As stressed throughout these PUDS Policy Guidelines the collection of private platform user data comes with serious responsibilities for relevant government parties to handle such data with appropriate care by ensuring best practices in data privacy and security. As discussed in guideline #2, this starts with a data minimization mindset and with avoiding the collection of unnecessary data, including any data for which risks posed by agency collection and handling are greater than potential benefits. For data that is collected to advance government objectives, PUDS Policies should build off of existing agency privacy policies to ensure that any personally identifiable information (PII), or other sensitive data that might pose concerns for re-identification or privacy issues are classified and safeguarded accordingly. This should include working with IT staff to ensure cybersecurity protocols are in place for sensitive data in rest and in transit, and to ensure that data is firewalled against access by those without appropriate permissions granted. Agencies should review PUDS roles and responsibilities (guideline #6) as well as PUDS data use cases (guideline #1) in order to set permissions for access to the most sensitive information in raw/granular form to only those who require access. Where such data is concerned, others who may have data use cases that do not require raw access should be permissioned to access only derivative or summary datasets that have undergone de-identification and aggregation, batching, or fuzzing of sensitive fields like timestamps and GPS location coordinates. In accordance with relevant privacy policies, it may make sense to require background checks or other pre-qualification requirements for those agency staff granted access to sensitive information, and such individuals should be subject to appropriate audits, monitoring or other checks and balances to provide accountability mechanisms in accordance with local laws and privacy procedures.
Department legal and policy advisors should be consulted to review relevant open records laws and consider disclosure obligations that may pose privacy risks for information that is substantively sensitive, but administratively not covered by open-records exemptions. Classification can help with this concern, and it is similarly recommended that data be labeled, formatted, etc. in ways that will support records act disclosure compliance without revealing detailed information about platform users. Records retention policies should similarly be reviewed, and can help set storage limits and timelines that can help reduce the risks and liabilities of storing sensitive user information.
For many legitimate government objectives and use cases, some data may need to be shared with other departments or even with outside agencies. In most instances, data aggregation and de-identification will allow for the sharing of non-sensitive derivative platform data. However, PUDS programs should require the establishment of clear processes and procedures for reviewing and documenting instances of data sharing and data access requests that may arise from time to time. Such processes should commit to transparency (guideline # 5) by keeping publicly available records of what requests for data access have been made and granted, to whom, and for what purposes. Depending on the context, it may also be appropriate to employ a standard license or data sharing agreement for such instances of data sharing that commits other departments or third parties to adhering to privacy requirements and limits use of information to predefined permitted purposes that align with stated government program objectives.
Importantly, unless otherwise compelled by law or court order, PUDS programs should firewall data against sharing with departments that deal with criminal justice issues for which privacy risks are particularly harmful, such as police departments or immigration services.
