normativas

The commitment to so-called smart cities is currently one of the major commitments to technological innovation in the public sector, especially in the local sphere. This type of initiative aims to address challenges to sustainability in the urban context and, through the advanced use of information and communication technologies, to optimise resources and make public services more efficient.

The report ‘Open Data and Smart Cities: an alternative legal perspective’ that we published on Datos.gob.es approaches the scope and legal analysis of data openness in this type of project. It is particularly important to provide legal security for the investments and efforts being made by both local governments and service providers and, in general, for the involvement of civil society in this field. As analysed in this report, the plurality of actors and services involved determines the diversity of legal standards in a context where information and communication technologies require interoperability.

Structured into five chapters, the report deals with Law as a tool to serve smart cities, the diversity of actors as a subjective element, the plurality of services involved in a technological context as an objective element, and the scope of the regulatory framework applicable to intelligent cities from the perspective of open data. This last section details the regulations on electronic Government, the legal provisions on transparency and access to public sector information, the legal provisions on the re-use of public sector information, and the legislation covering the protection of personal data.

In the fifth and final chapter, which focuses on the prominence of legal means, the report raises the need for paradigm shifts to drive open data in smart city projects. In particular, it advocates the promotion of a management model based on the foundation of Open Government at the municipal government level, using its legal powers and means. It also proposes a series of prerequisites required to allow the opening of data in smart cities in order to facilitate the re-use of the data generated.

In conclusion, the report ‘Open Data and Smart Cities: an alternative legal perspective’ refers to the need to be aware of the fragmentation of the existing regulatory framework and the challenge for local governments when making reasonable modifications to their own regulations and supporting effective leadership in order to offer value-added services based on their re-use according to the principles of open data.

The attached Report can be downloaded in PDF, Word, and ODT format.

Aplicación de escritorio, como alternativa al uso del navegador y del hiperenlace, con un funcionamiento muy básico. La actualización de la herramienta es automática y espero ir introduciendo sucesivas mejoras Lee los ficheros con formato XML, exclusivamente de legislación, del Boletín Oficial del Estado siendo necesario descargarlos desde su buscador de legislación.

Su funcionalidad radica básicamente en tener a la vista, a la izquierda de la pantalla, la estructura de la norma abierta y , en su parte derecha, el visor de documentos para obtener una vista íntegra del conjunto, así como la posibilidad de introducir notas o acotaciones personalizando el propio texto normativo o hacer las búsquedas oportunas en el mismo.

Esta aplicación se muestra como ejemplo de reutilización de datos abiertos, aunque ya no está operativa. ¡Esperamos que te sirva de inspiración para tus propios proyectos!

Este obra está bajo una licencia de Creative Commons Reconocimiento-CompartirIgual 4.0 Internacional.

The Spanish Data Protection Agency (AEPD) has launched a guide to promote the re-use of public sector information whereas the privacy of citizens is guaranteed. In order to provide some guidelines that help the implementation of these techniques, the AEPD has also published the document entitled “Guidelines and guarantees in the process of personal data anonymisation” which explains in detail how to hide, mask or dissociate personal data in order to eliminate or minimize the risks of re-identification of anonymised data, enabling the release and guaranteeing the rights to data protection of individuals or organizations that do not wish to be identified, or have established the anonymity as a condition to transfer their data for publication. In other words, a formula to juggle the promotion of the re-use with the regulatory rules on data protection, which ensures that the effort in re-identification of individuals carries a cost high enough to not be addressed "in terms of relative effort -benefit".

The document shows both the principles to be considered in a process of anonymization in the design stages of the information system (principle of privacy by default, objective privacy, of full functionality, etc.), as the phases of the performance protocol in the process of anonymisation, including the following:

• Defining the team detailing the functions of each profile, and ensuring, as far as possible, that each member performs the tasks independently of the rest. Thus, it prevents that an error in a level is reviewed and approved at a different level by the same agent.
• Risk analysis to manage risks arising from the principle that any anonymisation technique can guarantee absolutely the impossibility of re-identification.
• Defining goals and objectives of the anonymised information.
• Preanonymisation, elimination/reduction of variables and cryptographic anonymisation through techniques such as hashing algorithms, encryption algorithms, time stamp, and anonymisation layers, etc.
• Creating a map of information systems to ensure segregated environments for each processing of personal data involving the separation of personnel accessing such information.

Finally, the document highlights the importance of training and informing the personnel involved in the processes of anonymization who work with anonymised data, focussing on the need of establishing guarantees to protect the rights of stakeholders (confidentiality agreements, audits of the use of anonymised information by the recipient ...) and establishes as a fundamental conducting regular audits of anonymization policies, which must be documented.

The AEPD offers these guidelines even knowing that the same technological capabilities that are used to anonymise personal data can be used for re-identification of people. That is the reason to emphasize the importance of considering the risk as a latent contingency and sustain the strength of the anonymisation in impact assessment measures, organizational, technological, etc. .; all in order to combine the provision of public data and ensure the protection of personal data in the re-use of information with social, scientific and economic purposes.

Law 18/2015, of 9 July, amending Law 37/2007, of 16 November, on re-use of public sector information, provides that the authorities and public bodies have a clear obligation to authorize the re-use of their information, including those institutions in the cultural field such as museums, archives and libraries.

In order that the provision of information for its re-use does not interfere with the privacy of personal data, the Spanish Data Protection Agency has published a Guidance document on data protection in the re-use of public sector information which gathers all aspects to be considered by the public sector to release data ensuring the fundamental right to data protection recognized in Article 18.4 of the Constitution, in the Article 4.6 of Law 15/1999 on Protection of Personal Data and in the Article 8 of the Charter of Fundamental Rights of the European Union.

As laid out in the document, the treatment and re-use of public sector information by the re-user may involve the combination of that information with other data sources, using technologies of big data or data mining that limit the monitoring and control over the use of public open data and, therefore, could cause uncertainty about the privacy of such information. Nevertheless, according to the AEPD, these associated risks should not lead to a restriction of re-use considering its advantages to the whole society. The guide attempts to answer this question, highlighting the importance of preventive methodologies such as the assessment of re-use impact in the protection of personal data -which analyzes the potential risks that the treatment of the personal data may involve- and proactive solutions such as the anonymization of data, as well as the legal guarantees and tools needed thereof.

The document shows how to evaluate the impact on data protection by the body that authorizes the re-use of the information, which can develop the analysis independently or with the help of the re-user, without providing, in such case, sensitive or personal data.

In addition, the text indicates how anonymization can be strengthened through legally binding commitments such as the express indication to prohibit the re-identification and use of personal data in decision-making. Finally, it also includes some example measurements to ensure the compliance with these legal guarantees: from periodic assessments of the re-identification risks; audits on the use of reused information or the inclusion of warnings on the re-identification of personal data on websites.

Thanks to this guidance, the Spanish Data Protection Agency opens the way to spread good practices in finding the answer to one of the main risks associated with the re-use of public sector information such as the re-identification of citizens, instructing managers of public institutions in how to facilitate open data in compliance with the legal guarantees of data protection. 

In recent years, Spain has seen an authentic whirlwind of legislative action seeking to promote the technological modernization of the public sector. Apart from Law 18/2015 (9^th July) which was necessary to modify the 2007 regulations in order to meet the requirements of the European Union, by the end of 2013 a new set of general regulations was passed regarding transparency and access to public sector information. This law not only includes specific provisions of information reuse but stands as the applicable law in those cases not covered by previous legislation.

Given the current technological context of administrative management, there is no doubt that e-administration plays a key role in opening up information according to the standards of interoperability that facilitate the re-use of information. From a legal point of view since 2007, Spain has a very advanced set of rules at international level, which was further modified in 2015 in order to progress in the technological modernization of the public sector.

In spite of the progress and the many initiatives launched to promote the re-use of public sector information in Spain, however, it is still necessary to analyse the role of the Law in the opening up of information by public entities. In this regard, it is particularly important to follow the most advanced international standards such as the principles established by the International Open Data Charter.

Despite the development of Spanish e-administration, in many areas the law still allows the management of documentation on paper . This is one of the main obstacles, which fortunately is set to disappear once the above-mentioned reform act 2015 enters into force. Nevertheless, the real problem is that public administrations are not strictly forced to establish records management systems that facilitate the re-use of data according to technical interoperability criteria and thus fulfil their “public service function”.

Aside from this important shortcoming, PSI legislation is not a good example of regulatory requirements. The use in Law 37/2007 of wordings such as “they shall ensure that documents covered by this Regulation may be reused” or, directed at public sector bodies, “ they shall encourage the availability of documents for re-use while enabling the electronic processing of requests for information reuse” cannot be considered a good example of the obligations that can be legally required by re-users.

The general rules on transparency and good governance have taken only the first step towards reuse of public sector information. In fact, though Law 19 of 9 December 2013 establishes a clear obligation to use electronic means to publish information, it merely sets a preference for reusable formats when public administrations comply with this legal provision. On the other hand, Royal Decree 1495 of 24 October 2011 is a more advanced example of regulation in accordance with the 2013 European reform. This law does stipulate an irrefutable obligation, although it also includes the exceptions and limitations related to access to information covered by general legislation. It should, however, be taken into account that, in cases where documents are not available electronically, persons wishing to reuse data must submit an application, thus possibly delaying the reuse of those data.

Although since 2007 major advances have been made in the legal framework related to access and reuse of public sector information, there are still considerable limitations, shortcomings and gaps which hinder the work and innovation of the infomediary sector. Nevertheless, the provisions analyzed cannot be considered an obstacle for public institutions that are committed to opening up information according to criteria that enables it to be reusable. The Spanish open data catalogue is a clear example of the efforts being made by certain public entities, proving that the legal framework cannot serve as an excuse.

The Technical Standard for Interoperability for the Reuse of information resources establishes common conditions on selection, identification, description, format, conditions of use and making available of documents and information resources prepared or kept by the public sector, relating to numerous areas of interest such as social, economic, legal, tourist information, about companies, education, etc., complying with the provisions of Law 37/2007, of November 16.

These conditions are intended to facilitate and guarantee the process of reuse of public information from public administrations, ensuring the persistence of the information, the use of formats as well as the appropriate terms and conditions of use.