Principle 4. Promote Responsibility for Data Governance Among Multiple Layers of Nested Enterprises.

Ostrom’s original principle: Build responsibility for governing the common resource in nested tiers from the lowest level up to the entire interconnected system.

In the sections above, we provided recommendations for the improved governance of smart city data. This section seeks to provide guidance on who should be implementing the above suggestions.

Cities must create internal capabilities at multiple levels in order to understand, support, and delegate responsibility for decisions around smart city data. Designate specific people to make decisions around data, and elevating their roles to positions of power. Educating those already in positions of power about data. Efforts should occur at multiple levels of governance (i.e., city, agency, project, individual), and these multiple parties should be enabled to collaborate or make collective decisions (i.e., through working groups, councils, or committees). This is crucial for shared learning, tracking best practices, and ensuring a coordinated approach between all levels.

Managing data governance in a smart city includes the following responsibilities:

• Evaluating and approving new technologies for the city to develop or adopt;
• Handling public complaints about data and technology projects, and arbitrating data disputes;
• Formulating and monitoring compliance with privacy policies and other relevant legislation;
• Advising and providing internal policy and education within public agencies;
• Increasing public awareness and educating communities on relevant issues; and
• Developing strong relationships with other agencies, NGOs, academia, local communities, the private sector, as well as facilitating communication and convening meetings between these stakeholders.

City-level

Data leadership takes very different forms across different city governments, featuring a range of titles, organizational locations, and responsibilities. At least 16 cities have a Chief Data Officer, who sits everywhere from the Mayor's Office in San Francisco to the Department of Innovation and Performance in Pittsburgh. Several cities also have a Chief Privacy Officer, Chief Information Officer or Chief Technology Officer. Most of these titles lack standard definitions. A description of the various roles of city data officers is available here, or via an overview of New York City’s ecosystem in Appendix 1.

However, evaluating and approving new technologies is not generally a function of these leadership positions, and there is no city-level approval process for technology adoption. As a result, publicly elected city-council members are often in the dark about new technologies their city agencies use, or partnerships that agencies enter into. The results of this awareness gap are painfully apparent in light of recent controversies like the use of the Clearview AI facial recognition app by various law enforcement agencies and Amazon’s Ring’s secret partnerships with over 500 police departments.

One solution is to delegate the role to an enumerated body. For example, thirteen cities have passed surveillance ordinances requiring their city council to approve any city acquisition of technology that meets their definition of “surveillance.” It is important that this oversight covers not just formal acquisitions of technology, but also free software (i.e., Clearview AI) or informal partnerships (i.e., Amazon Ring).

While a city council may make the final decision, cities could also create or use expert groups to advise the council’s decision making. For example, Oakland’s standing Privacy Advisory Commission (OPAC) is made up of community experts who provide advice and technical assistance on best practices to protect citizen rights in connection with the City’s purchase and use of technology that collects or stores citizen data. A city may also tap a party with some pre-existing expertise, notably a Chief Privacy Officer, to play a greater role in the technology adoption process. A city may also want to invest in programs like civic fellowships, or lean more heavily on NGOs and foundations already working on these issues.

Agency-level

City agencies and departments that routinely roll out smart city technology, or even those that do not, may wish to create their own officer position, informal working group, or advisory committee to evaluate new technologies and data policies prior to adoption.

The U.S. Department of Justice urges all law enforcement agencies collecting personally identifiable information (PII) to have a Privacy Officer, and New York City’s Identifying Information Law requires each agency head to designate an individual to act as its privacy officer that will compile and report information about their agency’s collection and disclosure of identifying information, as well as their privacy practices. However, these officers’ roles largely relate to reporting. While transparency is important, in the case of technology adoption it is also crucial for these individuals or committees to have decision making power—perhaps working—closely with or inside procurement departments.

Project-level

Each smart city project must also take responsibility for key data governance issues. Each project should have a designated leader responsible for developing project-wide data governance practices and policies, and dealing with any conflicts that arise. The city government could facilitate the creation of this role by making this designation a prerequisite of project approval, providing advisory support to project teams, or connecting the team to NGOs that could help in an advisory capacity.

Individual-Level

At the lowest level, individuals should have input into the activity through public comment periods, town halls, proceedings open to the public or as part of a multistakeholder proceeding like a working group open to the public. (As elaborated upon in Principle 1.)