Trust in Local Government: Privacy-by-Design in NYC

BY MATTHEW LEGER • August 23, 2022

Local government earns trust when it performs critical services well. But trust depends on more than just the results—it also means residents have confidence in the steps it took to get there. And therein lies the irony: in a time of rapidly changing technologies that can in fact improve services, officials need to be particularly sensitive to the privacy and security of personally identifiable information (PII).

When interacting with residents and delivering critical public services, local governments often collect, analyze, and store highly sensitive personal information, like social security numbers, bank account information, personal addresses, and more. Even in the right hands, this data can be at risk of a loss of privacy. And in the wrong hands, this information can be used to steal personal identities, commit fraud, or worse.

Privacy and security are connected, though not exactly the same. The more personal data is collected and retained, the higher the risk and cost of a security breach. In the last few years, very high-profile cybersecurity and ransomware attacks have exacerbated concerns over the ability to keep private information secure, eroding trust between local government and the public. And data privacy rules relating to third parties played a major role in the cancellation of the large Toronto/Sidewalk Labs joint venture.

New York City is at the forefront of local government privacy best practices. The current Chief Privacy Officer (CPO) Michael Fitzpatrick spoke with Data-Smart about the history of this work, why privacy policies must be collaborative, and what the future of data privacy looks like in NYC.

Establishing an Office of the Chief Privacy Officer in NYC

In 2017, the City Council passed Local Laws 245 and 247, which established the city’s Office of the Chief Privacy Officer and went into effect in 2018. The CPO was granted the authority and duty to create new privacy policies and protocols within a new citywide privacy protection framework. The law also embedded Agency Privacy Officers (APOs) across all city agencies to oversee privacy practices in their departments. The mandate of the CPO was to ensure that “identifying information is anonymized where appropriate,” and to provide expertise, advisory support, training, and counsel to the Mayor, Chief Technology Officer (CTO), and city officials on privacy issues.

In 2018, Executive Order 34 established the Mayor’s Office of Information Privacy, which is currently the Office of Information Privacy (OIP), and placed the CPO at its head. It also established a Citywide Privacy Protection Committee (CPPC), an advisory board tasked with evaluating biennial reporting from agencies across the city relative to their privacy practices and providing recommendations to the CPO on how citywide policies can be revised and improved.

Building a Culture of Privacy in NYC to Build Trust

Laura Negron was the city’s first CPO, appointed by then-Mayor Bill de Blasio in 2017. Under Negron’s leadership, NYC grew and significantly expanded the reach of the CPO’s office, with a focus on building a culture of privacy across city government and standing up privacy practices and infrastructure.

During her tenure, Negron successfully translated Local Laws 245 and 247 into a fully functioning citywide privacy framework. As part of this effort, she established the city’s core privacy policies and protocols, the Citywide Privacy Protection Policies and Protocols. Negron also implemented an agency reporting cycle that occurs every two years, where APOs report on their agency’s privacy practices. Today, the city is on the cusp of completing its second biennial agency reporting cycle.

Beyond building the city’s core privacy framework, Negron and her staff were deeply involved with IDNYC, the city’s local identification card initiative, working to draft agency agreements and ensuring privacy policies were in place to protect the identification of vulnerable immigrant communities and undocumented New Yorkers. The privacy team was also heavily involved in the city’s response to COVID-19, working to launch testing and vaccination sites, manage documentation processes for student cases and vaccinations in the NYC public schools, and support the city’s Recovery Data Partnership with the private sector. “These initiatives have proven to be big successes for the city and our privacy office,” said Becky Blatt, senior counsel for special projects, strategy, and external affairs for OIP.

A New Chapter for NYC’s Office of the Chief Privacy Officer

Negron retired from her post when Mayor Eric Adams took office in 2022, paving the way for the CPO Michael Fitzpatrick, who was appointed by Mayor Adams in April 2022. Under Mayor Adams, OIP moved under the Office of Technology Innovation (OTI) and reports to Matthew Fraser, the city’s CTO.

By embedding the CPO role within OTI and continuing to leverage the APO network, the city’s leadership has enabled a “privacy-by-design approach to government operations and initiatives,” said Fitzpatrick. The move encouraged collaboration among technology-related authorities and “ensures privacy considerations are in place from the initial stages of all government processes or initiatives.” The purpose of this, according to Fitzpatrick, is to build trust with New Yorkers, ensuring a high level of comfort among the public in terms of how the city is collecting, sharing, using, and protecting PII.

Keys to Success

Fitzpatrick identified several keys to success, including identifying privacy champions across agencies, establishing privacy as a citywide priority, and providing simple and clear privacy guidance from the CPO. “In the public sector, signals matter,” said Fitzpatrick. “New York’s privacy framework was created out of local law, meaning there is a strong signal from the legislative and executive branches that privacy is of utmost importance.” Sending such a strong signal from the top helps to ensure agency buy-in and signals to the public that privacy efforts are taken very seriously.

Fitzpatrick and Blatt also felt it was critical to establish core privacy principles for agencies and the APOs. “Privacy laws can be extremely complicated,” said Blatt. “By establishing core privacy principles, you can give agency employees something that they can wrap their heads around and give them a simplified framework to guide their day-to-day work. This in turn helps us to scale privacy best practices across the city.”

“Privacy practices are living, breathing entities” that are constantly evolving, explained Fitzpatrick. The dynamic nature of the information privacy environment necessitates that privacy programs adapt over time, but what's critically important is getting the program up and running to begin the important work of protecting the information of city residents and visitors.

Making it easier for a resident to qualify for benefits or simplifying service requests clearly illustrates the challenges and tradeoffs of privacy and efficiency, and the importance of having guiding principles. The more information the city possesses, the more it can speed up identification of a person to provide support more quickly or respond to concerns. Efforts across the country and in NYC to establish smoother customer management systems shine a light on the privacy complexities. The opportunities and risks become clearer as customer relationship management systems struggle to connect a place where a person lives and needs services, to the cellphone number they may use to make the request, to the identification verifications required to receive key municipal services and benefits.

Mayor Adams’s significant “MyCity” initiative, currently in development at OTI, will reduce bureaucratic steps and save time for residents seeking assistance, but demonstrates the importance of having the privacy team at the table. Moving from a world where each interaction with government feels like the first time, to one where information provided by an individual is coordinated among agencies to drive more effective and efficient government services for that person presents substantial benefits, while also raising privacy questions.

For Fitzpatrick, the solution must be built upon transparency with the customer and providing sufficient information about how their information will be handled and why. The MyCity initiative covers many city departments, which reinforces the importance of having APOs in each agency who can more deeply assess the benefits and risks associated with collecting, using, and sharing individual data, including what data can or should be stored.

The Future of NYC Privacy

Fitzpatrick is focused on elevating OIP, boosting the agency’s capacity to carry out its mission and expanding the services it provides.

These enhancements involve increasing the total headcount of the office and expanding from a focus on internal city processes to a broader strategy of public engagement, soliciting suggestions from the public and developing partnerships with New York City’s academic institutions and the private sector. In addition, OIP will continue to help set privacy policy for City contractors and vendors reflecting the current privacy and cybersecurity landscape, including required privacy terms and conditions for city contracts to sufficiently protect PII.

Perhaps most importantly, Fitzpatrick believes that as CPO, he has an important role to play in building and maintaining a trusting relationship between New Yorkers and their government. “As a government entity, we have access to extremely sensitive personal information for millions of people and we are responsible for providing needed services to the public, especially the most vulnerable. Effectively delivering on that core mission requires that we have strong governance over the information and services we provide, which in turn enables us to earn the confidence and trust of the public.”

About the Author

Matthew Leger

Matt Leger is a Research Assistant for the Innovations in Government Program at the Ash Center. He has a diversity of experiences in research across the public and private sectors, as well as in academia, with a primary focus on understanding how technology can be used to help address some of society’s greatest challenges. Matt has worked with the Smart Cities Strategies team at the International Data Corporation (IDC); the NYCx team in the NYC Mayor’s Office of the Chief Technology Officer; and at the research institute CTG-UAlbany. He holds a Bachelor of Arts in Public Policy and a Master’s Degree in Public Administration, both from the Nelson A. Rockefeller College of Public Affairs and Policy at the University at Albany in Albany, NY.