Office of Operations
21st Century Operations Using 21st Century Technologies

Behavioral/Agent-Based Supply Chain Modeling Research Synthesis and Guide

CHAPTER 7. SHARING OF DATA BETWEEN PUBLIC AND PRIVATE SECTOR

Public transportation agencies can consider arrangements with private data firms to obtain data needed for behavioral supply chain freight models. These arrangements can provide agencies with access to data with large samples or new attributes, but there are also challenges around data privacy. The key concepts around data privacy from the literature are provided in Appendix A.

PROPRIETARY DATA AND PRIVACY ISSUES

The internal and external sharing of data is crucial to most business operations. It forms the basis for most business decision-making processes and models. Conversely, the protection of these data, which are often proprietary in nature, is essential to reducing both personal and professional risk and liability. The data management landscape has shifted over the last decade: technological advances associated with collecting business information have been exponential, leading to a massive increase in the amount of data that is generated, stored, and distributed. The concept of data mining has data analysts synthesizing and analyzing seemingly unrelated datasets for patterns, trends, and insights in ways that were never previously imagined. Data mining has also created new areas of privacy concern since sensitive information can often be discerned through cross-referencing otherwise innocuous datasets. Unfortunately, the speed of data generation, analysis, and monetization has outpaced the knowledgebase for data protection.

Maintaining business confidentiality and data privacy is a well-understood necessity for individual firms competing in a free market. Like most other industry sectors, the trucking industry develops and manages data that are often considered sensitive and proprietary. The myriad business records that seem of interest to certain outside parties may include: balance sheets, income statements with profits and losses, accounts payable and receivable, customer and cargo information, equipment inventories, depreciation schedules, compensation schedules, routes/lanes, and real-time vehicle location information. In addition to these, carriers generate and maintain extensive safety and economic forecasting data. The ultimate objective of data collection is for supply chain firms to operate a safe and profitable business. However, many in the trucking industry are concerned that data disclosure pressures are growing, particularly due to technology developments and an unpredictable regulatory landscape 1 .

VEHICLE-LEVEL DATA ISSUES

Vehicle-level data privacy concerns are based on devices that exist within vehicles or devices that are external to vehicles. In addition, the use of event data recorder information collected from trucks is highly controversial, and has led to concerns ranging from data privacy to abuse of discovery. 2

Concerns also exist around providing detailed cargo/commodity data. The U.S. Department of Justice has indicated that cargo theft may exceed $100 billion dollars annually. Providing real-time latitude-longitude data on trucks and commodities would greatly enhance a perpetrator's ability to identify valuable cargo in a moving truck.

Concerns raised by industry from these unit-level privacy examples not only convey the proprietary nature of data, but also rationalize concerns toward certain legal consequences that may evolve from data disclosure such as the use of anonymized data in court cases by plaintiffs' attorneys.

MACRO SUPPLY CHAIN DATA ISSUES

Supply chain data typically include inventory level, sales data, order status for tracking and tracing, sales forecasts (or other forecasts), and production/delivery schedules. Data sharing among supply chain partners is a critical requirement to ensure greater efficiency for business partners. Most business contracts include clear language that defines what data are considered proprietary, who owns the proprietary data, how it must be managed and protected, and what legal consequences will ensue if the data are deliberately or accidentally released.

Anecdotally, industry concerns relating to data access have classically been rank-ordered as follows:

  1. Civil litigation impacts.
  2. Competitor access to proprietary data.
  3. Government access for regulatory compliance.

Data sharing with government is a growing business concern given the increasing use of electronic data, with few legal and technical tools for protecting such data. Without these protections, the freight industry has been extremely wary to participate in government research programs where industry data could be invaluable. At the same time, without real-world industry data, public sector agencies have difficulty justifying the transportation attention and investment desired by industry.

Government often has a legitimate need to obtain industry data, but State and federal laws make it challenging for government agencies to enter legal arrangements to protect proprietary data. A patchwork of laws exist that seek to protect certain data from disclosure; while other laws require release of data to support the concept of transparent government. The most prominent and widely encountered laws in this realm are described in the following sections.

FREEDOM OF INFORMATION ACT

One of the programs that has impacted the sharing of industry data is the Freedom of Information Act (FOIA). FOIA is a federal law enacted in 1966 and codified at 5 USC § 552 et seq., 3 which provides individuals with the opportunity to view public documents held by federal government agencies. Any individual can make a request for access to any public document, data, or information held by a government agency. The agency must respond to requests per the agency's procedures 4 and provide the requester with access to the requested information unless a specific data protection exemption applies. Because FOIA allows individuals to request information about third parties, a FOIA request to a federal agency involved in collecting, storing, or analyzing trucking industry data as part of a U.S. Department of Transportation (USDOT) program presents a potential threat to the confidentiality of proprietary information of the participants.

FOIA requests can be legally rejected in several situations. The primary reasons for denial that would relate to a USDOT database of proprietary industry data include the following:

  • Physical Possession of the Requested Data. FOIA generally requires the release of any data possessed by an agency. A general legal interpretation is that data obtained under the sponsorship of an agency, but physically stored outside of the agency, would likely be protected against a FOIA request/release.
  • Using one of the Nine FOIA exemptions. FOIA Exemption #4—Trade Secrets and Confidential Commercial Information reflects Congress' recognition that public access to some information, such as commercially sensitive data, would adversely affect the ability of government and private parties to collaborate. Exemption #4 protects information in agency records from mandatory disclosure provisions of FOIA if it constitutes trade secrets and commercial or financial information obtained from "a person" and is privileged or confidential. This information is protected if it is privileged or confidential, and obtained from a person. 5 For the purposes of Exemption #4, a "person" is defined as an individual, partnership, corporation, association, or public or private organization other than an agency, 6 and thus would include a freight company or other intermediary, customer, seller, or other participant participating in a USDOT program IF the data are formally classified as "Trade Secret." The "confidential information" Exemption #4 is available when disclosure will either: 1) impair the government's ability to obtain necessary information in the future; or 2) cause substantial harm to the competitive position of the person providing the information. 7
  • Voluntarily Provided Data. Case law has recognized and supported the increased protection of private sector data that was provided voluntarily by industry. Recognizing the unique nature of public-private partnerships, legal precedents have favored denying requests that could harm or undermine voluntary and innovative arrangements between the business community and government agencies.

Additional federal laws that have some nexus to data protection or disclosure include the following:

  • Privacy Act of 1974 (5 USC § 552a). The Privacy Act protects individual data. This act allows government agencies to protect certain data that relates to specific individuals.
  • Drivers Privacy Protection Act (18 USC § 2721). The Drivers Privacy Protection Act (DPPA) is more specific to truck driver data. It was enacted to protect individuals' right to privacy, guarding individuals' information from improper disclosure or use. 8 In practice, DPPA requires states to protect information in an individual's motor vehicle record (MVR) and delineates permitted uses for MVR data. DPPA permitted uses of MVR data include verifying accuracy of personal information and legitimate State uses related to motor vehicle safety. 9 That said, individual drivers can sign releases that allow the collection and use of specific data for research and other purposes.
  • Fair Credit Reporting Act (15 USC § 1681 et seq.). The Fair Credit Reporting Act (FCRA) mandates that credit reporting agencies follow reasonable procedures to ensure that consumer privacy and accuracy of information is ensured. 10 Most financial data, including secondary data related to an individual's personal information from MVRs, is protected by FCRA requirements.

STATE SUNSHINE LAWS

Similarly, many states have laws regulating the release of public records. These laws vary by State. 11 Most State sunshine laws have exemptions for personal privacy, law enforcement, and commercially valuable information. 12 Provision of commercially valuable information to government agencies would require a state-by-state investigation of relevant laws to ensure information is applicable for exemption from public access. 13, 14

INSTITUTIONAL ISSUES AND OTHER CONSIDERATIONS

This section includes additional and important institutional data issues that extend beyond the previously cited legal and regulatory concerns. The following issues can affect aspects of a USDOT data collection program:

  • Revenue/Funding Expectations. Based on historical experience, it is plausible that the private sector will request or expect financial compensation for its private sector data. Unless the direct benefits from the sharing of proprietary data are direct and immediate, private firms will be reluctant to utilize their own resources to create and maintain a data-sharing program.
  • Timeline Expectations. While government agencies would not likely require real-time receipt of industry data, numerous externalities could affect when data is shared. Syncing timelines and schedules for data receipt and distribution will be important, and ultimately formalized and automated. Once in place, it will be challenging to change any metrics and outputs.
  • Lack of Subject-Matter Expertise for Data Privacy Issues. Most public-sector transportation stakeholders are unaware of legal, contractual, and competitive issues associated with proprietary data. Information on issues related to sensitive data and information should be understood by transportation agencies.
  • Data Continuity. For the USDOT, data continuity is extremely important, as any lapses or changes in data could dramatically affect data products and services. Since business models constantly change (firms merge, change data systems, or go out of business), the USDOT will need to develop and implement data redundancy plans. This need to maintain redundant technology systems and redundant data feeds could come with a high cost.
  • Standardized Agreements. Standardized agreements and contract templates should be developed immediately for future use to reduce processing and negotiation time. A sample nondisclosure agreement is provided in Appendix B. Developing and submitting these generic tools for broad scrutiny by both government and industry legal representatives could create solid vehicles for information-sharing and partnerships, and send a positive message to industry that government is a willing signatory.

DATA-SHARING REQUIREMENTS AND EXPECTATIONS

The topic of data privacy requires new and innovative agreements. This need is based on growing concerns surrounding proprietary data protection—including who shares data, how the data are protected, how and when access is authorized, and voluntary data sharing between private industry and government agencies—and the rise in data theft. These agreements will likely include variations of the following requirements:

  • Legally Binding. All agreements/contracts between industry and government must include legal, financial, or criminal consequences should the agreement be violated. Several public agencies or academic institutions will not or cannot sign agreements that generate liability; in some cases, these legal positions are underpinned by State law or even constitutional clauses. Such entities may not be legally able to protect sensitive industry data.
  • Clear Ownership Clauses. The private sector will likely not relinquish data ownership rights. This means that data-sharing arrangements will provide a use license and clear guidance on how the data can/cannot be used, and by whom. These restrictions may conflict with both State and federal law (e.g., challenges with the Confidential Information Protection and Statistical Efficiency Act) which may allow or require the sharing of certain data across agencies that may not be a party to the data-sharing agreement (DSA).
  • Clear Data Usage Restrictions. Many DSAs explicitly state who cannot use the data, and what uses are not appropriate or authorized. Even when data are anonymized so that individual parties cannot be identified and harmed, entire sectors and classes may still be affected. Industry is aware of such large-scale impacts and is hesitant to participate in DSAs that may create such negative impacts.
  • Use of Trusted Third Parties. Considerable industry support exists for the use of "trusted third parties" who can act as reliable and knowledgeable stewards for proprietary industry data and related data-sharing partnerships. These entities must possess industry subject-matter expertise to ensure that certain data are not shared or synthesized inappropriately; must be able to successfully negotiate data-sharing contracts with industry; and provide technical support to government agencies in terms of analysis and interpretation.

A case study in successful private sector data sharing with the government is provided in Appendix C.

1 John Sommers II, "Some Carriers Worry How Proposed Safety Scoring Could Affect Them," Transport Topics, September 12, Accessed September 13, 2017. (enumerated web address: http://www.ttnews.com/articles/some-carriers-worry-how-proposed-safety-scoring-could-affect-them) [Return to Note 1]

2 Schmitt-Cotta, 2005. Discovery abuse may be defined as intentional misreading of EDR data by expert witnesses to bolster the claims of plaintiffs. [Return to Note 2]

3 The FOIA Regulations are codified at 26 CFR Part 16 (2017). A copy is available at https://www.gpo.gov/fdsys/pkg/FR-2017-01-04/pdf/2016-31508.pdf. [Return to Note 3]

4 The following are citations to FOIA regulations promulgated by two agencies pertinent to a U.S. DOT database of industry data – together with some useful website summaries:

5 5 USC § 551(2). [Return to Note 5]

6 5 USC § 552(b)(4). [Return to Note 6]

7 Id. at 770. [Return to Note 7]

8 Center, Electronic Privacy Information. "EPIC - The Drivers Privacy Protection Act (DPPA) and the Privacy of Your State Motor Vehicle Record." Accessed March 17, 2017. (enumerated web address: https://epic.org/privacy/drivers/#cases) [Return to Note 8]

9 Ibid. [Return to Note 9]

10 Center, Electronic Privacy Information. "EPIC - The Fair Credit Reporting Act (FCRA) and the Privacy of Your Credit Report." Accessed March 17, 2017. (enumerated web address: https://epic.org/privacy/fcra/) [Return to Note 10]

11 "Open Records Laws A State by State Report.pdf." Accessed March 17, 2017. http://www.naco.org/sites/default/files/documents/Open%20Records%20Laws%20A%20State%20by%20State%20Report.pdf [Return to Note 11].

12 "Freedom of Information Laws | Reporters Committee for Freedom of the Press," October 28, 2011. (enumerated web address: https://www.rcfp.org/first-amendment-handbook/freedom-information-laws) [Return to Note 12]

13 Ibid. [Return to Note 13]

14 Summaries of State laws relating to public access to government collected information can be found at Open Government Guide (enumerated web address: https://www.rcfp.org/open-government-guide) [Return to Note 14]

Office of Operations