D.C. releases draft data policy with new security safeguards, key open data changes
Washington, D.C’s IT department is showing off its new data policy, soliciting public input on a document governing both data security and open data efforts in the nation’s capital after the District’s new chief data officer got a chance to put his stamp on the draft.
Mayor Muriel Bowser first unveiled a preliminary version of a policy specifically addressing open data when she hired Chief Technology Officer Archana Vemulapalli in January, and posted the draft online. But when Vemulapalli tapped Barney Krucoff as the city’s new CDO this summer, he broadened the scope of the process to include information security practices in the policy as well.
At a meeting of the District’s “Open Government Advisory Group” Thursday, Krucoff unveiled the results of his changes, imploring the transparency advocates to review the new policy themselves and encourage others to do the same.
“We want as many people promoting this as possible,” Krucoff said.
Krucoff told StateScoop in August that he was hoping to design a more “comprehensive data policy” focused not only on open data, but also on how the city’s agencies are “moving secure data inside” the government.
Indeed, the new policy that Krucoff and the rest of the Office of the CTO has crafted is considerably more focused on data security than before. The order would compel each city department to establish an “agency information security officer” within 30 days of its passage, and lays out a host of security protocols that those officers would help their agencies follow for handling sensitive information.
Gone is the provision stipulating that the District’s data should be “open by default,” and that “agencies must justify why data should not be released publicly in its most complete form rather than the public being obligated to justify why data should be released.”
Instead, the new version of the policy lays out four different levels of classification for data. Those range from “restricted confidential” information that agencies believe “could potentially cause major damage or injury, including death” to residents or city workers if disclosed, to purely “open” data sets that agencies have raised no objections to proactively posting online.
The policy even changes the definition of “data” itself. The first document defined it as “statistical, factual, quantitative, or qualitative information in structured formats” without any qualifications — the new policy retains that definition, but specifies that “records of determinations, measurements, or transactions made by covered governmental entities and related to the mission of those entities” should be treated as data while “documents, emails, messages, videos, recordings, or hard-copy records” should not be afforded that classification.
For transparency advocates in attendance at Thursday’s meeting, that distinction proved quite troubling.
“That’s crazy talk,” said Alex Howard, a senior analyst at the Sunlight Foundation. “All operations of government should be represented as data. This looks like an amazing carve out for government to shield data from disclosure law.”
Howard charged that such a provision is “not an acceptable approach” for the District to take, and pointed to the policy’s sections surrounding its intersection with public records law as another potential cause for concern.
Namely, the document notes that the city’s Freedom of Information Act and “this policy shall be distinct but complementary practices,” though it does concede that “FOIA request-tracking data can inform agencies about the demand for and priority of publishing certain datasets.”
Still, Howard would rather see the city move away from this “bifurcated approach,” and adhere more closely to the provisions of its first draft of the policy, which directed agencies to evaluate how often a data set is targeted by public records requests as staff prioritizes data for release.
“FOIA and open data should be connected together, not pulled apart,” Howard said.
[Read more: D.C. leaders urge civic hackers to throw support behind open data legislation]
However, he did laud the Office of the CTO for including a requirement that the agency work with the attorney general’s office to “operate and improve a citywide tool for managing and tracking FOIA requests.” He was also encouraged that the department would then post data about the request in an open format after a delay of 14 business days.
Though some in attendance raised concerns about that piece of the policy, pointing to the debate at the federal level about the “release to one, release to all” standard agencies are considering adopting for data released through FOIA, others were confident that delay in posting information would prove sufficient to allay any concerns.
“That’s going to allow any requester ample opportunity to review the data before it’s released,” said Traci Hughes, the director of the District’s Office of Open Government.
Krucoff also urged that, these concerns about transparency and openness aside, he wanted the policy to reflect the worries he’s heard about both “security and privacy” as he’s circulated the document for review.
“The Office of Victims Services [and Justice Grants], they expressed a lot of concern about the previous version,” Krucoff said. “They’re really concerned about protecting data on victims.”
He said he also took the policy to other city agencies, like the Office of the Chief Financial Officer and the Office of the City Administrator, and he expects others to weigh in in the coming weeks too.
But he noted that he recently showed it off at a meeting of D.C.’s chapter of Code for America as well, and he’s hoping to include a broader perspective as the city tries to finalize the policy.
“The review process so far has been coming from the people we looked up and sought out,” Krucoff said. “Now we want it to be more public.”