Wisconsin Geospatial News

Data security guidelines released

Since Sept. 11, 2001 national security has become a big issue surrounded by loads of publicity and lots of money directed toward improving safety and emergency response. Over the past four years, many of the public, private, and non-profit organizations that produce or use geospatial data have developed concerns about the security risks associated with distributing geospatial information.

For a small amount of this data, the case can be made that open dissemination does pose a security risk. As a result, managers of geospatial data have used a variety of procedures and rationales to secure and protect some types of information.

In attempt to standardize the decisions for releasing data, and as a guide for balancing security risks and benefits of data dissemination, the Federal Geographic Data Committee (FGDC) recently adopted and released a document entitled Guidelines for Providing Appropriate Access to Geospatial Data in Response to Security Concerns.

The guidelines are straightforward, providing procedures for identifying sensitive information that pose a risk to security, and reviewing decisions about sensitive information. Also, the guidelines offer a method for balancing security risks against the benefits of making data available.

The guidelines do not grant any new authorities, and are intended to apply to a wide variety of data. They are intended to strike a balance between safeguarding information that could potentially be used to cause harm, and providing the free flow of information essential to society. The guidelines are based on the principles of freedom of information and open records laws, and the public’s right-to-know. The RAND Corporation’s 2004 report, “Mapping the Risks: Assessing the Homeland Security Implications of Publicly Available Geospatial Information” was used in crafting the guidelines.

The guidelines, which are directed to organizations that originate and/or disseminate data publicly, are organized through a sequence of decisions, or a “decision tree”. Each decision is based on a set of questions requiring yes/no answers. Answers of “yes” to all questions will lead to the decision to restrict the data, while a “no” answer anywhere along the tree of decisions will lead to the conclusion not to restrict the data. The guidelines offer a detailed discussion of the decisions to be made, a brief explanation of terms used, and references to sample policies from which the guidelines were developed.

Without question, these guidelines should be used by anyone establishing policies and making decisions regarding the distribution of geospatial data to others outside of their organization.