Approaches in Seattle & New York City
New York City’s Internet of Things privacy document, which deals only with the governance of IoT data, is longer and more specific, but sets forth similar principles. There are a number of issues—surveillance, transparency—which are significantly more salient with the sensors required by IoT, but there are many common themes between the two policies. NYC lists their principles as 1. Privacy and Transparency; 2. Data management; 3. Infrastructure; 4. Security; and 5. Operations and Sustainability.
The Seattle and New York City approaches focus on establishing the spirit of the law rather than specific requirements which can be followed to the letter. There are positives and negatives to this approach, which puts the impetus on employees to react to specific situations. This could mean more tailored, sensible approaches to different technology projects, but it also forces citizens to rely on the city government to accurately evaluate each circumstance. That could be difficult for employees to manage and difficult for residents to check. In these policies is the assumption of basic trust in government to follow the spirit of the law when the letter is absent.
Trading Less Information for More Privacy
Both Seattle’s and New York City’s approaches imply that privacy and governance start before the data hits the city servers. They emphasize not just careful handling of data, but also transparency, openness, and careful deliberation surrounding data collection. I believe it is the attention to data collection that really indicates a new level of maturity in technology or data initiatives in cities. It recognizes that cities that hold data have a responsibility to keep it secure. Some could argue that the technical ability to safeguard data has not grown as quickly as the ability to collect large amounts of data inexpensively. This issue is particularly relevant in regard to IoT devices, which generally have the ability to gather almost continuous measures. For cities, the decision becomes less about how much data they want to collect and more about how much data they will discard.
Growth in the Internet of Things means cities open themselves up to new innovations, but also to a tempting but potentially dangerous approach to data collection. An attitude of “if we can get it, we may as well” could create difficult questions about requirements for maintaining data, opening data up to the public, and keeping data secure. The ability to capture large amounts of data easily and cheaply is both a boon and a possible danger for local governments.
Both Seattle and NYC have a framework for thoughtful decision making about information collection. New York in particular requires that data collection in projects be designed toward specific purposes and address specific problems. The importance of these policies rests on a couple of assumptions: that residents give up privacy when their data is collected, even if that data is not technically Personally Identifiable Information (PII), and that the only way for data to be truly protected is for data not to be collected in the first place. I think these are both valid assumptions, though ones that should be weighed against the value of the data collected, or, more importantly, the potential value of the data not collected. This move to push departments to think through all the future implications of data collection is an important step in the maturation of tech in government.
There are drawbacks to being selective in data collection. It’s not always clear ex ante what data will be the most valuable. Valuable research can be done with data that was collected but never used. Requiring exacting rationales for data collection risks losing the possibility for some of those discoveries, particularly as it becomes easier to facilitate discovery and use of government-collected data. In some ways this was a main premise of the early open data movement: cities had data they weren’t using and didn’t necessarily know what to do with, and they put it online for transparency’s sake, but also with the expectation that citizens would make use of it in new and surprising ways.
What’s next for privacy policies?
It seems likely that more and more local governments will be coming out with privacy and governance policies for their data in the coming years — both general policies (like in New York City & Seattle) and project-tailored policies (like in Chicago). Larger cities may follow the path of New York and create ones dealing solely with the IoT, but it is less clear what form these policies will take. There are clearly trade-offs between specificity, clarity, and freedom. Structural decisions may come down to who the policies are designed for, residents or experts, and how much cities are willing to hem themselves in. I’m not sure there’s a correct answer here, but I absolutely think these are questions every city should be sure they’ve asked themselves before writing a policy.
The proper design of a data governance policy may look very different in different cities. Large cities with significant internal resources and expertise may be more able to put forth generalist policies which put the impetus on departments to make specific decisions. Small cities, on the other hand, may not feel they have the ability to leave the process ad-hoc and must instead mandate a one-size-fits-all policy. Pushing the other direction, however, small cities may have more freedom to allow individual deviation because of their less bureaucratic structures, while larger cities have less of an ability to make certain the spirit of non-specific policies is being adhered to.
As more cities create policies, and hopefully engage with residents around them, more insight can be gained about what citizens want and expect from their government in this area. What level of specificity do they require? How much trust do they have in government to do the right thing and how much do they require continued oversight? How do residents view the trade-off between privacy and data use?