Administrative Policy (Jul 30, 2015)
1.0 Scope and Application
Q. What is the City of Boston Data policy?
A. This is the City’s policy on Open and Protected Data that was called for in the Executive Order signed by Mayor Walsh on April 7, 2014.
Q. What is the goal of this policy?
A. This policy is intended to guide the City in:
- defining data and determining what data could be made open and which data must be protected;
- treating data as a valuable resource;
- making open data available, understandable and relatable for the public;
- protecting data that must be kept secure and private according to federal, state and local laws;
- ensuring that the City’s data practices respect the priorities and interests of the whole community.
Q. Who owns this policy?
A. The City of Boston’s Chief Information Officer (CIO) and whomever the CIO designates is responsible and manages this policy.
Q. What data is covered by this policy?
A. For the purposes of this policy, data is defined as geospatial, tabular, textual, legislative and source code that is maintained in an electronic, digital or optical format. This policy covers any data produced or received by any department in the City of Boston.
This Data Policy is intended to reflect and support the same principles and purposes underlying the Executive Order namely:
- The City of Boston recognizes Open Government as a key means for enabling public participation, transparency, collaboration and effective government, including by ensuring the availability and use of Open Data, appropriate security and sharing of Protected Data, effective use of Identity and Access Management and engagement of stakeholders and experts toward the achievement of Open Government; and
- It is the policy of the City of Boston to practice Open Government, favoring participation, transparency, collaboration and engagement with the people of the City and its stakeholders; and
- Information technologies, including web-based and other Internet applications and services, are an essential means for Open Government, and good government generally; and
- The City of Boston should continue, expand and deepen the City’s innovative use of information technology toward the end of Open Government, including development and use of mobile computing and applications, provision of online data, services and transactions; and
- The City of Boston also has an obligation to protect some data based upon privacy, confidentiality and other requirements and must ensure that protected data not be released in violation of applicable constraints; and
- Clarification and definition of open data, privacy, security requirements, interoperability and interaction flows is necessary for the City’s Open Government agenda.
1.2 Incorporation by Reference
The City of Boston Data Policy uses “Incorporation by Reference” to avoid duplication and connect content in a modular, extensible manner. Content may be Incorporated by Reference from External Content or from other sections internal to the Data Policy.
When the Data Policy explicitly identifies External Content by it’s name and URL as “Incorporated by Reference”, then that content shall have the same force and effect as if it had been published directly in the City of Boston Data Policy.
External content Incorporated by Reference is intended to provide additional relevant information and augmenting details that are consistent with the Data Policy. The terms of the City of Boston Data Policy shall prevail and supersede any materially inconsistent or directly conflicting terms of content Incorporated by Reference.
1.3 Policy Authorization
The City of Boston Data Policy is issued pursuant to the Executive Order promulgated by Mayor Martin J. Walsh on April 7th, 2014. That order authorizes and directs the Chief Information Officer (CIO) to issue and maintain policies covering Open Data and Protected Data including Identity and Access Management guidelines for Sharing Protected Data.
1.4 Definition of Data
Data is to be treated as an important resource of the City of Boston and its constituents for strategic and operational purposes, among others. For the purposes of this policy, data is defined as geospatial, tabular, textual, legislative and source code that is maintained in an electronic, digital or optical format.
1.5 Policy Construction and Interpretation
Nothing in this Data Policy shall be construed to diminish or alter the rights or obligations afforded under the Massachusetts Public Records Law, Chapter 66, Section 10 of the Massachusetts General Laws and the exemptions under Chapter 4, Section 7(26). Additionally, this Data Policy is intended to be interpreted consistent with Federal, Commonwealth, and local laws and regulations regarding the privacy, confidentiality, and security of data. Nothing herein shall authorize the disclosure of data that is exempt, for reasons such as confidentiality or privacy, or otherwise legally protected unless such disclosure is authorized by law and approved by the Corporation Counsel of the City of Boston.
2.0 Data Management
Q. How is data indexed?
A. The City will maintain a Data Catalog, which serves as a registry of the City’s data sets and includes key information documentation about the data, including whether it is considered Public Record.
Q. What is Data Classification?
A. Data Classification is the process of determining which data sets are Public Records and which sets are Exempt Records according to Chapter 66, Section 10 and Chapter 4, Section 7(26) of Massachusetts General Laws.
Q. What is a Data Classification Label?
A. A Data Classification Label is the quick way to check if any restrictions apply to disclosure or use of data. There are two main labels: The “Public Record” or “Exempt Record” labels. A label may change over time due to changes in law, the use of analytics or the combination of other data, for example.
Q. Does a Data Classification Label change?
A. How a specific data set is labeled may change for a number of reasons including a change to law or new data analysis. For example, data that, itself, may not contain personally identifiable information may reveal such information when combined with other data sets.
Q. Who has rights to data generated through a private contract?
A. The City has numerous contracts with private companies to facilitate City operations such as applying for building permits.. Unless specified otherwise in a contract, the City of Boston has the exclusive right to share, store or dispose of data created through these contracts. The City will seek to include standard language in all contracts that ensure these rights.
2.1 Data Catalog
To manage the City’s data, the Chief Information Officer and the CIO’s designee shall establish and maintain a Data Catalog. That data catalog will be a register of data sets, including information such as their location, description, classification, custodianship, security controls or other stipulations, where applicable.
2.2 Data Classification
Data of the City of Boston will be classified as a either a Public Record or an Exempt Record according to Massachusetts General Laws Chapter 66, Section 10 and Chapter 4, Section 7(26) . The CIO will work with the City’s Law Department and the relevant departments who are closest to each data set to conduct this data classification. The data sets will be labeled in the Data Catalog according to their classification.
2.3 Impact of Data Analysis & Data Science
The CIO or the CIO’s designee will regularly review the catalog and work with the relevant Departments to ensure that classifications labels are appropriately up to date. The classification of data as an Exempt Record or as a Public Record may change after analytics or other computational processing are conducted on data.
2.4 Rights to Share, Store and Dispose of Data
In some cases, the City will enter into contracts with third parties for the provision of public services, through which new data will be generated. In these cases, the City’s default position is that the City - and not third party acting on behalf of the City - has the exclusive right to share, store or dispose of data, to the extent allowed by law.
The City of Boston Model Data Contract, which is hereby Incorporated by Reference, includes specific standard contract language.
3.0 Open Data Policy
Q. What is Open Data?
A. For the purposes of this policy, Open Data are data sets classified as Public Records that are published on the City’s website or are otherwise accessible without making a public records requests.
Q. What Public Records are made Open Data?
A. The CIO or the CIO’s designee will work with Departments and prioritize for publishing those data sets that are public records, are frequently requested by the public, are associated with the City’s policy priorities, and are appropriate for disclosure.
Q. Where is Open Data published?
A. Data will be published on the City’s Open Data Portal(data.cityofboston.gov) and other appropriate sites, unless determined otherwise by the CIO.
Q. How is Open Data published?
A. The CIO or the CIO’s designee will strive to publish all Open Data in widely-used formats and adhering to data standards where it is available and appropriate best practice. Where possible, the CIO or the CIO’s designee will engage with regional, national, and international stakeholders to define and improve data standards.
Q. How is Open Data licensed?
A. The default license for all City of Boston Open Data is the Creative Commons Attribution International 4.0 license. You can read the license terms here: http://creativecommons.org/licenses/by/4.0/. Appropriate attribution for City of Boston Open Data is “City of Boston” with a link back to the source data. While this license is the default, other licenses may be used for specific data sets.
3.1 Definition of Open Data
For the purposes of this policy, Open Data are Public Records that have been published on the City’s website or are otherwise accessible to the public without making a public records request.
3.2 Publishing Open Data
The CIO shall work with City Departments to publish data sets classified as “Public” and that have been prioritized for public disclosure. Prior to publication, each Department shall ensure that data is published with at least minimum relevant documentation, adheres to applicable rules of the City of Boston Technical Standards Handbook, and follows - if possible, practical and available - commonly used standards for that type of data.
The CIO or the CIO’s designee will record in the Data Catalog when a data set becomes Open Data.
3.3 Publishing Priority of Open Data
Departments and the CIO shall determine the priority order for publishing as Open Data those departmental data sets that have been classified as Public Record. Departments shall report to the CIO, or the CIO’s designee the data sets of highest priority for publishing as Open Data.
In general, those data sets that have the highest public utility and can easily be published will be prioritized. The City of Boston Open Data Publishing Guidelines are hereby Incorporated by Reference to provide more detailed direction on prioritization and the process for publishing Open Data.
3.4 License Terms for Open Data
The default license for all City of Boston Open Data is the Creative Commons Attribution International 4.0 license. You can read the license terms here: http://creativecommons.org/licenses/by/4.0/.
Appropriate attribution for City of Boston Open Data is “City of Boston” with a link back to the source data. While this license is the default, other licenses may be used for specific data sets.
3.5 Legal Oversight and Review
The Corporation Counsel and Departmental Counsel shall be consulted regarding the process developed for publishing data and, as appropriate, regarding the publishing of specific data sets.
4.0 Protected Data Policy
Q. What is protected data?
A. All protected data is exempt data – data that is not classified as a Public Record.
Q. How “protected data” is secured?
A. The CIO and the CIO’s designee will maintain and enforce policies and practices to make sure that protected data - such as information regulated by law - is not made generally open. Those policies and practices are maintained in the City of Boston Protected Data Security Policy.
Q. How “protected data” is shared?
A. The CIO and his designee, in consultation with departments, can choose to share protected data to specific City partners for the limited reasons of program evaluation, research, analysis or other public good purposes. Parties must sign a protected data sharing agreement before receiving any data.
The City may also transform protected data sets so that a relevant and appropriate view of that data can be published as open data. For example, data could be summarized or anonymized so that the resulting data set does not need to be protected.
4.1 Definition of Protected Data
All protected data is exempt data – data that is not classified as a Public Record. This is also known as Exempt Data.
4.2 Securing Exempt Data
The CIO will establish and maintain a comprehensive data security program in compliance with best practices and applicable law. This program will help safeguard data from threats to confidentiality, integrity and availability. This program is outlined in the City of Boston Protected Data Security Policy, which is hereby incorporated by reference.
Departments shall adhere to the provisions of the Protected Data Security Policy, including with respect to security and other controls to safeguard Protected Data; use of Identity and Access Management; and good practice guidelines for compliance with legal or other rules requiring the sharing of Protected Data with authorized parties upon the grant of consent, by operation of law or when otherwise so required.
4.3 Sharing Protected Data
The CIO and his designee, in consultation with departments, can choose to share protected data to specific City partners for the limited reasons of program evaluation, research, analysis or other public good purposes. Parties must sign a protected data sharing agreement before receiving any data. The City of Boston Model Data Sharing Agreement offers a suggested form for such an agreement.
The CIO and his designee, in consultation with departments, may also transform protected data sets so that a relevant and appropriate view of that data can be published as open data.
4.4 Legal Oversight and Approval
The Corporation Counsel of the City of Boston shall confirm Protected Data is only disclosed in accordance with this Policy and must approve any data sharing agreements.
5.0 Content Incorporated by Reference
5.1 City of Boston Technical Standards Handbook
The City of Boston Technical Standards Handbook provides guidance on cataloging, publishing, formats, accessibility,metadata, data schemas, APIs and other relevant technical matters.
This document is managed by DoIT’s Analytics Team.
5.2 City of Boston Model Data Rights Contracts
The City of Boston Model Data Rights Contracts contains standard language to be included in contracts with third parties governing the ownership of data created as a result of those contracts.
This document is managed by the Law Department and the DoIT’s Analytics Team.
5.3 City of Boston Data Security Policy
The City of Boston Data Security Policy provides guidance to departments with respect to security and other controls to safeguard data; use of Identity and Access Management; and good practice guidelines for compliance with legal or other rules requiring the sharing of data with authorized parties upon the grant of consent, by operation of law or when otherwise so required.
This document is managed by DoIT’s Security Team.
5.4 City of Boston Model Data Sharing Agreement
The City of Boston Data Sharing Agreement is a standard template for an agreement that must be signed by all parties before sharing protected data with a third party and must be approved by the Corporation Counsel on a case by case basis.