As the volume of data created on the public right-of-way and exchanged between parties grows, cities and private transportation providers need a common framework for sharing, protecting, and managing data. The National Association of City Transportation Officials (NACTO) and the International Municipal Lawyers Association have set out principles and best practices for city agencies and private sector partners to share, protect, and manage data to meet transportation planning and regulatory goals in a secure and appropriate manner. While this document focuses mainly on the data generated by ride-hail and shared micromobility services, the data management principles can apply more broadly.
Geospatial trip data can easily become PII. While cities have held and managed personally identifiable and other sensitive information for centuries, the volume of data and the ease with which geospatial data can now be gathered, combined, and analyzed is unprecedented. To protect the people they serve, cities should work to ensure that their policies and practices are updated to treat geospatial trip data as PII and that private operators follow good practice to protect the privacy of their customers.
The responsibility for protecting privacy does not end with the public sector. In addition, as part of the terms for operating a business in the public right-of-way, companies must prove that they are responsible stewards and protectors of the data they gather. For example, companies could commit to retaining individual trip level data only for the duration of time necessary to carry out the legitimate mobility-related purposes of cities and private-sector partners.
The following lessons outline suggested actions for cities to best protect the people they serve:
- Treat geospatial mobility data as PII in policy and practice, and work with their legal departments to develop or update protocols for how they handle, store, and protect such data. Such protocols should include policies for handling public disclosure requests that recognize the private nature of mobility data.
- Ensure that their data policies and practices are routinely updated and, at a minimum, include modern digital security methods, protocols for storage, access, retention and deletion, data breach plans, and cybersecurity insurance.
- Update data privacy and insurance policies to limit city liability. At a minimum, ensure that PII is redacted in all public records requests if possible under state law.
- Require mobility companies and vendors to prove that they are in compliance with contractual requirements, industry standards, and laws regarding data privacy and consumer data protection. These include, but are not limited to: modern digital security methods, protocols for storage, access, retention, and deletion, and data breach plans.
- Coordinate with other cities to establish best practices for government and private companies to maintain individual trip records for the shortest time needed, for the purpose originally stated, and to apply, analyze, aggregate and anonymize mobility data.