DATA PRIVACY PRINCIPLES
Enterprise Committee
February 6, 2020
Courtesy of Meet Minneapolis
Overview
• Data privacy principles
– Data associated with individuals
– High-level
– Aspirational
– Guide decision-making
– Balance with other values
– Extend existing work
– Embrace, extend existing law
Contributors
• Individuals
– Carol Bachun
– Ginger Bigbie
– Stacie Blaskowski
– Mageen Caines
– Casey Carl
– Beth Cousins
– Council Member Fletcher
– J. P. Heisel
– Joshua Johnson
– Eero Kilkson
– Lisa Lamor
– Andrea Larson
– Susan Trammell
– Tracy Turner
– David Zaffrann
• Departments
– City Attorney
– City Clerk
– City Coordinator
– CPED
– Health
– Human Resources
– Information Technology
– Internal Audit
– Police
– Public Works
– Ward Offices
• Public roundtable participants
The Principles
• We value and prioritize your data privacy.
• We do not collect data unless there is a reason to do so.
• We do not keep data longer than we need to.
• We strive to be transparent about when, why, and how we collect and use data on individuals.
• We protect your data.
• We want your data to be accurate.
• We leverage our partnerships to support data privacy.
• We educate the public about their rights.
Questions?
We value and prioritize your data privacy.
• We recognize that maintaining data privacy is very important and is a priority of city staff.
• While we are bound by federal and state laws governing data and record retention, we consider risks before collecting, creating, or using data on individuals, such as names, addresses and other contact information, or driver’s license numbers. We also consider how pieces of data that are not directly associated with a person might be combined to identify individuals.
• Note: This principle explicitly acknowledges the importance of data privacy in City decision-making. It has three main elements.
– It recognizes the importance of privacy. Beyond complying with specific laws related to data, nothing has previously embedded privacy considerations in City decision-making. Compliance with the law is a minimum. This principle is intended to ensure privacy is appropriately prioritized amongst other considerations. For example, privacy concerns should be part of discussions regarding new technology systems, business practices, vendors, and partnerships.
– It sets the primary focus on “data on individuals,” which means all data in which any individual is or can be identified as the subject of the data. This term is defined and used in the MN Government Data Practices Act and elsewhere in MN law. It is Minnesota’s equivalent to the concept of Personally Identifiable Information (or PII), but using “data on individuals” harmonizes with other MN law.
– It explicitly includes information that could be combined to reveal data on individuals. This is already part of the law, but stating it here clarifies the concept without having to refer to external sources.
We do not collect data unless there is a reason to do so.
• We weigh the risks of creating and collecting data against the potential benefits of using that data. We do not create or collect data on individuals unless there is a reason to do so.
• Before adopting new technology, services, or processes, we consider the impact on data privacy.
• Note: This principle restates the existing legal requirement limiting collection of data on individuals and encourages an additional notice when collecting public data. State law largely defines the balance between privacy and transparency. One tool the City can use to limit exposure of data on individuals is to limit the data we create, collect, and use. This principle supports data minimization while leaving room to leverage data where appropriate.
• This principle underlines the existing legal requirement that “collection and storage of all data on individuals and the use and dissemination of private and confidential data on individuals shall be limited to that necessary for the administration and management of programs specifically authorized by the legislature or local governing body or mandated by the federal government.” Minn. Stat. 13.05 subd. 3. As stated, it extends the consideration beyond data on individuals to all data (which, for example, could include data on companies or other organizations).
• It specifically highlights adoption of new technology or deployment of new services/lines of business as times when new types of data are more likely to be created or collected. It does not specify technologies, such as facial recognition, so as to remain relevant over time as technological concerns change. Further policy on specific technologies may be considered separately.
We do not keep data longer than we need to.
• We seek to keep data on individuals only as long as legally required or needed for a legitimate City purpose.
• Note: Existing law limits the collection and storage of data on individuals but allows destruction only pursuant to an authorized retention schedule. This principle, along with the previous principle, acknowledges both limits to collection/use as well as limits to how long we keep data on individuals. This requires the City to ensure data on individuals are included in the retention schedule and to take steps to destroy the data once it is eligible for destruction.
• This language leaves open the option to anonymize data (if no individual can be identified, the data is no longer data on individuals), such as for trend analytics. Given the first and second principles (valuing data minimization and considering the possibility that data sets can be combined to identify or de-anonymize data), even this merits care.
We strive to be transparent about when, why, and how we collect and use data on individuals.
• When there are legitimate practical purposes for us to collect or create data on individuals to do the work of the City, we strive to be transparent about the data being collected or generated by our activity, the reason for doing so, who will have access to it, and the planned duration of data storage.
• When feasible, we inform you if the data we collect from you could or must be made publicly available.
• Note: This principle encourages transparency into the City’s collection, creation, and use of data on individuals.
• It echoes existing law, which requires certain disclosures when collecting private and confidential data and requires disclosing an inventory of the types of private or confidential data on individuals that the entity maintains. This principle encourages similar transparency around data on individuals that the law classifies as public, and beyond data collected from the individual (e.g., to data created by the City).
• All the principles are aspirational, but the explicit language here (“strive” and “when feasible”) recognizes logistical difficulties in this principle. For example, there are not always mechanisms to provide disclosure regarding public information. Further, much data can be at least arguably linked to an individual when combined with other data, making an exhaustive inventory a massive undertaking. The language signals that the principles’ intent is to guide the City over time towards increased transparency about the City’s collection, creation, and use of data on individuals.
We protect your data.
• We protect private and confidential data on individuals while it is in our possession. We ensure that this data is only accessed and used by those with a legitimate purpose.
• We will tell you as soon as possible when a breach has occurred. Knowing that data about you has been compromised is your first step to minimizing the risks that may come from it.
• Note: These three elements (protecting private and confidential data on individuals; limiting access/use to those with a business need; and informing data subjects if a data breach has occurred) are required under current law. This statement affirms those requirements and underscores the importance of effective data protection, both as an element of privacy and as a part of every decision involving private and confidential data.
We want your data to be accurate.
• When we need to collect and keep data on individuals, we want this data to be accurate and up-to-date. When possible, we allow individuals to correct inaccurate data about themselves.
• Note: This principle acknowledges the existing right of data subjects to correct erroneous data about themselves and is already required under current law. Generally, it is fulfilled by a combination of data requests and challenging the accuracy of the data. Based on community feedback, a “right to be forgotten” was considered but is in conflict with state law about how municipalities retain data.
We leverage our partnerships to support data privacy.
• The City prioritizes data policies, protection, and privacy when engaging with or evaluating partners, vendors, and third-party services seeking permission or license to operate in Minneapolis. The City will leverage our power to encourage them to protect data on individuals and uphold the spirit of these principles.
• Note: This principle expresses a goal of extending the impact of the privacy principles beyond the City government. The language does not identify any specific requirement but underscores that data management, protection, and privacy are important considerations when making decisions with or about third parties.