The right of citizens to have their personal information and privacy protected must not be compromised as cities and municipalities embrace smart city concepts, a leader in privacy and data protection says

In a webinar hosted by the Smart Cities Council of Australia and New Zealand last week, Nicole Stephensen, a partner at multi-national privacy and data protection consultancy IIS Partners, warned that cities and municipalities need to ensure that privacy is protected when implementing smart city initiatives.

Stephensen says the importance of privacy in a cities or municipality context should not be underestimated.

This is particularly the case as councils increasingly rely on technology and big data to enable smart city initiatives.

It is also the case of as those who live and work within certain municipalities are not readily able to ‘opt out’ and move to alternate jurisdictions where they are not satisfied with data collection practices.

Moreover, the need to observe privacy extends beyond councils themselves and includes organisations who support or provide services to local municipalities. This could include providers of telecommunications, information management or infrastructure services.

“Councils and the technology and other vendors that support them require significant amounts of personal information to do their job.,” Stephensen said.

“We are handling this type of information on a daily basis or the machines that we have built and the technologies that we have deployed are handling that information and they are managing it and moving it around in some way.

“There is an increasing degree of community awareness and concern in relation to privacy. We only have to look at some of the things that are happening in the news at the moment in terms of local council technology deployments – whether that is smart CCTV cameras, RFID tags on council assets, smart parking or a variety of different initiatives. These things can cause the community concern unless they are aware of what happens to their personal information and why.

“Instead of allowing the community to fill in their own gaps in relation to privacy and to turn to their fears or their concerns and to make these their reality, it is important to be communicating about privacy and to be clear about what is happening with their data and why.”

Stephensen’s comments come as cities and municipalities around the world are embracing the concept of smart cities – the leveraging of smart technologies and data analysis to help improve city function and operation, promote economic growth and improve the quality of life for citizens (see here  for multiple examples).

In Singapore, Internet of Things (IOT) cameras monitor the cleanliness of public spaces, crowd density and the movement of registered vehicles. Singapore also has systems to monitor energy use, waste management and water use in real time. In addition, there is autonomous vehicle testing and a monitoring system to ensure the health and wellbeing of senior citizens.

In the US city of Kansas, the council has introduced smart streetlights, interactive kiosks and more than 50 blocks of free public Wi-Fi. In addition, the city’s visualisation app provides residents with details of parking spaces, traffic flow measurement and pedestrian hotspots.

In an Australian context, the comments also come amid growing concern surrounding privacy following severe data breaches against telecommunications provider Optus and private health insurer Medibank Private which saw hackers gain access to personal information of customers including full names, dates of birth, phone numbers, email address, passports, Medicare cards, drivers licence numbers and other items.

Indeed, a 320-page report released earlier this month as part of a review of the Commonwealth Privacy Act proposed 116 changes to the Act across 30 areas.

Moreover, recent examples show how smart city initiatives can be compromised where privacy concerns are not addressed.

In 2020, Alphabet (parent of Google) subsidiary Sidewalks Lab was forced to cancel its Sidewalks Toronto project which it was developing under an agreement with the City of Toronto. The plan had been to transform a previously neglected area on the city’s eastern downtown waterfront into a new model of inclusive urban development that delivered new levels of sustainability, economic opportunity, housing affordability and mobility.

At one point, the plan had involved spending $1.3 billion to deliver mass timber housing, heated and illuminated sidewalks, public Wi-Fi and a host of cameras and sensors to monitor traffic and street life.

Whilst the company cited economic and financial viability as the reason for its cancellation, the project had come under sustained pressure amid mounting concerns over privacy and handling of data and a lack of clarity about how data that was collected would be used.

In Australia, the City of Darwin came under stinging criticism and become labelled as a quasi-surveillance state during the latter part of the last decade as it rolled out 138 new CCTV cameras as part of the Switching On Darwin project amid concerns that facial recognition technology would be used for surveillance initiatives. (The project aims to improve safety, deliver better and more efficient services, reduce carbon footprint and improve planning. Along with the cameras, it has included free public Wi-Fi, new lighting and smart parking sensors, microclimate monitoring systems, a city intelligence dashboard, wayfinding kiosks and mall audio facilities.)

To its credit, the city took onboard the concerns and engaged in significant backpedalling. It embarked on clear communications to assure residents that facial recognition technology would not be used for surveillance and began working to a dedicated privacy management plan.

Google’s now cancelled Sidewalks Toronto project was subject to considerable criticism over uncertainty surrounding data handling and use.


How Privacy Should be Done

According to Stephensen, several things are important when designing and implementing a privacy strategy.


1. Privacy Must be Designed in Upfront

When thinking about privacy, Stephensen says this needs to be proactively designed into policies, procedures, processes, projects, initiatives, products, services and technologies rather than bolted on or retrofitted after implementation.

This helps to open up opportunities in terms of compliance, meeting community expectations and improving confidence and trust. Such opportunities are not readily available where privacy is retrofitted or bolted on.


2. Foundational Principles

When implementing privacy by design, Stephensen says seven foundational principles should be observed. These were coined in the 1990s by international privacy guru Dr Ann Cavoukian.

They include being proactive rather than reactive; having privacy as the default setting and embedded into design; and having privacy being driven across the full lifecycle of programs, being visible and transparent and being focused on users.


3. Privacy Strategy Must Have Basics

When adopting a privacy strategy, Stephensen says this must have a strategic presence and buy-in at the board and executive level with a shared understanding about what needs to be done and why. From there, privacy and security frameworks and management plans can be developed.

Next, privacy needs to have a seat at the table, with one or more parties responsible for considering privacy in relation to risk management, procurement, project design and deployment. This individual can help to conduct privacy impact statements or other consultations.

Finally, privacy can be incorporated into service level policies and procedures and complaints management processes.

The order is important.

Unless privacy has a strategic presence and its importance is understood at board/executive level, Stephensen says privacy impact assessments which are associated with technologies or initiatives are not going to be appreciated in terms of how these correspond to community trust, community expectations and potential regulatory scrutiny.


4. What your privacy strategy must say

Whilst privacy policies are important, Stephensen says these must sit in the context of a broader privacy strategy.

This needs to consider:

  • Who is responsible and accountable for privacy
  • The overall mission and vision of the city and how privacy feeds into this
  • The specific nature of the problems which the strategy seeks to address and how the strategy will respond to ensure that these challenges are addressed
  • Timeframes under which specific actions are expected to occur.
  • Community consultation and engagement in the establishment of the privacy strategy.

On the last point, Stephensen says community engagement is particularly important but often overlooked.

Potentially, community concerns in respect to privacy can revolve around several issues. Some may be concerned about surveillance activities through deployment of technologies such as drones, CCTV or facial recognition. Others may simply want better understanding of how their information is being used and/or more choice or control over how this is done.

The best way to understand community concerns, Stephensen says, is to ask them. This can be done through means such as surveys or town hall meetings.

Simply relying on assumptions what communities want and are concerned about is not advised. In many cases, what people desire in relation to privacy may look and feel different to what has been expected.


5. Its more than just compliance

When going about this, Stephenson says the focus is often concentrated on compliance and the likelihood of being subject to complaints, backlash or regulatory scrutiny.

Whilst these considerations are important, she says it is critical to also focus on why privacy matters in terms of the community whom the municipality is serving.

This is important as cities and municipalities are public institutions exist for community benefit. Their focus should not be on legal compliance but instead upon serving the community.

The Darwin City Council needed to assure residents that cameras and facial recognition would not be used for surveillance purposes.


A Positive Example

According to Stephensen, a positive example is the approach taken by the City of Melbourne.

Through its digital urban infrastructure strategy, the city has established test beds which aim to leverage technology for maximum community benefit. One initiative involves the installation of beacons that send location-specific audio messages about potential obstacles to users’ phones as they walk around the city. Another web site which can be accessed on the go on hot days enables users to determine which walking routes may provide the best protection from sun and heat taking account of the time of day along with the city architecture and surrounds. A 24-hour pedestrian counting system helps the city to understand pedestrian activity in busy locations to help plan for population growth.

All this is being delivered through a co-design approach under which the community participates in design decisions and an ethos that nothing is collected about citizens without community input as to how information is being used.

Such an approach is underpinned by a privacy by design framework which is applied before any technologies are built or implemented. It involves a series of steps and processes which need to be followed before the technologies are rolled out into the community.

The City of Melbourne has used beacon technology to help warn vision impaired residents of location specific hazards.

A good strategy delivers major benefits

In conclusion, Stephensen says an effective privacy strategy delivers significant benefits.

“To summarise, privacy strategy is intended to influence your culture as a city,” she said.

“It’s intended to reinforce that privacy is your ticket to play. And when I say ticket to play, I mean it. There are so many technology initiatives in our city. You think about free urban Wi-Fi, RFID tagging and various digital literacy campaigns that happen in our cities. You think about connectivity. You think about CCTV cameras – all of these different amazing initiatives.  If privacy has not been adequately considered, should those initiatives be taking off without having that essential scaffolding around them?

“Privacy strategy ensures that the topic of privacy and the management of personal information in accordance with community expectations and with the law becomes de rigeur. It becomes just what we do here.

“Privacy policy becomes an enabler rather than a drag on progress. It offers us an opportunity to improve. Say we do a privacy risk assessment and we discover that there is a risk of harm that had not been considered, it gives us an opportunity to build that risk of harm out of our technology or our solution.

“And it provides a safety net as a city or a vendor that we have done things right and it also provides a safety net in terms of community expectations.

“The community feels cared for and taken care of.”


Enjoying Sourceable articles? Subscribe for Free and receive daily updates of all articles which are published on our site


Want to grow your sales, reach more new clients and expand your client base across Australia’s design and construction sector?

Advertise on Sourceable and have your business seen by the thousands of architects, engineers, builders/construction contractors, subcontractors/trade contractors, property developers and building industry suppliers who read our stories across the civil, commercial and residential construction sector