Share Data Only As Necessary
Three may keep a secret, if two of them are dead.
There is a growing trend in our technologically sophisticated society to share data and information indiscriminately. Government agencies have become part of this problem, creating massive shared databases of sensitive information about ordinary people. Many states and local municipalities run dedicated repositories with such information that are commonly referred to as “fusion centers.” Further, the costs of sharing enormous amounts of information have plummeted.
Any agency or local government engaging in surveillance should have strong restrictions that limit sharing and disclosure of sensitive personal data. These restrictions should take two general forms: they must limit the sharing of data with third parties, and they must place clear obligations on any recipient of data.
Surveillance data should be shared with other departments, outside entities, or other government agencies only when there is an established need that is essential to the original purpose for the collection. Examples include sharing with an outside individual responsible for auditing the department’s data collection practices or with a third party that is providing technical support. Data should not be shared with other parties for new or expanded purposes, or for any kind of dragnet or indiscriminate surveillance.
There should be clear contractual restrictions and policy guidelines for authorized recipients of this data. Data should not be shared with any entities, even other government agencies, if they cannot agree to appropriate restrictions and limitations.
Any data sharing must be subject to formal audit in accordance with the policies and guidelines that regulate the surveillance technology, and the third-party recipient must also be subject to these audits. In addition, community input should be solicited prior to disclosure of any information.
Employing these common-sense regulations on disclosure of surveillance data will protect privacy interests, promote accountability, and foster public trust.
QUESTIONS TO ASK
Is the information collected via surveillance shared with third parties?
Are any such third parties subject to legal or policy restrictions on their use or further disclosure of the information?
Are steps taken to audit sharing and subsequent use?
Has the community been consulted on this sharing?
Examples of Use
- Location: Menlo Park, CA
  City council restricts fusion center use of data
In Menlo Park, the city council mandated that a regional fusion center comply with the city’s own data retention schedule in its use of Menlo Park data it received.