies to better reach residents and provide services, city leadership must proactively address the unintended consequences of the resulting increased data collection. Instituting a privacy program to communicate data management and use, determining policy positions about third-party data collection and sharing and understanding the real implications of public disclosure laws in the age of information is critical to building and maintaining trust about municipal data management. With the adoption of Europe’s GDPR and California’s 2018 Data Privacy legislation, the private sector is being forced to increase transparency about data use. Governments should expect to be held equally accountable about their public data privacy practices.Ginger Armbruster has been Seattle's chief privacy officer since 2017. Prior to her current position, she has worked in sales and marketing for Fortune 500 companies, including IBM, Hewlett-Packard and Johnson & Johnson, as well as several medical technology startup companies. She has a master's degree in infrastructure planning and management from the University of Washington, focusing on critical infrastructure cyber-resiliency.
Editor's note: This article has been corrected to reflect that Ginger Armbruster attended the University of Washington, not the University of Michigan.