Over the past twenty years, the issue of personal privacy has increased in importance as relationships, transactions, and even the voting franchise have been enabled and recorded by new technologies that are broadly interconnected and heavily promoted. Government and public services have evolved, creating a need to understand and advocate for commitment to data privacy. The challenge is complicated because the appropriate limits on data exposure vary with the context of the service and the type of data being used.
Cities, particularly, face a unique combination of data security responsibilities as critical public service providers. First, they must protect the privacy of residents who request and receive public services. Second, they must maintain detailed and auditable records of how taxpayer dollars are spent. This natural conflict creates an opportunity for IT and Security leaders to help solve two disparate problems with a single, integrated response. Permitting and prohibiting access to private data now requires a tailored approach, where data privacy is an enabler and an outcome.
City IT leaders should keep the following data privacy capabilities in mind:
- Categorization: All data is not created equal, nor are all requirements for data privacy. IT leaders must advocate for a citywide understanding of the benefits of classifying the necessary protection levels for information that is collected. With this information, appropriate levels of data privacy can be applied, optimizing the impact of IT security spending.
- Control: For all services accessing or acquiring private data, leaders must have confidence in the mechanisms used to authenticate, request, capture, transmit, and/or store that data. These controls provide the means of both limiting and better understanding all interactions with the public’s private data.
- Auditability: For all services and operations that access private data, all interactions must be monitored and recorded. This comprehensive visibility enables consistent reporting and, when needed, analysis in the case of any data breach or credential compromise.
- Awareness: All outbound connections must be monitored to quickly identify and interrupt any ongoing exposure of private data. Recognizing atypical patterns of data communications or known malicious destinations for network traffic provides the opportunity to first disrupt, and then investigate, attempted exposure of private data.
As we emphasize data privacy during our national Data Privacy Week, we can take the opportunity to share its importance with our stakeholders and peers. Data privacy underlies the controls we use to access critical services, to offer online and automated constituent services, and to ensure the sanctity of our relationship with citizens for functions from paying their taxes to casting their votes. People rely on an informed government to understand and serve them, and they rely on that same government to protect their privacy.
NLC has partnered with industry-leading cybersecurity providers NuHarbor Security, Splunk, and Tenable to provide a comprehensive strategy to cities’ Information Security Programs. Read more about the partnership between NuHarbor Security and NLC, and how NuHarbor can benefit your community.
About the Author
Jack Danahy is the VP of Product and Engineering at NuHarbor Security.