Cities should collect, store and release geospatial mobility data in accordance with existing policies and practices for personally identifiable information (PII).

NACTO guidance emphasizes why cities should treat geospatial mobility data as they treat personally identifiable information (PII).


Background (Show)

Lesson Learned

Geospatial trip data can easily become PII. While cities have held and managed personally identifiable and other sensitive information for centuries, the volume of data and the ease with which geospatial data can now be gathered, combined, and analyzed is unprecedented. To protect the people they serve, cities should work to ensure that their policies and practices are updated to treat geospatial trip data as PII and that private operators follow good practice to protect the privacy of their customers.

The responsibility for protecting privacy does not end with the public sector. In addition, as part of the terms for operating a business in the public right-of-way, companies must prove that they are responsible stewards and protectors of the data they gather. For example, companies could commit to retaining individual trip level data only for the duration of time necessary to carry out the legitimate mobility-related purposes of cities and private-sector partners.

The following lessons outline suggested actions for cities to best protect the people they serve:
  • Treat geospatial mobility data as PII in policy and practice, and work with their legal departments to develop or update protocols for how they handle, store, and protect such data. Such protocols should include policies for handling public disclosure requests that recognize the private nature of mobility data.
  • Ensure that their data policies and practices are routinely updated and, at a minimum, include modern digital security methods, protocols for storage, access, retention and deletion, data breach plans, and cybersecurity insurance.
  • Update data privacy and insurance policies to limit city liability. At a minimum, ensure that PII is redacted in all public records requests if possible under state law.
  • Require mobility companies and vendors to prove that they are in compliance with contractual requirements, industry standards, and laws regarding data privacy and consumer data protection. These include, but are not limited to: modern digital security methods, protocols for storage, access, retention, and deletion, and data breach plans.
  • Coordinate with other cities to establish best practices for government and private companies to maintain individual trip records for the shortest time needed, for the purpose originally stated, and to apply, analyze, aggregate and anonymize mobility data.

Lesson Comments

No comments posted to date

Comment on this Lesson

To comment on this lesson, fill in the information below and click on submit. An asterisk (*) indicates a required field. Your name and email address, if provided, will not be posted, but are to contact you, if needed to clarify your comments.


NACTO Policy 2019: Managing Mobility Data

Published By: National Association of City Transportation Officials

Source Date: 04/01/2019

URL: https://nacto.org/wp-content/uploads/2019/05/NACTO_IMLA_Managing-Mobility-Data.pdf

Other Lessons From this Source

Lesson Contacts

Lesson Analyst:

Kathy Thompson


Average User Rating

1 (21 ratings)

Rate this Lesson

(click stars to rate)

Lesson ID: 2019-00904