Data privacy audit in Seattle reveals a city getting most things right
A data privacy assessment shows that Seattle’s privacy programs, policies and data publishing strategies may serve as a reference point for open data initiatives in other cities.
The data privacy analysis, conducted by a consultancy known as the Future Privacy Forum (FPF), audited Seattle’s open data program in January, giving high marks for initiatives that were accelerated in 2014 when Mayor Ed Murray directed the creation of a Privacy Advisory Committee, which eventually led to the launch of Seattle’s Privacy Program in 2015 and the creation of a chief privacy officer position in 2016.
Those efforts allowed the city to develop one of the most advanced open data privacy operations in the country, the FPF said.
David Doyle, the city’s open data manager, said Seattle Information Technology contracted FPF to perform the audit to comply with the city’s open data policy established in 2016. The goal was to verify the city has done everything it could to protect residents’ personal information from advertisers, prowlers and data brokers in the private the sector.
“We’ve been really diligent about having several building blocks in place that help us have a strong data ecosystem,” Doyle said. “I think all of those things combined help, along with our efforts to leverage outside expertise instead of developing privacy policies and processes in isolation.”
On a scale of 1 to 6, Seattle earned a 6 in the category of privacy leadership and program management. FPF praised Doyle for his leadership in designing and deploying “a comprehensive, strategic, and citywide plan.” Specifically, this meant training staff regularly on open data privacy, creating a network of open data leaders and applying a set of privacy principles to Seattle’s data publication process.
“We have protocols so that any open dataset, before it goes on our portal, goes through a privacy review,” Doyle said.
Other areas where the city excelled were in the areas of data quality, a category that weighed the city on its ability to ensure data can not be used, directly or when combined with other datasets, to identify residents. The report gives Seattle a 5 rating here.
The report also rated the city with a 5 for its use of open data for transparency and public engagement.
For privacy overall, the Future Privacy Forum rated Seattle with a 4, since privacy processes were implemented and documented but not reviewed more frequently.
“While the city’s Open Data Program appears less mature in other technical and policy domains, such as consistently applying benefit-risk analyses, deploying more sophisticated de-identification tools, and engaging in data fairness reviews, Seattle appears to be ahead of the curve in comparison to other municipal data programs today,” the report states.
Doyle said the city is still reviewing the report’s dozens of recommendations, but sees the positive findings as an affirmation of previous work. In 2018, he said the main privacy goal is training so departments can submit cleaner datasets for publication that require fewer privacy checks.
For other cities that may consider duplicating Seattle’s data privacy strategies, Doyle advised that whether the city is big or small, it should think of data privacy in the long term.
“We invested a lot in 2017 in internal infrastructure to make sure everything in terms of workflow is streamlined,” Doyle said. “It’s not a one-time effort, it’s a continual effort.”