Why mobility data should be treated as PII
- By Stephanie Kanowitz
- Jun 10, 2019
One way cities can manage the deluge of data generated from new transportation technologies is to treat geospatial mobility data as personally identifiable information (PII), according to new guidance.
“It should be gathered, held, stored and released in accordance with existing policies and practices for PII,” according to a new National Association of City Transportation Officials (NACTO) policy titled “Managing Mobility Data.”
That’s because mobility data -- information generated by activity, events or transactions using digitally enabled mobility devices or services, by NACTO’s definition -- often includes a series of points with latitude and longitude at regular intervals. It’s easy to connect those literal dots to discover who is traveling, according to the document, released in April and compiled with the International Municipal Lawyers Association.
Geospatial data is or can become PII in two main ways, the policy states. One is through recognizable travel patterns, such as going from home to work. The other is in combination with other data.
“For example, taken by itself, a single geospatial data point like a ride-hail drop-off location is not PII,” the policy states. “But, when combined with a phonebook or reverse address look-up service, that data becomes easily linkable to an individual person.”
Other sources of easily identifiable or connectable information include dockless scooters, ride-hail service apps and autonomous vehicles, all of which are easily tied to individual profiles. This data has practical applications, though. For instance, better insight into the volume of pickup and drop-off activity at given locations can help cities when they consider adjusting curbside rules.
Already saddled with questions about how to use, store and analyze all this newly available data, cities now have the added challenge of determining with private-sector partners how best to reconcile the competing goals of access and privacy with the need to share data. The companies that supply the data-collection devices need the information to operate their businesses, but “the ability of an individual to think and move freely, without fear of undue surveillance, is the foundation of democratic society,” the policy states.
The policy offers four principles for cities looking to manage geospatial data responsibly:
- Consider the public good by requiring access to data from mobility services operating in the public right-of-way, enforcing contractual agreements with public interest in mind and using open-data formats.
- Protect the information by treating geospatial data as PII, ensuring that data policies are regularly updated and include modern security approaches, requiring vendors to prove compliance with privacy requirements and updating city insurance policies to limit liability.
- Be purposeful in choosing what to analyze when collecting data from companies. Cities should also audit data internally and work with companies to clearly define in their user agreements what consent means in terms of data collection and use.
- Be portable, meaning cities should put open data standards and formats first.
The document also sets out best practices for data handling, such as setting limits on how long travel data is stored, publicly sharing only aggregated data, setting rules for when and why individual records can be accessed and putting governance responsibilities and roles in place.
Stephanie Kanowitz is a freelance writer based in northern Virginia.