Kansas City, in collaboration with the University of Missouri and other local governments, has created a model to tackle the policies and procedures needed to manage sensitive data in communities as tech use grows.
MetroLab Network has partnered with Government Technology to bring its readers a segment called the MetroLab Innovation of the Month Series, which highlights impactful tech, data and innovation projects underway between cities and universities. If you’d like to learn more or contact the project leads, please contact MetroLab at email@example.com for more information.
In this month’s installment of the Innovation of the Month series, we explore the work of the University of Missouri-Kansas City (UMKC) and the cities of Kansas City, Mo. (KCMO), and the Unified Government of Wyandotte County and Kansas City, Kan. (Unified Government), on a Draft Model Data Handling Policy, with several collaborators.
MetroLab’s Ben Levine gathered information about the development of the project from Tony Luppino, a UMKC Professor involved in multi-disciplinary and multi-institution civic entrepreneurship initiatives and a leader of the project; Kate Garman, senior associate at Cityfi (and formerly an innovation analyst with KCMO, and smart city coordinator and technology policy adviser with the city of Seattle); Alan Howze, chief knowledge officer of the United Government; Abigail Eccher, Performance and Innovation Project Manager at the Unified Government; and Aaron Deacon, Managing Director of KC Digital Drive. Levine also obtained perspectives on the project from several participants in a session Luppino and Deacon organized to gather feedback on an annotated draft of the Model Data Handling Policy at the MetroLab Network annual Summit in late 2019.
Ben Levine: Can you describe the origin and objective of the Model Data Handling Policy project and who has been involved in it?
Tony Luppino: Teams of students and faculty primarily from the School of Law and the School of Computing and Engineering at UMKC developed the Model Data Handling Policy (MDHP) project in an interdisciplinary graduate-level course administered by the law school, with input from several collaborators with the course, including interested community members, government and educational institutions. The draft MDHP contains a set of principles, policies, procedures and checklists addressing a city’s responsibilities and opportunities with data handling. It covers the collection, creation, storage, use, transfer and dissemination of data, as well as the use of data platforms and related security, risk mitigation and breach damage containment measures. The current objective is to refine the draft with collaborators across the MetroLab Network and create a next iteration that we hope will be useful to cities throughout the U.S. that might embrace some of its principles or implementation suggestions, tailored to their specific circumstances.
The project began when Kate Garman, then working in KCMO’s Innovation Office on Smart City initiatives, sought research input from UMKC’s Law, Technology and Public Policy course to help inform the city’s consideration of both privacy laws and sunshine laws from the citizen perspective, and best practices in associated policies and in communications with the public.
Kate Garman: As the city was considering new technology in the right of way, it was paramount to understand privacy implications and how to balance that with transparency. Working with the UMKC School of Law was a natural fit, and they were an excellent partner to take on such a project.
Alan Howze: Programs like the Law, Technology and Public Policy course at UMKC, and the student interest they inspire, are a tremendous catalyst to civic innovation programs and initiatives in the region. Student and university interest in these public projects continues to increase, providing opportunities for collaboration and growth, and delivering real value to local governments and the communities they serve.
Abigail Eccher: Having worked on the project as a law student before graduating and entering a position in the Unified Government, I believe students who engage with “real world” municipal problems succeed by commingling a traditional legal education with interdisciplinary concepts such as change management and ecosystemic thinking to overcome chronic obstacles. In a world that is often defined by case law, statutes and treatises, students in the Law, Technology and Public Policy program are turning to use cases, case studies and stakeholder input to solve problems most cities have experienced for decades. Applying these fresh, collaborative insights and strategies to “legacy predicaments” often results in a much-needed shakeup of legacy processes.
Luppino: Across several semesters and teams, the project evolved into development of the multi-faceted draft MDHP. The draft was based on research on various legal and policy issues, study of relevant initiatives in several other cities, exploration of data handling in KCMO, and review of data sharing agreements from some other cities as well. It sets out core principles, operating procedures, policies on uses of data for public benefit, risk mitigation and audit measures, and a recommended governance/oversight structure that includes mechanisms for informed and timely community input. In appendices, the draft provides checklists for negotiating and evaluating data-sharing agreements with different types of collaborators and vendors.
Courtesy of Prof. Tony Luppino, University of Missouri-Kansas City.
Levine: Who has participated in the advancement and vetting of the project?
Luppino: In between phases within the UMKC course, the project was advanced by the Legal Technology Laboratory, a UMKC-led initiative supported by the Ewing Marion Kauffman Foundation. After incorporating feedback from local government and community representatives in the Kansas City region, a revised and annotated draft was vetted at a roundtable session at the MetroLab Summit in 2019. The featured speakers in that roundtable, each of whom commented on the Draft, included Denise Linn Riedl, chief innovation officer of South Bend, Ind., Eric Jackson, data and analytics program manager in Asheville, N.C., Almis Uldrys, deputy chief of staff for innovation and policy for the city of San Diego, and Amie Stepanovich, executive director of the Silicon Flatirons Center for Law, Technology and Entrepreneurship at the University of Colorado-Boulder. The session elicited input from those featured speakers, as well as representatives of several other cities and universities in the MetroLab Network in attendance.
Denise Linn Riedl: Cities are experiencing so many common challenges when it comes to data, it only makes sense that we would collaborate together to workshop shared solutions. As chief innovation officer, I often tap into the expertise and best practices seen in other cities. The more city teams and privacy experts shape and vet this model policy, the stronger it becomes.
Levine: Tell us about the need for this project. What risks are presented when cities lack a data-handling model?
Luppino: When we asked participants at the MetroLab Summit about their concerns around data handling and privacy, their responses validated several of our own concerns. There was discussion around citizen perceptions of lack of transparency on data collection, usage and sharing, and insufficient attention to community input; the need for enhanced data and network security design and audit protocols; desirability of cross-department coordination on data-handling standards and practices, and on sharing of data to improve effectiveness and equity in delivering public services; and risks of inadequate checks and balances on data sharing decisions. Moreover, several participants confirmed our observation that while many cities have adopted policies for “open data portals,” it does not seem many have adopted a comprehensive policy addressing, with a duty-of-care mindset, the many types of data a city collects, stores and transmits on a daily basis — but are now seeing the need for such a comprehensive policy.
Levine: What are some examples of data you considered in your project? Are certain types of data more important to consider for privacy and security than others?
Aaron Deacon: The starting point for this project was an increasing array of sensors and communications technology either owned by the city or deployed on city infrastructure. Photos of license plates or video of faces, MAC addresses of devices accessing public Wi-Fi points, tracked interactions with public kiosks — in the private sector, we have grown accustomed to ubiquitous data collection, but there is still a lot of work to do to translate that to the public sphere. Beyond personally identifiable information, the document loosely defines a category of “sensitive data.” This classification is a good example of where we are seeking additional feedback on how different cities are classifying and treating different types of data.
Almis Udrys: In San Diego, we categorized data into public and non-public classifications to ensure consideration of privacy and security, and then sorted it further as high-value public and non-high-value public based on our understanding of data the public and/or our own workforce would be interested in accessing in a machine-readable way.
Amie Stepanovich: Collection, retention and use of data about people’s daily lives can have broad negative impacts, from risks of manipulation to outright discrimination, particularly for traditionally marginalized or vulnerable communities. Because of these impacts, any move to integrate technology should be postponed until robust legal protections and safeguards are in place, including transparency and accountability mechanisms. Given the advances in machine learning tools that can be used to reveal personal information from data points that may appear not sensitive, these protections should apply to any data linked or reasonably linkable to a specific person or household.
Levine: How do you make this a usable tool for leaders in cities of varying sizes and resources?
Luppino: While the draft policy was designed to be of potential value to any city in the U.S., feedback at the vetting sessions to date have raised questions about whether cities with less staffing and resources than others might have difficulty in implementing all components of it. For example, the oversight system it lays out requires a combination of staffing with varying levels of training in data handling. As we approach the next iteration with collaborators, we are looking to make it more distinctly modular, so that a given city seeing particular value in certain parts can adopt those parts. We also plan to explore using technology to make the policy more accessible and implementable, which has been an aspirational part of the project (see the project’s description here).
Riedl: The model policy is ambitious, but I believe many of its recommendations can be right-sized to accommodate the context of smaller cities. We're talking about this now in South Bend. While smaller cities have smaller staffs and smaller budgets to operationalize this work, it can also be easier for smaller cities to institute cross-departmental change. That's what this model policy is truly about: an institution-wide commitment to better data management and sharing practices.
Levine: If data is managed well and security is robust, what does a data- and technology-enabled city look like? What are the most important problems that will be solved?
Eric Jackson: There is a significant danger of seeing smart city technology and data-driven decision-making as essentially technical tools. Obviously they have technical aspects, but those are comparatively straightforward. What is really critical is to ensure that data governance explicitly ties the use and handling of data and analytics to the core values of the community. In Asheville, that means that we must lead with equity, that we scrutinize whether data adequately represents everyone impacted by its use, and that we always prioritize concerns about potential harm. When anchored this way, data governance becomes a powerful tool for rebuilding trust with the community and tackling our toughest challenges, from economic mobility to environmental sustainability.
Levine: What are the next steps? What are your goals for this project?
Luppino: From early on, we felt MetroLab Network would be an exceptionally valuable community of practice for civic leaders interested in using technology in people-first, creative, and responsible ways. As discussed at the Roundtable Session at the 2019 MetroLab Summit, the next step is to create an expanded working group to crowdsource a revised iteration of the draft MDHP, including representatives of cities and educational institutions in the network who have already expressed interest in participating, and others who would like to join the group and produce a helpful tool for municipalities across the country. So we are inviting all MetroLab members and other parties potentially interested in becoming part of this collaboration to contact me, Tony Luppino, at firstname.lastname@example.org, to request a review copy of the draft policy.