As discussed in Chapter 1, smart cities hold the promise of helping cities boost economic growth and resilience and reduce costs while enhancing sustainability, improving public services and quality of life, and increasing citizens’ engagement in a pragmatic, apolitical manner by using data-driven solutions. Data are the foundation of the digital society and play a critical role in the development of smart cities. Cities are facing increasing opportunities to leverage data and digital technologies to improve public services and resident well-being. However, cities must balance their data needs with concerns about privacy and data use. It is, therefore, critical to set robust data governance arrangements to manage and use the data that smart cities generate. Data governance understood as the “…diverse arrangements, including technical, policy, regulatory and institutional provisions, that affect data and their creation, collection, storage, use, protection, access, sharing and deletion, including across policy domains and organisational and national borders” (OECD, 2022, p. 13[1]) The relevance of data governance rests in that it provides the rules and parameters that govern data collection efforts aimed at producing more efficient interactions between city governments, their partners and citizens (Johnson et al., 2022[2]). If used and managed properly, data can help make smarter decisions, automate and accelerate processes, and improve communication between government, private companies and citizens.

According to international experience, how smart a city becomes, how fast and at what ratio of costs to benefits largely depends on how well public and private actors work together to govern and manage the data on which smart cities are built. Failing to govern and manage data responsibly and efficiently may hamper cities’ competitiveness and productivity, and may damage citizens’ trust in the government’s capacity to manage data and meet their needs.

This chapter explores international experiences of good practices in terms of governing data in the context of smart cities, both at the national and subnational levels. It starts with a discussion on the importance of data governance and the different elements that have an impact on it, such as trust, transparency and data security. The chapter then turns to different practices to ensure data interoperability. It concludes with the case of data governance in smart mobility as an integral part of smart cities.

Effective data governance involves developing and implementing the foundational frameworks in terms of institutions, roles, rules, processes and technical structures to ensure that data access and sharing are reliable, trustworthy and deliver value (OECD, 2019[3]). It is also critical to ensure that sensitive data are protected while non-personal datasets are shared or opened for reuse within the limitations of available legislation and rules (OECD, 2019[3]). The governance of data sharing must address the overlapping purposes and needs that a wide range of stakeholders may have and ensure they abide by data sharing rules. For this purpose, local governments should develop frameworks that enable targeted data sharing that respects privacy and commercial sensitivities of people and companies, and meets operational needs. New regulations demanding stricter data control and the understanding of the risk of not complying with those new requirements to protect data have reinforced the need for more capacity and capability to manage data (Algmin and Zaino, 2018[4]). Data governance is one of the key factors for enhancing the regulatory capabilities of subnational governments, unlocking market opportunities for private enterprises and improving citizens’ capacity for participation in decision-making processes (Franke and Gailhofer, 2021[5]).

As Chapter 1 highlighted, countries tend to adopt a general smart city national framework (SCNF) that guides the building and implementation of smart city projects and the provision of better services. At least three critical points can be stressed from international experience: i) the relevance attached to linkages across data from different sectors and regions; ii) the need to ensure privacy and protection of personal data; and iii) the need to ensure interoperability of data platforms. To be effective, these elements need a governance structure that facilitates co-operation across levels of government, among cities and across policy sectors, involving a wide number of stakeholders from the public and private sectors and citizens.

The experience of OECD countries suggests that data governance and management in smart cities must enable society to turn data into benefits while ensuring public support. According to the OECD, establishing a clear vision and strategy for data is an important element of data governance (OECD, 2019[3]), which can also be applied to the city level. Existing national-level data strategies may also explicitly or implicitly support smart city data governance, as is the case with the National Data Strategy of Japan (Box 2.1). The experience of Germany and the Netherlands suggests that before designing a platform, coding algorithms and acquiring and deploying digital technologies, national and local governments need to identify the challenges first and consider the value creation and broader outcomes of possible solutions. Those solutions should be tailored to the city’s unique context and its specific social and cultural needs. Sometimes, solving a city’s challenges does not require large investments in technology.

While cities aiming to make progress on digitalisation and become a smart city also develop their own data strategy, a national model or guideline can be a reference for local governments to tailor their own strategy in the framework of their smart city plans. For example, in Mexico’s robust national statistical system, there are many opportunities to reinforce support and capacity building to local governments. However, in the absence of a national data strategy, there is a lack of concrete guidance on how the National System of Statistical and Geographical Information (SNIEG) should interact with local statistical systems, as well as on knowledge-sharing modalities between the Mexican National Institute of Statistics and Geography (INEGI) and chief data officers or CDOs (or equivalent) at the state or municipal levels (Marks, 2022[6]). Establishing a process of sustained knowledge sharing between state and municipality data officers and INEGI could foster a greater understanding of the use of data. It would inform better decision making at the local level and improve the production and data dissemination processes that support policy making and decision making at the subnational level.

National statistics offices (NSOs) lead data governance and data management within central governments and at the national scale. In some cases, NSOs may start discussions within the national government on the legal system required to enable the collection, processing, sharing and storing of data. NSOs have an advisory or leadership role in the elaboration of national data strategies and work closely with the international community in sharing experiences and good practices on data governance. Critically, NSOs have the necessary experience and expertise to advise other levels of government on ensuring data quality and complying with data management regulations. An important aspect is to develop analytical capabilities in areas such as data literacy, science and engineering across national government to ensure effective data management and support subnational governments in upgrading their data management capability.

Local data strategies are a prerequisite for exploiting the potential value of data produced by the city for the benefit of its residents, businesses and academia. It should include all necessary measures to provide reliable data of the required quality in a timely manner. The city of Vienna’s Data Excellence Strategy, for example, takes a human-centric approach to managing data and digital technologies, placing residents’ well-being at the centre of decision making (Box 2.2).

Local data strategies must be tailored to the needs of each urban society. According to the experience of Germany, those strategies need to be understood and used as a tool to achieve local urban development goals and evolve continually and dynamically based on the needs and priorities of each city or community (BBSR, 2021[9]). For that purpose, all levels of government need to join forces purposefully for the use of data to achieve integrated and sustainable urban development.

Like Japan, the United Kingdom has adopted a National Data Strategy that may help strengthen data governance for smart cities. This strategy, issued in 2020, intends to facilitate the access, use and reuse of data to a wide range of stakeholders (Box 2.3). It leveraged the benefits and power of data to respond to the COVID-19 pandemic. A lesson from the United Kingdom (UK) experience that is relevant for the development of smart cities is that a data strategy should leverage existing digital strengths and installed digital capacity (infrastructure and organisational) to promote better use of data across businesses, government, civil society and individuals.

Moreover, the UK national experience suggests that for developing smart cities and setting a local data governance structure, a data strategy requires activity and focus beyond government. Working with local stakeholders to define how the city, businesses and other actors will co-operate across the wider data landscape is critical to ensure the functioning of smart cities.

Involving citizens from the early stages of data projects is also essential. Countries and cities use different mechanisms for this. For example, in the city of London, United Kingdom, the borough of Camden organised a citizens’ consultation where the government provided different scenarios on how the borough could use its data and asked how they felt about sharing their data in each one. The results provided them with the relevant information to design a more socially acceptable scenario, where people would be willing to share their data. Other options for cities can be to use a citizens’ jury methodology to develop a citizen’s charter and a data ethics board to get external advisers to ask the right questions on data sharing and protection.

Leadership on digitalisation and data management at the national and local levels is essential as it provides a body with official explicit responsibility for co‑ordinating smart city and data management efforts, including in terms of policy definition, implementation and co‑ordination.

OECD research shows that data-driven transformation requires more than technical skills, with countries such as France, Korea, New Zealand, the United Kingdom and the United States having attributed data leadership/stewardship to CDOs or bodies to support data governance at the strategic level (OECD, 2019[3]) (Box 2.4).

At the subnational level, cities are also appointing officials to lead data and smart city strategies, i.e. local CDOs. They are in charge of the implementation of their respective initiatives for the management of data but this depends on the capacity of the local government, in particular municipalities, as they may not always have the staff with the right competencies and skills. Cities such as Barcelona and Bilbao (Spain), London (United Kingdom), Los Angeles and New York (United States), Paris (France), Reykjavík (Iceland) and Vienna (Austria) have created the city-level CDO.

In general, a local-level CDO requires both specific technical capabilities (e.g. cloud computing, data science analytics and data management, data collection and production processes, etc) and communications and interpersonal skills. Local CDOs need to be able to have an influence across organisational boundaries to improve data interoperability, for example, and to lead collaborations with a wide range of stakeholders (e.g. academia, private sector and citizens) (Marks, 2022[6]). Being able to engage with local civil society is of critical importance as CDOs need to demonstrate the value of sharing data and reassure them of data safety. Local CDOs need to have the ability to break down silos and explain the benefits of sharing data and open datasets (Marks, 2022[6]). This is a message that local CDOs should convey not only to the officials but to publicly elected officials. Working with the local private sector and encouraging them to share data is also a critical task. Local CDOs need to demonstrate the benefits of pulling data together from different public and private sources. In Barcelona, Bilbao and Sydney (Australia), the CDO (or equivalent) helps scale and sustain the implementation of their data strategies. The OECD (2019[3]) noted that it is important that countries do not misunderstand the role of the data leader and confine it to the information technology (IT) department when the role should be more strategic in achieving policy goals through better data management and sharing practices. Moreover, through existing research at the national level, the OECD has observed that “[p]ublic policies tend to overlook the benefits of data governance. There is a need for promoting data governance as a sublayer of policy arrangements. This can help to extract value from data for successful policy” (OECD, 2019, p. 27[3]). However, while there seems to be an acknowledgement of the importance of data for national and subnational governments (e.g. Barcelona, Bilbao, Bogotá, London, New York, Tokyo), research suggests that the private sector also considers data as a critical asset to achieve companies’ core objectives but that this does not always translate into actions that make data deliver real advantages (Algmin and Zaino, 2018[4]). This could be to the detriment of smart city projects as private companies tend to lead such initiatives and collect large amounts of data. Although data are considered a valuable asset by the public and private sectors, it does not mean that partners in smart city strategies should gather more and more data and apply them indiscriminately. Instead, leadership is required to manage and be intentional in how data create value.

Having adequate institutional arrangements for the implementation of the smart city and data strategies is critical for data-driven cities. In Japan, for example, three central bodies are responsible for implementing digital and data strategies as well as providing guidance for the development of smart cities across the country (Box 2.5). At the local level, the city of Vienna provides an example of a data excellence organisation to implement the data strategy. To ensure the efficient and effective use of data, the government of the city of Vienna seeks to master the data lifecycle in all areas of administration, minimising the effort and generating the greatest possible added value through data. As Figure 2.1 suggests, the responsibility for this does not only lie in the IT department but in all departments. The local government has set up a data excellence organisation and defined specific roles such as data stewards, experts and users in the departments.

In some countries, data strategies make an explicit case for the development of smart cities to deal with national challenges such as demographic shifts, climate change, inequality and access to services. For example, India and Japan promote the use of data to inform policy decision making and boost innovation in service creation and delivery. In Japan, the government is boosting digitalisation to cope with the challenges of providing better services at higher levels of efficiency to an ageing and shrinking population and in turn boosting economic growth and competitiveness. The Smart City Reference Architecture advocates the use of smart city data for informed decision making. The National Data Strategy promotes an evidence-based administration that manages open data across all levels of government.

However, unlike Japan, India is using smart cities and data strategies to deal with the effects of a growing population and urbanisation that is placing a significant burden on civic infrastructure and services like sanitation, water, sewerage, housing, electricity and public transport. Like Japan, India launched a National Data Strategy focused on the development of DataSmart Cities. India aims to create data to ensure a move towards outcome-based planning in governance and build data-enabled cities (Box 2.6). India’s strategy highlights that the power of data science and geographical information systems can be harnessed to exchange ideas, solutions and workforce across the country to fix local challenges (Government of India, n.d.[16]). The DataSmart Cities strategy intends to institutionalise a culture of data by putting in place formal mechanisms for data collection, management and use. For the government of India, there is a need for building on the “city-as-a-platform” concept that recognises the value of enhancing engagement among government, citizens, academia and industry, along with improvements in the internal workflow and decision-making processes of city governments. Equally, India’s strategy promotes the development of a data maturity assessment framework, which is absent in the Japanese strategy.

At the local level, the city of Vienna’s Data Excellence Strategy aims to deal with the challenges encountered in the data lifecycle, such as data silos and redundant data, manage multiple data acquisitions and unclear data distribution of responsibility and elaborate evaluations and time-consuming reporting. Local authorities in Vienna intend to use data as the foundation for information and knowledge and the construction of the future digital twin4 of the city. Vienna’s future digital twin is expected to assist in monitoring existing processes in the city, generating new data, simulating planning in different scenarios and making better decisions based on data, offering high added value for internal tasks and co‑operation with residents, businesses and the academic community.

Developing a data strategy aims to reflect real-life problems and how the strategy could help tackle and prevent them through data collection and use. In other words, while data sharing on the part of public authorities should build in minimising data requests, data collection and sharing are, in some cases, weakly linked to desired policy outcomes at the city level (e.g. improved environmental outcomes, liveable cities, etc.). In Japan, for example, the National Data Strategy does not stress or provide guidance to cities on how outcomes and methods of data collection and management should be better linked to conduct regulatory and planning actions, including the appropriate level of aggregation, data handling, data retention periods, auditability, etc. The strategy focuses largely on the methods and the need to enhance capacity but lacks an outcome-based assessment.

Regional (e.g. New South Wales [NSW], Australia; Hamburg, Germany) and local (e.g. London, United Kingdom) experience suggest that it is critical to focus on outcomes for citizens by putting data at the core of decision-making processes. This requires a collaborative, co-ordinated, consistent and safe approach to using and sharing data. The relevance of the NSW Government Data Strategy is that it embeds the data practices that delivered valuable data and insights during the COVID-19 pandemic (Box 2.7). It was developed through a cluster of collaboration of CDOs from different departments. However, the implementation of the strategy requires a regulatory reform to strengthen data-sharing laws to facilitate the work of agencies in the creation of high-value datasets. For example, the review of the Data Sharing (Government Sector) Act revealed the need to provide “legislative teeth” to the Data Analytics Centre to meet its full potential and provide actionable insights.5 Similar to the case in Japan, the NSW Government needs to streamline how the data-sharing legislation works, particularly when it intersects with other privacy legislation. A lesson from this experience is that a data strategy should be accompanied by a revision and amendment of the regulatory framework to facilitate the operationalisation of the strategy.

Although some data strategies have a complex structure, including the adoption of technical standards and common approaches while unlocking the value of cities working together to gather, analyse and act upon their data, many of them lack a clear methodology on how this data collection should be done. Poor problem definition can lead to data being analysed in a way that does not add value and therefore diverts time and resources. The experience of London, United Kingdom, shows that it is important to have not only standards for data quality but also a clear methodology for data collection and analysis. The London Office of Technology and Innovation (LOTI) has developed a methodology that intends to prevent organisations from wasting time collecting data that they may not even need, as it adds no extra value to their decision making and does not enable new actions (Box 2.8). All smart city stakeholders need to know: what is being gathered; who is collecting it; and the purpose behind any generation, collection, storage or sharing of data. Moreover, when it comes to sharing data, it is essential to be clear about the exact uses to which the data will be put to facilitate access to information. Local governments need to understand that they should be the primary users of the data they produce. They have access to an enormous amount of data but figuring out the uses of existing data and identifying data gaps is a step that many governments tend to miss. The LOTI methodology recognises that while digital technologies and data provide a powerful set of tools and approaches with which to innovate, they are rarely the whole solution. Therefore, it is essential to work with different teams to understand the real nature of the challenges to be addressed and how they can be solved. A recurrent challenge is that through smart city initiatives, governments are producing data that sometimes no one knows how to use.

The city of Columbus, United States, developed a smart city initiative that provides an example of the need to define the scope and purpose of data collection through smart city technologies (Box 2.9). Explaining what data will be collected and why is a critical element for creating support and buy-in for any smart city project and building trust. Transparency on what data are being collected and the reasons for that could be considered part of a change management or implementation strategy. It is important that smart cities provide this information from the outset and not wait until public groups request details on data collection and use.

The Smart Columbus initiative came to an end in June 2021 and the city government has continued the project as a “collaborative innovation lab”. After almost five years, according to city authorities, the Smart Columbus programme was found to have successfully or partially achieved 22 of the 29 objectives identified and created 4 220 jobs (719 direct jobs from programme-related staffing expenditures) (City of Columbus, 2021[20]). A majority of the eight projects have continued in some form. Even for projects that were not continued, the knowledge and lessons learnt have helped increase awareness of emerging technologies and their benefits to all residents in Columbus. The case of Columbus shows that managing stakeholder expectations and understanding the importance of communications is key to a city’s ability to mitigate risk and improve both awareness and technology adoption.

In the context of smart cities, a data strategy should set the governance arrangements that will govern how and under what conditions data can be accessed and exchanged, and the responsibilities of those in charge of managing and keeping data and platforms. An example is Colombia’s National Data Infrastructure Plan (PNID), adopted in February 2022 (Box 2.10). It contains elements or features that are worth highlighting due to their contribution to the formation of smart cities in the country and the data governance dialogue. First, the PNID defines the basic elements of the governance of data at the tactical level: rules, attributions, responsibilities and processes that could also be followed in the organisation of smart city projects. Second, it defines the leadership for the strategy implementation. This leadership should not be just a single body or person but a more collaborative body that facilitates the exchange of views and experiences. However, if local governments wish to have a more collaborative model for data management, as Colombia’s PNID suggests, there should be mechanisms or protocols for co-operation among the different local stakeholders. Third, probably the most critical part of the PNID, the technical level, is that it promotes the articulation of the data infrastructure with other data-related systems in the country, such as the national statistics system, the digital security and privacy of information, and the tools and technologies that facilitate interoperability. The message for local governments is that the smart city project must be connected to the regional or local statistics office, as is done in Bilbao, Spain. It is worth pointing out that Colombia’s PNID is not explicitly linked to urban development as is India’s DataSmart Cities strategy but provides the basic framework for the development of smart cities in the country.

Cities’ desire to improve citizens’ lives, the efficiency of city management and boost economic growth by using digital technologies raises security and privacy concerns. The reason is that smart city technologies capture personally identifiable information and household-level data about citizens, such as their location and movements, physical characteristics and daily activities. These data linked together generate a profile about individuals and communities to make decisions about them but not necessarily involving them. There are also concerns about how secure these digital technologies are, the data they generate from hacking and the costs they may imply for cities and citizens. The challenge for cities is to deploy digital technologies and gain the benefits expected from them while maintaining security and minimising the negative effects they may have on the city’s infrastructure and residents. A large number of stakeholders and interests involved are vested in smart city projects and the diversity of technologies used makes it more difficult to meet this challenge.

One of the tasks of data governance is offering a common basis to use data to attain shared policy goals and promote trust. The OECD considers trust as core to becoming a data-driven public sector (OECD, 2019[3]), which applies equally well to the city level. Trust may be defined as a positive perception of the actions of an individual or an organisation grounded in actual experience but determined by the subjective assessment of individuals (OECD, 2017[25]). Between 2007 and 2020, the greatest increases were in Germany and Iceland, while trust levels in Belgium and Chile fell most steeply. However, it must be pointed out that metrics of trust in government provide signals of people’s relationship with their institutions and the state of public affairs in countries; though, as the OECD (2021[26]) points out, they remain highly aggregated and could be influenced by a wide array of factors and circumstances.

Research has shown that, at least in the European Union, local and regional institutions are more trusted than national governments (Arrighi et al., 2022[27]). This level of trust in local institutions seems to be closely related to the quality of public services and day-to-day policies, that means: the prospect of a well‑functioning economy; decent schools and safe streets; security of property and data; properly maintained public transport and infrastructure; a healthy environment; and a thriving cultural landscape (Aguiar, Boutenko and Lacanna, 2021[28]). Trust is key to ensuring social stability; for that, all institutions, particularly national and subnational governments, must provide trustworthy information (Edelman, 2022[29]). That requires providing clear, consistent, fact-based information to break the cycle of distrust.

Citizens are more likely to provide the government – and its partners – with personal data providing that their data will be protected and not misused by the government or sold for marketing purposes for example, and that their data will be used to improve public service delivery. In other words, citizens need to perceive that, with the data they have provided to the government, public services will be more personalised and meet their specific needs. If the government and its partners fail to meet citizens’ expectations by using data without permission or public service experiences do not improve, then trust is damaged and may take a long time to be repaired. In 2021, a survey conducted in Lisbon, Portugal, on data protection found that citizens generally have the perception that their data are not properly protected and there are risks of leaks or being hacked, they are worried someone else is using their personal data without their knowledge and permission, and there seems to be a general lack of knowledge on the data protection measures adopted by the city as part of its smart city programme (Cró and Castro Roegiers, 2021[30]). However, the results of the OECD Survey on Drivers of Trust in Public Institutions showed that a majority of people in most countries are satisfied with access to information about administrative procedures. More than half of respondents trust their government to use their personal data only for legitimate purposes (Figure 2.2) and trust in local governments is generally higher than in national government (Figure 2.3) (OECD, 2022[31]). Yet, governments need to strengthen their efforts aimed at reinforcing trust in the way they handle citizens’ data.

To that end, some governments have been adopting initiatives to build trust in government smart city projects and encourage citizens to share their data. Some have established practical mechanisms by which citizens and businesses can know which data government organisations hold about them. For example;

• In Japan, the Act on the Protection of Personal Information (APPI) has been amended to require more information to be provided to the individual about handling personal information in the offshore company to which they are relocating.

• In the European Union, the General Data Protection Regulation (GDPR), adopted in 2018, aims to protect citizens from privacy and data breaches. Companies can only use data that the data subject has agreed on, and consent has to be given in a clear and easily accessible form with the option to withdraw. The regulation itself is large, far-reaching and fairly light on specifics. It was designed to apply to all types of businesses, from multinationals down to micro enterprises. However, its complexity makes GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs). Thus, the European Commission created a specific website, gdpr.eu, to serve as a resource for SME owners and managers to address specific challenges they may face (EU, 2022[32]).

The use of digital technologies as part of smart city projects is giving place to a phenomenon called “datafication” by which concrete phenomena, situations or actions are transformed into data. Although these data can be used to improve services, it could breach privacy laws. Datafication creates concerns as the capture and circulation of data may involve a large number of individuals and the distribution of their data can occur across multiple devices, places and services as data flow easily across platforms.

Smart city technologies have transformed geolocation tracking, making monitoring people’s location continuous. For example, smart cards used to pay for public transport, such as the Navigo card in Paris, France, the Isar Card in Munich, Germany, and the Suica card in Japan, collect information on people’s movements across a city. Cities such as London have installed sensor networks across street infrastructure to capture and track phone identifiers such as media access control (MAC) addresses – a unique number used to track a device in a network6 – that could track the stores individuals visited, the duration of their stay and how often they visit a particular shop and use that information to show contextual adverts. Several cities across the world have installed digital closed-circuit television (CCTV) cameras that can zoom and track individual pedestrians (Figure 2.4). Local authorities are deploying CCTV cameras and facial recognition systems to bolster security in severely under-policed areas to prevent crime but in countries such as India, this is creating concerns about security and privacy as there are not strong enough laws to protect people (Chandran, 2023[33]). All data collected through digital technologies has the potential to assist in improving service delivery and making informed policy decisions. However, in many cases, private actors generally collect and store these data, creating concerns regarding the legitimate use of people’s data.

Protecting data privacy should be central to any smart city data governance arrangement. Kitchin (2016[35]) suggests that, to address privacy concerns, cities require a suite of solutions as there is no single solution to a complex political, technical and ethical challenge such as data privacy. Some solutions should be market-driven, others should be technical-oriented, should focus more on policy and regulations, or should be more oriented to governance and management. This mix of solutions would enable the rollout of smart city technologies in a way that protects people’s privacy while minimising privacy risks.

Market-driven solutions require regulatory tools and oversight to ensure compliance with privacy regulations. Regulation needs to define security requirements and assurance processes that companies need to follow. It is essential for all stakeholders contributing to smart city services to acknowledge security risk management requirements. But regulation also requires companies to see data privacy protection as a competitive advantage. Across the world, 68% of consumers believe companies benefit more from using their data than they do; and 76% of consumers want to take more direct control over their data instead of companies and governments (Bella, 2021[36]). A critical problem in many countries is that citizens are not keen on sharing the personal data that governments would need to better plan some services, for example commuting and geolocalisation data to improve traffic management planning. “Giving citizens the opportunity to actively decide on who can use their data and for what purposes, accompanied by trustworthy technology, processes and actors can also create incentives to share or generate such data” (Franke and Gailhofer, 2021, p. 8[5]). The experience of the city of Aizuwakamatsu in Japan shows how important it is to give residents the option to opt in to generate trust in how personal data are collected, handled, stored and protected. This allows residents to choose if they want to provide personal information in exchange for digital services and around 20% of the population have opted in to share their data.

Regarding technology solutions to address data privacy concerns, cities may use privacy-enhancing technologies (PETs), which are a broad range of technologies designed to extract data value without risking the privacy and security of the data, such as cryptographic algorithms, data masking techniques, anonymisation techniques and synthetic data generation, among others (Dilmegani, 2022[37]; Curzon, Almehmadi and El-Khatib, 2019[38]). Different technologies have been developed to assist cities in anonymising data through metadata aggregation, privacy masking, data purging and deep natural anonymisation technology (DNAT) that prevent the original subjects from being recognised by creating synthetic overlays and allowing cities to use videos and images safely without breaching privacy rules.7 PETs aim to minimise data generation, preventing unnecessary processing of personal data while increasing individual control of personal identifiable information (PII) and facilitating legal data inspection rights. In Singapore, for example, the National Steps Challenge is an initiative by which a step-tracking device is linked to a mobile application; the aim is to encourage users to adopt a healthier lifestyle by offering incentives to participate in a national competition.8 The risk regarding data privacy concerns the collection of personal quantitative information tied to an identified individual, which could expose personal and location information. According to research, PETs could protect the data privacy of participants in the National Steps Challenge initiative by, for example, applying a k-anonymity (i.e. ensuring all data entries share the values in their quasi-identifiers with k−1 other entries) to ensure that participant information is adequately protected (Curzon, Almehmadi and El-Khatib, 2019[38]). However, these technologies are not widespread yet and, until they are, cities should follow the Privacy by Design (PbD)9 principles as they take a broad view of a data system and its data: proactive not reactive; privacy as a default setting; privacy embedded into design; full functionality; end-to-end security; visibility and transparency; and respect for user privacy.10

To administer market and technology solutions to protect data, some countries have conducted regulatory reforms to guarantee rights and freedoms on data and information and cities have implemented initiatives for data protection as part of smart cities projects to build trust. Efforts to protect data tend to focus on areas of: ethics – to guide behaviours across the public sector; privacy – to protect citizens’ privacy and to establish data rights; transparency and accountability – of algorithms used for decision making; and security – to manage risk to government data (van Ooijen, Ubaldi and Welby, 2019[39]; OECD, 2019[3]). At the local level, for example, when procuring digital products and IT services, the city of Vienna applies tender criteria that ensure digital sovereignty, paying particular attention to protecting the data of critical infrastructure and operators of essential services. The aim is to ensure that the operation of digital infrastructure and digital services is as independent as possible to guarantee a high degree of independence and flexibility, as well as a high degree of sovereignty, individualisation and service orientation for the economy, citizens and public employees. This could contribute to the resilience of the digital infrastructure and digital services required to maintain the city administration and essential public services.

Different legal frameworks are built around personal rights and regarding the generation, use and disclosure of personal data and the obligations of governments to protect that data. For example:

• In 2021, Chile established the Measures to Encourage the Protection of Consumer Rights (known as the Pro Consumer Law or Ley Pro Consumidor) to protect the consumer collective or individual interest to request compensation upon breaches into their personal data. It grants the Financial Market Commission, the Chilean Transparency Council and the National Consumer Service supervisory powers regarding personal data processed within a consumer relation.11

• In Korea, the Personal Information Protection Commission, established to protect people’s personal information, is required by the Personal Information Protection Act to establish a master plan every three years to ensure the protection of personal information (Government of Korea, 2022[40]). In the capital Seoul, all citizens are able to vote on line on budgeting decisions that fall within the city’s participatory budgeting programme, launched in 2012 (Aguiar, Boutenko and Lacanna, 2021[28]).

• The United Kingdom aims to ensure that legislation is in step with innovation to protect personal data and citizens’ privacy. This work involves experts from civil society and convenes a number of departmental groups to ensure that data work is adequately scrutinised and that data protection and privacy regimes are robustly upheld (OECD, 2019[3]). In London, the city government set up the London Datastore as a free and open data-sharing portal where anyone can access around 700 databases relating to the city’s progress on issues such as job creation, public transport, housing, community safety, etc.12 The premise is that transparency enables residents to assess the government’s actions and build trust.

• In Portugal, the national government prioritised security as a guiding principle of its ICT strategy 2020. To enhance security, the government created the National Commission for Data Protection to supervise and monitor compliance with laws and regulations pertaining to personal data protection and to correct and sanction breaches of such laws and regulations (One Trust Data Guidance, 2022[41]).

• Japan has a very comprehensive regulatory framework for handling personal information (Box 2.11). This framework has solved the problem of about 2 000 local governments providing their own ordinance for personal information.

• In Germany, funding for smart cities is conditioned to abide by the European GDPR, by which data collected should be either non-personal or anonymised; cities should refrain from collecting data about individual citizens.

• In 2012, the United States set out a revised version of the Fair Information Practice Principles (FIPPs) – first published by the OECD in 1980 (OECD, 2013[42]) – in the Consumer Privacy Bill of Rights to improve consumers’ privacy protections and ensure that the Internet remains an engine for innovation and economic growth. The bill contains principles such as individual control, transparency, respect for context, security, access and accuracy, focused collection and accountability.13

One of the biggest barriers to sharing data is the interpretation of legislation. In London, for example, each of the 33 boroughs has its legal team with its own interpretation of the legislation of data protection. This creates delays in decision making and implementation of projects. London’s experience suggests that it is necessary to standardise the approach of information governance to align the thinking about the legality of data-sharing measures and tools.14 Moreover, research has found that the different legal framing and policies for data protection across jurisdictions create a fractured regulatory landscape which could diminish its impact (Kitchin, 2016[35]). There are different obligations for smart city technologies deployed within countries and even cities depending on local laws and regulations.

Protecting data privacy also requires governance measures. Principle-led governance is a condition for creating a smart city that maximises data benefits and minimises risks to individuals. To reinforce the ethical management and use of data, some countries have established independent bodies and developed ethical frameworks. The central body focuses on government-held data and support government entities to build capacity for data management and see data as a valuable strategic asset. They also provide support for the implementation of data standards and may experiment with innovative methodologies for data management and sharing. For example:

• In Australia, the Australian Research Data Commons (ARDC) is the national research infrastructure provider that enables the research community and industry access to nationally significant, data-intensive digital research infrastructure, platforms, skills and collections of high-quality data. It also facilitates partnerships to develop a coherent research environment that enables researchers to find, access, contribute to and effectively use services to maximise research quality and impact (ARDC, 2022[46]).

• In India, the Data Security Council of India (DSCI) is a not-for-profit body that seeks to make cyberspace safe, secure and trusted by establishing best practices, standards and initiatives in cybersecurity and privacy (DSCI, 2023[47]).

• In Ireland, the Data Protection Commission (DPC) is the national independent authority responsible for upholding the fundamental right of individuals in the European Union to have their personal data protected. It is the supervisory authority for the GDPR, and also has functions and powers related to other important regulatory frameworks, including the Irish e-Privacy Regulations and the European Union directive known as the Law Enforcement Directive (DPC, 2022[48]).

• Mexico established the National Institute for Transparency, Access to Information and Personal Data Protection (INAI) as an autonomous constitutional body that guarantees compliance with two fundamental rights: access to public information and the proper use of personal data (INAI, 2022[49]).

At the city level, Smart City Advisory Boards provide a strategic vision of the composition and ambition of the smart city plan as the principles underpinning the smart city plans. The advisory board could be composed of representatives of local and regional governments, regulatory bodies, the private sector, academia and citizen representatives, among other relevant stakeholders. Among its tasks, the board can set an ethical framework for data protection as a result of smart city initiatives. For example, in London, since 2022, the Data for London Advisory Board – a leadership group of data and technology experts – has advised the mayor and the CDO on the development of the new Data for London platform and a data strategy to ensure data are managed effectively and responsibly (Mayor of London, 2023[50]).

According to research, it is also recommended to set up a smart city governance, ethics and security oversight committee with a more operational focus than the advisory board. Its aim should be to oversee and audit the work of the privacy teams, certify that the smart city activities are aligned with the regulatory requirements and ensure that citizens know how the smart city is being realised and how data are being generated, used, stored and shared (Kitchin, 2016[35]). In the United States, for example, the city of Seattle set up the Privacy and Cybersecurity Committee as part of the Community Technology Advisory Board, with the goal to ensure the protection of residents’ data through information security policies and that they are free form unchecked surveillance (City of Seattle, 2023[51]).

Despite its added value to research and policy making, the use of data may be the origin of ethical considerations. For example, the use of geospatial data (location data) – critical for many smart city functions – may bring with it concerns such as: privacy, security and surveillance issues related to the capacity to directly or inadvertently observe private property, capture sensitive personal information and potentially put persons in harm’s way; uncertain consent when using data from third-party owners; unintended or unknown surveillance; discrimination consciously or unconsciously built into algorithms; lack of representativeness or robustness of data; and data that may be stored on servers that can be easily accessed by unauthorised actors (Berman et al., 2018[52]). Since geospatial data often locate individuals, addresses or businesses and generally come from personal devices such as mobile phones, citizens may consider them a special or intimate type of data.

While the use of digital technologies for service delivery and decision making may bring benefits in terms of efficiency, convenience and safety, they also bring risks; that is why countries and cities are building trust through ethical frameworks or guidelines regarding data management. These guidelines provide users with information, resources and approaches to achieve ethical practices in data management. They do not intend to be prescriptive but work on ethical concerns. These ethical frameworks can be developed nationwide by countries or by cities (OECD, 2019[3]). An example of a national-level ethical framework is the United Kingdom’s Data Ethics Framework, which guides public sector organisations on using data appropriately and responsibly in policy making and service provision. The UK government has codes of practice for the use of data-sharing provisions within the Digital Economy Act that contain checks and balances consistent with the Data Protection Act to ensure data are not used inadequately. The Data Ethics Framework is used for data outside the scope of the legislation and guides policy makers and data analysts in the ethical implications of their work (Box 2.12). Germany promotes a value-based approach to data that sets values and principles, which defines how personal and non-personal data should be managed and may fill the gaps in areas that remain unregulated (BBSR, 2021[9]). Moreover, the experience of OECD countries (e.g. Germany, the Netherlands) suggests that the different stakeholders involved in data management and processes need to be aware of the risks and challenges posed by the use and sharing of personal and non-personal to ensure data responsibility.

At the local level, the city of Bilbao in Spain provides an example of the efforts to ensure good data management and governance in the framework of its work to build a smart city and promote digitalisation. Bilbao’s local council intends to use data only to create new services and improve the existing ones, to give citizens the guarantee that their data will not be marketed and that they will be used only for the benefit of the city and its residents. Bilbao City Council is working with a 2030 vision. The underpinning factor is to create a data-driven government based on data-driven decision-making processes that is able to provide all sectors and stakeholders with the necessary information to create value. The local government works with open and internal data. The latter requires specific governance processes as they may include personal and sensitive information. To reassure citizens about the use of the data, in 2022, the local council approved the Bilbao Data Manifesto to generate trust based on anonymised data (Box 2.13). The basic premise is that the data belong to the city and residents, not the administration. The Bilbao local council aggregates data to ensure the privacy of residents and the protection of their data.

It is worth noting that “[t]he use of data-based applications in smart cities must not infringe on any fundamental rights or on the security, civil liberties or privacy of individuals. Algorithmic systems must not replace democratically elected bodies or the accountability of natural persons or legal entities” (BBSR, 2021, p. 17[9]). All levels of government need to work together to ensure proper data stewardship.

Collecting and sharing individuals’ spatial data can lead to beneficial insights and services. However, it can also compromise citizens’ privacy, making them vulnerable to governmental overreach, tracking, discrimination and unwanted advertisement. Therefore, countries and cities may also take into account the GeoEthics Principles proposed by a number of international organisations and statistics bureaus. Although these principles or guidelines are built for geospatial data, they can be applied to data management more generally. Table 2.3 presents a selection of available principles of guidelines to keep ethical considerations in the management of geospatial data. These guidelines or ethical frameworks provide a series of practical tools to ensure that location-enabled technologies and location data are used based on ethical considerations, and in turn, that could help enhance trust in the government’s capacity to manage and protect data.

Data protection is one of the key challenges of digital transformation in OECD countries and cities implementing smart city strategies. As smart cities become more interconnected and the level of digital infrastructure becomes more complex and relevant, these services also become more vulnerable to cyberattacks. These can take different forms, close a system down or deny service use; extract data and information; or enter into a system to alter information (Dodge and Kitchin, 2017[55]). Because of privacy and security concerns, people tend not to share their data with government and private companies, which may limit the efficiency of smart city initiatives. Collecting incomplete and poor-quality data may undermine the usefulness of data and trust in government’s capacity to manage data wisely and eventually the efficiency of the smart city projects. The basic tenet for OECD countries and cities is to ensure that data remain safe and available to users at all times. In Latin America and the Caribbean, there were 137 billion attempted cyberattacks between January and June 2022, a 50% increase compared to 2021; Mexico was the most attacked country (85 billion attacks), followed by Brazil (31.5 billion) and Colombia (6.3 billion) (Fortinet, 2022[56]). Thus, countries and cities invest in cyber security, which means protecting systems, networks and programmes against digital attacks, but it is still in its infancy in smart cities (Ma, 2021[57]).

Research has found five major vulnerabilities digital technologies have (Dodge and Kitchin, 2017[55]; Cerrudo, 2015[58]). Weak software security and data encryption, which means that smart city systems are built without minimal security. The use of insecure legacy systems and poor ongoing maintenance creates serious risks as smart city technologies are built on top of much older technology that has not been upgraded (Cerrudo, 2015[58]). The interdependency of smart city systems makes it difficult to detect which components are exposed to mitigate risks. These interdependencies create cascade effects as failures and disruptions in one part of the system may have knock-on effects on other critical services or infrastructures, and it is a key risk in city operating systems (Dodge and Kitchin, 2017[55]). Human errors and sabotage can also lead to exposing weaknesses in the system.

Data protection has increasingly become a major concern, especially for cities and private companies deploying cloud-based applications. Many cities across OECD countries rely on a wide network of sensors, technologies and interconnected data-gathering portals to operate smoothly. However, digital technologies can easily be hacked if they are not implemented with proper security. Smart cities are vulnerable to cyberattacks in many ways, as several different attacks could be working in unison to disrupt urban services, often using malware and ‘zero-day’ software vulnerabilities. These may result from data breaches and misuse or relate to the cyber security of the smart city technologies and systems themselves. The risks are important because systems may be diverted from their original use and cause moral (cyber-theft), economic and physical harm.

Threats to cyber security include attacks on critical infrastructure, bringing industrial control systems (ICS) to a halt; abusing low-power wide-area networks (LPWAN) and device communication hijacking; system lockdown threats caused by ransomware; manipulation of sensor data to cause widespread panic (e.g. disaster detection systems); and siphoning citizen, healthcare and consumer data and PII. Some of the most common attacks on the smart grid, for example, are the denial of service through channel congestion, computational flooding of equipment with low computer power, delaying a time-critical message that may cause a widespread shutdown, and forgery of data from various sensors across the urban area (Marahatta et al., 2021[59]; Ebrahimian et al., 2018[60]; Ma, 2021[57]). In addition, attackers can forge a customer identity to control building equipment remotely and cause various damages to customers (Parasol, 2018[61]).

Attacks on the smart transport system can occur via, for example, fake information when the attacker sends incorrect information such as certificates, alerts, security messages and identification (ID). The attacker alters, falsifies, or repeats data to mislead other drivers (Xie et al., 2020[62]). In other cases, the attacker may send large volumes of irrelevant messages clogging the communication channel and consuming the computing resources of other nodes with the purpose of disabling the case network of a vehicle, which can have vital consequences in the event of an emergency (Yan, Liu and Tseng, 2020[63]).

Smart cities are particularly vulnerable to data theft as hackers can infiltrate data banks and steal PII (Box 2.14). Device hijacking is another threat by which attackers take control of a device and use it to disrupt processes such as road signals. Another threat is the Man-in-the-Middle attack (MitM), by which a hacker interrupts communication between two devices and sends false information to cause trouble.22 For instance, a hacker may gain access to a mobility platform and report public transport delays, which could lead to more people using a car to reach their destinations, causing an increase in traffic and bringing a city to a standstill. In Japan, the selection of Tokyo as the host city of the 2020 Olympic games represented an opportunity to enhance the capacity and capability of the country in cybersecurity. In 2015, two years after the selection of Tokyo as Olympic host, the Japanese government adopted the Cybersecurity Strategy. The strategy highlights the need to create public-private cybersecurity partnerships, improve workforce development and develop cyber exercises. It also urges business leaders to incorporate cybersecurity in their business strategy and invest proactively in cybersecurity for innovation and vigorous growth (Matsubara and Mochinaga, 2021[64]).

Several factors exacerbate the vulnerability of smart city technology. The lack of co-ordination among different stakeholders on who is responsible for maintaining security across the systems and the infrastructure; and the need for cities to show efficiency savings leading to a lack of digital security investments in many cities are jeopardising the infrastructure, intelligence, efficiency and sustainability of future smart city developments. Many cities also face critical staffing needs. Recruiting and maintaining highly skilled IT staff is a growing problem for local governments, and in particular, investing in cybersecurity personnel is hampered by the lack of funds. Cybersecurity plans are, in many cases, built under a siloed approach preventing a cross-function assessment and response to an attack (Dodge and Kitchin, 2017[55]; Cerrudo, 2015[58]). In addition, many smart city vendors may lack experience and incentives in embedding security features into their products; and cities have been lax in demanding string security controls during the procurement process for the new systems (Dodge and Kitchin, 2017[55]). Designing flexible systems with high information protection capabilities is essential to prevent serious security incidents.

Cybersecurity workforce shortages also threaten smart city projects and hamper national and local cybersecurity strategies. The global cybersecurity workforce is estimated at 4.7 million workers but, to protect public and private organisations and enterprises from more complex threats, there is a need to fill a gap of 3.4 million cybersecurity workers worldwide (ISC2, 2022[70]). Brazil, China, India and the United States seem to have a wider workforce gap (Figure 2.5). Cybersecurity policies and strategies include measures to address training needs and raise awareness of cybersecurity but they may take a long time to mature. Due to high attrition rates in the public sector for cybersecurity jobs and low rates of availability of educational opportunities on cybersecurity, developing a digitally savvy workforce with adequate skills may take many years; thus, governments need to prioritise workforce development, ensuring adequate funding for such programmes (OAS, 2022[71]). According to research, the workforce shortage is particularly severe in areas such as government, transportation, aerospace and insurance, jeopardising the most basic functions of the profession, such as risk assessments, oversight and critical systems patching (ISC2, 2022[70]). The biggest challenges for cybersecurity professionals are the emerging technologies such as blockchain, AI, quantum computing and intelligent automation, and the continuous changes in the regulatory framework.

The implications of a data breach or data loss incidents can represent serious challenges for public and private organisations. Failure to protect data can cause financial losses, loss of reputation and citizens’ trust, as well as legal liability, considering that most public and private organisations are subject to some data privacy standards or regulations. Therefore, countries have set formal requirements to protect citizens’ data across data collection, storage, processing and sharing exercises. Authorities are issuing regulations and strategies for the handling and security of digital big data. As smart city projects involve large amounts of data, stakeholders need to consider new methods of managing their data risk exposure. Off-the-shelf antivirus solutions are not enough as smart city projects and data strategies need a more comprehensive policy for the protection of government, companies and citizens’ data.

Countries and cities collect different types of data that could be sensitive or non-restricted, depending on their nature. Various levels of data privacy risk should be considered when making decisions about their collection, storage, use and disclosure. For example, New York City, United States, has prepared a framework for classifying three tiers of data based on privacy risk level to support decisions about data collection, use, disclosure and storage (Table 2.4). The framework is informative only and does not represent a classification structure used by the city government. However, it is based on the city’s privacy protection policies and its cybersecurity programme, policies and standards. Under normal circumstances, data in Tiers 1 and 3 will stay there, but data in Tier 2 may move to other tiers depending on several factors, such as how data collection is implemented.

Therefore, ensuring digital security must be a fundamental part of countries and cities’ digital and data strategies. Research suggests that city governments need to adopt a security-by-design approach in the technical design and training of the workforce (Dodge and Kitchin, 2017[55]). Security-by-design implies the inclusion of security aspects from the outset of a smart city project. Conducting a security risk assessment and extensive testing of the security systems should be part of the design process. City administrations should require digital technology vendors to monitor their products throughout their life cycle to identify potential risks.

Cities should also ensure to set up a core security team overseeing the security aspects of digital technologies related to smart city projects. The team should have specialist skills and responsibilities beyond day-to-day IT administration. The security team could be in charge of threat and risk modelling, testing the security of the digital technologies to be used in smart city projects, preparing a plan of action in case of cybersecurity incidents, conducting security assessments on a regular basis, and co‑ordinating staff training on digital security (Cerrudo, 2015[58]; Dodge and Kitchin, 2017[55]). The Information Security Office (ISO) in the government of the city of Chicago exemplifies the role a security team performs to ensure security monitoring and response (Box 2.15). Installing such an office may be costly to some cities but the Chicago model operates in a “shared services” model, resulting in operational efficiencies and cost savings. In Spain, the city of Madrid is creating a Security Operations Centre (Centro de Operaciones de Seguridad, COS) to act as the backbone of the prevention, surveillance and response capabilities to cybersecurity incidents. Moreover, the city government set up the Municipal Information Security Committee, a collegiate body, to direct and oversee the implementation of the cybersecurity policy of the city and provide advice.23 At the regional level, the Comunidad de Madrid is creating a Cybersecurity Agency to protect itself from future cyberattacks. The regional governments aim to create a climate of trust, provide a centralised vision of cybersecurity, improve the capacity to respond to cyberattacks, promote cybersecurity training and improve the IT security of the regional infrastructure.24

Governments are investing substantial budgets in developing state-of-the-art cybertechnologies based on AI and big data analytics, as well as strengthening capabilities to collect cyber intelligence, disturb Internet networks and disrupt major facilities. The United Kingdom, for instance, is investing GBP 2.6 billion in cyber and legacy IT between 2021-24, a considerable increase from the GBP 1.9 billion of the previous strategy. The European Commission invested EUR 249 million in digital technologies and cybersecurity in 2022.25 In 2020, the United States invested USD 5.9 billion in cybersecurity (76% of all global cybersecurity funding), followed by Israel (USD 2.7 billion) and China (USD 1.8 billion).26 It is unclear the extent these resources are reaching subnational governments in their quest to ensure data security as part of their smart city strategies.

To enhance cybersecurity, national governments such as in Korea and the United Kingdom are adopting digital security strategies (OECD, 2019[3]), which show that protecting cyberspace requires government leadership and a whole-of-society effort (Box 2.16). These efforts could inform the development of a detailed cybersecurity strategy at the city level, in line with their broader smart city projects or initiatives. Cities need to ensure that their cybersecurity strategy is in line with their interoperability systems. A key message from national governments’ experiences is that ensuring cybersecurity in cities is not only the responsibility of local governments. National and local governments should build synergies in protecting data and infrastructure from attacks, for example forming digital security committees with representatives from national and subnational governments as well as the private sector to discuss challenges, possible solutions and build agreements to provide technical support and capacity building to local governments may be one way forward. The national government could take the lead but subnational governments’ strategies should be aligned to ensure a coherent approach. These initiatives show that there should be a clear delimitation of responsibilities for data protection in the smart city ecosystem based on a strong governance model.

Ensuring cybersecurity capability is a top priority of national governments. For example, research suggests that until 2021 at least, Japan faced workforce shortages since Japanese end-user companies outsource the majority of their IT and cybersecurity work (Matsubara and Mochinaga, 2021[64]). Therefore, their cybersecurity teams tend to be smaller than in other major countries. Research suggests that while only 28% of IT professionals work in house in Japan, the ratio is 65.4% in the United States, 61.4% in Germany and 54% in the United Kingdom (Matsubara and Mochinaga, 2021[64]).

Countries are implementing initiatives to improve trust in digital technologies and their capacity. In Singapore, the national government has, through the Infocomm Media Development Authority, requested Nanyang Technological University, Singapore to establish the national Digital Trust Centre to strengthen the country’s capabilities in digital trust (Box 2.17). This is an example of how a city – in this case, a city‑state – could formalise partnerships for cybersecurity to grow cyber capabilities as different stakeholders need to work together as a city government alone will not be able to develop the capacity and capability required to face cyberthreats. It also shows that smart cities need to develop skills and competencies across various disciplines and ecosystem layers.

Governments are also investing in revamping their cybersecurity capabilities as part of their data and cybersecurity strategies to create a specialised workforce on cyberattacks. Cities could establish a network of cities, with the support of regional or even national governments, including academia and the private sector, to strengthen cyber defences. Some countries have even set up a special body in charge of cybersecurity and recruiting professionals. For example:

• In Canada, the national government recruits cybersecurity professionals to work across the government due to the increase in cyber threats and ransomware attacks following the COVID-19 pandemic. These professionals are in charge of protecting infrastructure, systems and processes citizens rely on from cyber and ransomware attacks.27

• In the United Kingdom, the National Cyber Security Centre is the national authority on the cybersecurity environment by sharing knowledge, addressing systemic vulnerabilities and providing leadership on key national cybersecurity issues. This has helped the UK government to simplify its operational structures, transform its ability to respond to national-level cyber incidents and initiate the rollout of innovative digital services that have helped to make organisations and individuals automatically safer on line (UK Government, 2022[75]).

• In Japan, the Personal Information Protection Commission (PPC), a regulatory body established to monitor and supervise compliance with the Act on the Protection of Personal Information (APPI), has issued a number of guidelines to provide detailed guidance on the scope and meaning of the provisions of the APPI and examples of their application (Government of Japan, 2003[43]). Non‑compliance with the statements in the guidelines, which are expressed as obligations, may be considered a violation of the APPI. The guidelines cover a wide range of topics, including general rules, provision to third parties in foreign countries, pseudonymised and anonymised processed information, the obligation to confirm and record at the time of provision to a third party, administrative bodies and appropriate handling of specified personal information.

• In the United States, the Department of Homeland Security (DHS) operates enterprise-wide capabilities and offers tools and services to assist agencies in managing their cybersecurity risks. It has established baseline protective capabilities across federal enterprises through the deployment of perimeter security capabilities. The DHS works to deploy innovative cybersecurity capabilities and practices to protect information systems and adopt a more unified approach to securing our own information systems and, where appropriate, deploy standardised, cost-effective, and cutting-edge capabilities across high-value departmental information systems (US Government, 2018[77]).

• The Organisation of American States (OAS) has recommended its members invest in developing the workforce to provide people with education and skills development to bridge the cybersecurity workforce gaps. This could be done by, among other things: developing national strategies and action plans for cybersecurity workforce development; creating a governance model for the co‑ordination and harmonisation of the different stakeholders involved in the process; developing public-private partnerships for launching new training programmes and updating existing curricula; updating the regulatory framework to promote cybersecurity development; and promoting the ongoing assessment of the labour market and cybersecurity workforce data (OAS, 2022[71]).

Public data alone are not enough to develop innovative services; data from different stakeholders are sometimes required. Encouraging citizens to grant third parties (i.e. government and private enterprises) access to their data and use them calls for being transparent and honest with citizens and proving the benefits of sharing data. When people perceive there is a direct benefit to sharing their personal data and that their data are managed in an ethical manner, they would be more willing to share their data for decision making or the design of public services. It is a process of give and take: if people give their data, they should expect something in return in the form of information, services and products.

Governments need to ensure that citizens understand how their data are used to help improve their lives, which can range from proactively managing traffic flows to safer street lighting and smarter energy use. Governments failing to consider privacy and/or consent can create tensions and challenges. Governments need to do more to be transparent about the data they collect and demonstrate the value of the resulting products. For example, the city of Adelaide, in Australia, is based in the driest state (South Australia). The city council is trialling the use of smart sensors to collect data to manage its water more effectively. The main benefit of the smart network project is the utility’s increased ability to be more responsive to customer needs. Smart technology is being trialled in Adelaide because of the higher potential for customer impact from bursts and leaks (Cella, 2017[78]). The sensors, loggers and meters allow the water authority (SA Water) to detect water leaks before they become visible on the surface and help large businesses in the city track and manage their water use. Customers have reported an increased understanding of how they use their water. This detection and subsequent cost savings enable customers to pay back the investment on their smart metering equipment.

As governments seek to introduce more technology-enabled services, they will need more effective measures to reassure the public about their management of data and analytics. Neutrality and fairness are critical to avoid any bias and build trust. A data management platform must be operated jointly by public and private entities in adherence to the regulatory framework for data protection. This is because it may facilitate data sharing among public and private stakeholders, optimise costs and improve return on investment, improve data security, build on each other’s capacity for data management and have better access to data from different sources for decision making. However, the government should assess regulation as an instrument to ensure neutrality and fairness.

One way of proving to citizens why their data matters and how it is being used is by reporting on progress on the implementation of the smart city strategy. Such a report should include the steps taken since the adoption of the initiative, the barriers encountered for their implementation and point to the efforts the city will undertake in the time to come. Moreover, the progress report should not just highlight what has been done and which activities are completed or are in progress, but what matters to citizens is the change achieved so far. For example, in New York City, the Office of the Chief Technology Officer has produced a progress report on the implementation of the New York City Internet of Things Strategy (NYC Government, 2021[79]). The report has been seminal in showing commitment to transparency and accountability in the planning, use and governance of connected technologies. It describes the work conducted since the adoption of the strategy and the upcoming activities.

Another way of showing why data matters is by using data to optimise public action. Cities are currently experiencing a convergence of open data, digital mapping, geolocation and the co-creation of services. Through the use of data, cities are in a prime position to be catalysts of new services and economic models that create value, jobs and well-being. For this purpose, it is important that cities ensure that all data produced by the city and residents through the use of public services are made available to all relevant stakeholders. For example, the city of Paris, France, releases financial, social, urban planning, environmental and transportation data every six months; and holds a quarterly consultation meeting with end users to know about their data priorities (Mairie de Paris, 2020[80]). Furthermore, the city government has created a programme called DataCity as a data science study accelerator programme that allows local and international start-ups to work on challenges selected by the city and its industrial partners, using high‑quality data. The DataCity programme promotes the design of solutions tailored to the city, with a focus on sustainability, based on open data provided by the city and industrial partners (Box 2.18).

Data standards facilitate the integration of otherwise heterogeneous data collected from different sources and by different stakeholders (e.g. public and private organisations, academia etc). In general terms, “[d]ata standards are the predetermined merits that govern how data is managed, used, represented, formatted, defined, transmitted, structured, and tagged” (Satori, 2022[83]). They refer to technical specifications or recorded agreements that describe how data should be stored or exchanged across different systems so that they are understood and mean the same to all stakeholders. If data are going to be used, then they need to mean the same to every actor or user through common terminology and semantics.

Cities should work towards using a comprehensive, unified ontology (the representation and definition of concepts and their relationships) adopted across the board. Data should not be dependent on geographical location; they should be used in different places other than those where they originate from. Thus, a common terminology is essential to ensure data have the same meaning everywhere and rules to ensure their lawful use. Common data platforms are a key element to this goal but they require a non-disclosure agreement. Rules for data quality and standards are one of the components of Japan’s Smart City Reference Architecture (SCRA) issued by the national government. Japan is promoting a base registry initiative to ensure that core data held by government agencies meet quality and management quality standards and can be used by society (see Chapter 1).

Setting standards may be a way forward to encourage citizens to share their data and, in a way, build trust in government. For example, the Abu Dhabi (United Arab Emirates) government has created standards for data management, which also serve as an assessment framework, to promote informed and responsible data ownership and usage, protect government datasets, engender and maintain stakeholder confidence in the capability of the government to deliver sufficiently secure and reliable services to residents, and maximise the return on investment in information assets and systems (Box 2.19).

Principles for data management that underpin data standards cover a wide range of data-related domains of both a management and a technical nature (Figure 2.6). Two messages from this experience are that it is not necessary to develop overly complex frameworks to build trust and manage data, and each government body or level of government should develop a programme that is suitable to meet the requirements for compliance with the standards while meeting their own requirements of data. The data management standards are intended to direct government entities and other stakeholders in areas requiring focus for the application of data management controls. Adherence to the control standards means data management controls are being consistently deployed across government entities. Authorities in Abu Dhabi developed control standards that represent the government’s expectations for data management. Those are expressed in 13 domains of data management that are interrelated and mutually supportive. Entities and business partners handling government data are responsible for understanding the control standards and applying them in the context of all data assets they own.

Critically, implementing data standards contributes to ensuring data quality, which is also another factor that builds trust in government capability for data management. Data standards improve data quality for better and more insightful decision making and allow for the reuse of data elements, thus reducing redundancy and enhancing reliability while also bringing down the cost of data management. Determining data quality is highly linked to data management standards. For example, Statistics Canada has developed guidelines for data quality defined around six quality dimensions: relevance, accuracy, timeliness, accessibility, interpretability and coherence (Box 2.20). These guidelines constitute practical measures that government organisations, all levels of government and private stakeholders can adopt to ensure data quality. There are several common points between Canadian and Japanese practices. For example, Japan’s Public-Private Data Utilisation Act calls for the promotion of Open Data by Design in order to reflect user needs and ensure that the information published is kept up to date and published on a website in an easily searchable and usable form (Government of Japan, 2016[45]). A system of data quality assessment is critical to foster data accountability in the management of data.

Valuable experience can be learnt from the scientific data management field on standardisation. The FAIR Guiding Principles for scientific data constitute a concise and measurable set of principles to enhance the reusability of data (Box 2.21). The FAIR principles (Findability, Accessibility, Interoperability and Reusability) guide producers and publishers to maximise the added value gained by contemporary, formal scholarly digital publishing, ensuring that all components of the research process are available, fostering transparency, reproducibility and reusability (Wilkinson et al., 2016[86]). These principles have been adopted by research institutions worldwide. These principles suggest that, to make data findable, it should have sufficiently detailed descriptive metadata as well as a unique and persistent identifier such as a digital object identifier (DOI). To be accessible, data should be understandable to both humans and machines and stored in a trusted repository. For data to be interoperable, metadata should use a formal, accessible, shared and broadly applicable language for knowledge representation, such as agreed-upon controlled vocabularies. Finally, the principles suggest that for data to be reusable, they should have a clear usage license and provide accurate information on provenance. Although the FAIR principles are aimed at the academic community, they could provide valuable input for data management in smart city projects, enhancing data standardisation and interoperability. The city of Vienna uses the FAIR principles as part of the data spectrum of the Open Data Institute (ODI).

Promoting openness and transparency is a top priority for OECD countries. In particular, governments pursue opening up government data to empower citizens, foster innovation, create business opportunities and improve public services. Open government data are a core component of government-wide data strategies across OECD countries as they strengthen good governance due to the social and business value created by shared and public data (OECD, 2019[3]; 2020[87]). Open data enable the use of data as a platform for greater engagement and collaboration among stakeholders. Policies on open data focus on making data from public organisations available to everyone in open, free and accessible formats. The results of the OECD 2019 Open, Useful and Reusable Data (OURdata) Index revealed overall improvements in open government data policies and practices at the national level (OECD, 2020[87]) (Figure 2.7).

As Figure 2.7 shows, the results of the 2019 OURdata Index revealed an overall growing maturity in terms of open government data at the national level across OECD member countries. The improvements were driven by better data availability, increased data accessibility and stronger government support to open data policies. However, the OECD has found that while countries often include elements of data governance in their national digital government strategies, such as open data, data management and/or AI strategies, these elements are often fragmented (OECD, 2019[3]). This disconnection may be rooted in the governance arrangements, such as different organisations leading the open data policies, lack of clarity in the definition of responsibilities or even lack of leadership. These problems create a barrier to data sharing and integration, hindering smart cities’ development.

Some countries have introduced specific arrangements to facilitate access, share and reuse of policy or sector-specific datasets. These arrangements benefit a number of organisations that share common goals and mandates. For example:

• In Sweden, the National Geodata Strategy of the National Land Survey authority was developed to cover all strategic issues related to handling geodata in the country. Its aim to build up a national infrastructure for geodata and encourage increased co-operation within the geodata sector. Lantmäteriet, the Swedish mapping, cadastre and land registry authority, is responsible for implementing the strategy in co-operation with the Geodata Advisory Board and other stakeholders (Lundquist, Rannestig and Sandgren, 2010[88]). The strategy led to the creation of the National Geodata Platform to provide access to nationally standardised basic data in various processes in society.28

• In Japan, the central government has implemented an evidence-based and data-driven approach to improve the impact of policies since 2017. Japanese authorities are promoting the open data initiative, in which the government widely discloses public data in machine-readable formats and allows secondary use of the public data for profit making or other purposes (Box 2.22). This initiative has the goals of improving people’s lives and stimulating corporate activities and, in turn, contributing to the social and economic development of the country. The Public-Private Data Utilisation Act instructs both central and local governments to make their data easily accessible to the public to use and reuse (Government of Japan, 2016[45]).

Other countries have implemented measures to facilitate data sharing across levels of government. The aim is to ensure that the central government has access to data owned and produced by local authorities. While central authorities can define overarching data quality standards, in practice, local governments are responsible for ensuring data quality. For example:

• In Mexico, the national government has developed the Open Mexico Network (Red México Abierto). It is a network that seeks to encourage the exchange of mechanisms to establish open data policies at the local level, engage local governments in the central open data policy and facilitate the publication of open government data produced by local authorities on the central open data portal datos.gob.mx. More than 700 open databases have been published across 32 states and 25 municipalities (Government of Mexico, 2018[93]).

• In Japan, the central government has realised that most interaction with citizens takes place at the local government level. It has therefore made considerable efforts to try to encourage the adoption of the “open by default” principle among local governments. To this end, it has organised seminars where it presented the benefits of open data and involved local governments in central-level working groups for open data initiatives across the country. Moreover, the central government has created the portal data.go.jp, which contains over 24 000 datasets from 22 public central government organisations and 17 groups (e.g. land and climate, mining and manufacturing, housing, estate and construction and administration and public finance). The portal features a developer’s page that provides a variety of information needed for developers of applications or new services using metadata from the portal.

At the local level, digital technologies have increased the amount of data produced by the city’s residents through different sensors located in the urban space (e.g. cameras, meters, motion detectors, among others). Data are also generated through crowdsourcing, such as peer-to-peer platforms, voluntary citizens’ feedback and data collected via smartphones and other connected devices. In France, for example, the city of Paris has made all structured data accessible by open license to promote their reuse and generate new applications since 2010. The city government also supports: i) big data analysis solutions, which are made more personalised and proactive through predictive and preventative approaches; and ii) open innovation with its partners through data exchanges that are kept secure and confidential, in line with the recommendations of the French data protection authority (Mairie de Paris, 2020[80]).

Data governance frameworks also make efforts to ensure access, sharing and collection of information and data across sectors. For instance, in the context of smart city projects, business-to-government reporting practices can benefit from the implementation of common data governance structures and tools across all layers of the governance model. For example, Seoul’s integrated public sector data dashboard serves to strengthen public sector accountability through the centralisation of cross-sectoral data (Box 2.23).

The development of smart cities has been accompanied by the installation of data-sharing platforms as part of the data strategy and data governance arrangements. Countries and cities have thus been working to ensure the existence of a data architecture that reflects data quality standards, semantics and interoperability for data processing and sharing. Interoperability is an essential element to contribute to digital transformation and is vital to put smart city initiatives in place to ensure a modern, efficient and effective administration. Until a decade ago, smart cities depended on the use of information and communication technologies and the Internet, but now data and their management make smart cities possible. The lack of adequate data governance arrangements can lead to duplication of data standards and technical solutions for data sharing, which would constitute a barrier for data interoperability across sectors, organisations, levels of government and across cities. Limited data flows hinder the development of new technologies and the development of better services to face challenges such as ageing and shrinking populations experienced in countries such as Italy, Japan, Korea, Poland and Spain, to name a few. This would be reflected in inefficiencies in service provision as citizens would be asked to provide the same information several times to the public administration.

Changing the mindset of city administrations is one of the critical challenges cities must face in improving data management and governance. The hierarchical and siloed organisation of cities is affecting their functionality and preventing them from benefitting from digitalisation. The experience of Helsinki, Finland, is that to make the most of the opportunities digitalisation provides, cities must offer digital services in a secure, personalised, user-friendly manner and provide them proactively and at the right time.29

The need for city administrations to interact with other public and private organisations and to exchange data or documents is increasing and becoming more important in the context of digitalisation and smart city building. These interactions, which are part of the digital transformation of countries and cities, are also becoming more complex as organisations are more interdependent. The ability of services to communicate and exchange information in an efficient, effective, quick and simple manner with other services across organisations and cities in order to achieve mutual development goals is not only demanded by political powers but expected by citizens.

Interoperability can be defined as “…the ability of different digital services to work together and communicate with one another. Digital platforms can develop application programming interfaces which enable these connections” (OECD, 2021, p. 13[97]). In 2021, the European Commission commissioned a proposal for an European Interoperability Framework for Smart Cities and Communities (EIF4SCC) where interoperability was defined as “[t]he ability of organisations and individuals to interact towards the delivery of services in cities and communities, through the exchange of data, information and knowledge, enabled by aligned processes and digital technologies, taking into account security and privacy issues” (EC, 2021[98]). Interoperability allows access and processing of data from multiple sources without losing meaning. It permits the integration of data for mapping, visualisation and other forms of representation and analysis. Interoperability enables people to find, explore and understand the structure and content of datasets to help create a contextual and holistic picture for analysis, better decision making and greater accountability.

Some national governments guide the development or establishment of data governance arrangements through a national interoperability framework (NIF). A NIF generally aims to intensify and extend the collaboration and co-ordination among the concerned stakeholders by improving the practical aspects of the governance of interoperability. It provides a catalogue of interoperable services using the cartography of existing services. However, building national interoperability requires a behavioural change based on principles that constitute fundamental aspects of driving interoperability actions in every central and local government body:

• Openness and transparency regarding data, specifications and software used as well as procedures and services provided with the data.

• Emphasis on solving residents’ problems and generating benefits. Data provided by residents should be returned in the form of benefits (i.e. products or services) that improve their lives.

• Inclusion and accessibility. Access to data should be a possibility for everyone and data should even be provided in several languages spoken in the city or country.

• Building synergies through data linkage. This refers to the reuse, reusability and sharing of data. When using data from other entities, it is necessary to see if the initiatives created produce synergistic effects as open innovation. Careful consideration should be given to the minimum data required to create value with the minimum amount of data linkage.

• Fostering transparency in data management. Most of the data that circulates in smart cities originates from residents’ activities; thus, residents are the owners and should be able to exercise their rights regarding their use. It should be possible for individuals to verify how their data are being used based on appropriate consent and there should be appropriate opt-out procedures for that use if necessary.

The European Union is encouraging member states to focus on interoperability for digital services. The European Union’s internal market guarantees freedom of free movement of goods, capital, services and people among states. Interconnected, interoperable networks and systems guarantee these freedoms. People and businesses must interact electronically with member state public administrations when looking for work abroad or reallocating their business. Member states are modernising their public administrations by introducing digital public services to make these interactions efficient, effective, timely and of high quality and to help cut red tape and reduce the cost and effort involved (EC, 2017[99]). However, there is a risk of creating isolated digital environments and, consequently, electronic barriers that may prevent national public administrations from connecting with each other and citizens and businesses from identifying and using available digital public services in countries other than their own. To avoid that, the European Commission developed the European Interoperability Framework (EIF) to give guidance to member states through a set of principles and practical recommendations as part of an interoperability model applicable to all digital public services of the union (Box 2.24). The EIF was originally prepared in 2010 and revised in 2017 to push a more ambitious vision for the interoperability framework and to factor in the latest technical evolutions.

The experience of the EIF offers major lessons to consider. Interoperability governance is the key to a holistic approach to interoperability, as it brings together all the instruments needed to apply it. Co‑ordination, communication and monitoring are elements of the utmost importance for successful interoperability governance. Moreover, setting standards and specifications is fundamental to operationalise interoperability and ensuring data are the same for all users. A critical lesson is that when preparing legal instruments, organisation business processes, information exchange, services and components that support public service interoperability should be at the core of works. Interoperability is a continuous task, as it is regularly disrupted by changes to the environment, such as legislation, the needs of businesses or citizens, political priorities, etc. Similarly, this experience suggests that an information management strategy should be drafted and co-ordinated at the highest possible level of the organisation to avoid fragmentation and set priorities.

Based on the renewed EIF, Luxembourg has developed a data governance framework in the context of the NIF (Box 2.25). This framework takes a progressive approach to interoperability as it includes principles such as digital first, once-only and transparency. The NIF covers levels of interoperability such as: legislation, organisation, semantics and technique. The experience of Luxembourg’s NIF is rather recent and it is not yet possible to analyse its impact or results. However, it suggests that adopting an NIF does not necessarily guarantee achieving its defined objectives and benefits per se, but rather marks the starting point for the long-term implementation of interoperability across government. The implementation of an NIF requires the participation of a wide number of stakeholders to produce tangible and concrete field measures. This requires setting an effective and efficient governance framework on all levels to implement the NIF and its principles.

In Argentina, national public sector organisations are mandated by law to exchange the public information they produce, obtain, work with or are responsible for with any other public body that requests it (Government of Argentina, 2016[100]). To this end, the Ministry of Modernisation is responsible for the creation of the exchange protocols, interoperability guidelines and complementary, explanatory, technical and operational standards necessary for data sharing. A key tool has been the creation of the interoperability module of the electronic management system called INTEROPER.AR. This module functions as an exchange node between the national public sector organisations’ different information systems and database (Government of Argentina, 2018[101]). The national government has invited provincial and municipal governments to enter into co-operation agreements with the national government to form a decentralised node network by which information and data are shared across different levels of government. Each public body is constituted in an interoperable services module (MSI) node that together make up a decentralised network. The information between nodes is shared through services and only those authorised areas can access the data exchange through validations, electronic authentication forms and the use of digital certificates.30 While in Argentina, there is a need for formalising a data governance structure at the strategic layer in the case of INTEROPER.AR illustrates the potential scalability of an interoperability tool. In this case, its application is being expanded to subnational levels of government.

Ensuring the interoperability of datasets is a critical step in building smart cities based on data. Interoperability frameworks ensure that subnational governments, in particular cities, have the necessary understanding of the standards to manage data, semantics and platforms to facilitate data sharing across cities. According to international experience, to achieve interoperability (i.e. how data are formatted allows diverse datasets to be exchanged and merged into meaningful ways), it is necessary to ensure data compatibility (i.e. data consistency across datasets). This would facilitate the use and exchange of data. For that purpose, a common understanding of the meaning of data needs to be agreed between the data provider and user. Continuous dialogue among different stakeholders (i.e. local governments, private companies, experts and individuals) is essential to maintain compatibility. Discussion on data meaning should be cross-sectoral so that data can be used and various services provided.

For example, in 2020, the Japanese central government adopted the Government Interoperability Framework (GIF) to use city data to create new value by structuring and ensuring high-quality data (Government of Japan, 2020[103]). This will enable services to be offered across cities, regions and even borders, not only in a single city. The GIF is a generic framework applicable to all entities of national and local governments. It lays out the basic conditions for achieving interoperability, acting as the common denominator for relevant initiatives across the country involving the public and private sectors and citizens. The GIF stresses the importance of receiving feedback from residents as users. The reason is that residents’ participation would allow the creation of more and new services tailored to their needs. The GIF acknowledges that innovation in service delivery is possible not only through government and private sector actions but by the active participation of citizens.

To enable interoperability, countries generally enact legislation to define a set of rules to control access to and sharing of data. Regulations help in the definition of common data standards and their enforcement to promote greater data interoperability and streamlined data-sharing practices. In general, these regulations focus on the central/national-level government organisations but subnational governments are also encouraged to emulate those practices. This is seminal in the formation of smart cities as it would ensure a common understanding and semantics across levels of government on data features facilitating data flows across levels of government. Across OECD member and partner countries, examples of data-sharing regulatory instruments are vast (OECD, 2019[3]). In many cases, regulation is supported by softer legal and regulatory instruments such as guidelines, recommendations or codes of practice. For example:

• In Argentina, to help organisations to implement the Open Data Policy, the national government issued the Guide for the Identification and Use of Interoperable Entities. These are basic and fundamental data whose use is frequently repeated between datasets of different themes and sources. The guide provides public and private sector organisations with simple methods to generate, share and/or consume good-quality government-held data (OECD, 2019[3]). Interoperable entities are those that allow datasets to talk to each other but this cannot happen when two datasets name the same interoperable entity differently. In order for datasets to be interoperable, the guide establishes that all interoperable features present in a dataset must be identified and data about them followed by the same standard (Government of Argentina, n.d.[104]).

• In France, the national government issued the General Reference Framework for Interoperability (Référentiel général d’interopérabilité, RGI) in a quest to promote interoperability across information systems within the public sector. It is largely based on the EIF and sets standards for each level of interoperability (i.e. political, legal, organisational, semantic and technical). A critical element is that the RGI is open to adaptation to new technological developments, the evolution of standards and the need for interoperability. The RGI introduces the concept of interoperability profile (profil d’interopérabilité), which is a limited set of standards to use in a context and a determined use. The objective is to frame the use of the RGI and avoid the proliferation of standards and combinations of standards for a given use (Government of France, 2015[105]).

• In Italy, the Agency for Digital Italy published a White Paper on Artificial Intelligence at the Service of Citizens in 2018. It aims to improve the quality and usability of the data they provide to facilitate their use in refining AI systems (OECD, 2019[3]). The paper argues that the quality and interoperability of data are determining factors for the possibility of applying new technologies. It acknowledges that a challenge for digitalisation and interoperability is that data coming from a multitude of connected devices can be fragmented, heterogeneous and distributed irregularly in space and time. To face this situation, it recommends public administration aggregating data through the creation of an open platform for the collection, generation and management of certain types of data directly related to public administration (Agency for Digital Italy, 2018[106]).

National experiences in fostering interoperability suggest that enabling joined-up data is a way to improve decision-making processes and make service delivery more efficient and effective. Indeed, data-sharing frameworks should link desired policy outcomes (e.g. reduced congestion, building liveable cities, improved accessibility, etc.) to the regulatory and planning methods or use cases that may deliver those outcomes (e.g. congestion management, travel activity monitoring, data to support infrastructure interventions, etc.). Outcomes and methods should be linked to the specific data required to carry out those regulatory and planning actions. This includes rules relating to an appropriate level of aggregation, data handling, data retention period and auditability, as well as data destruction protocols (ITF, 2020[107]). For example:

• In Spain, all public administrations are connected to a central data exchange node called the “platform for data intermediation” (Box 2.26). One of its main achievements has been the reduction in the administrative burden of data sharing. Its message is that, as far as possible, under the legislation in force, cities/communities service users should be asked for once-only and relevant-only information, ensuring a fully transparent process on how data are used. The Spanish experience shows that data-sharing mandates on the part of public authorities should build on data minimisation concerns by default.

• In Japan, the central government is the largest data holder, player and platformer in the country. Thus, the central government, with the support of the private sector, launched a cross-domain data exchange and use platform called DATA-EX in 2020 (Figure 2.9). The data platform consists of the glossaries, code sets and data models needed for data flows. The platform is to serve as a data search engine (data available in Japan and abroad), allow users to access the data they require (download data, API acquisition, contracts, transactions) and connect the required data (data collaboration, interoperability and data cleansing). DATA-EX aims to link different platforms already in operation: national government open data, local government open data, data platform of Tokyo Metropolitan Government, personal data store, information bank, data trading, public transportation, agriculture, geography and academia. DATA-EX intends to create a large data trading community in Japan, spanning across industry, academia and government and contribute to the promotion of a cross-industry and cross-border data exchange environment. The platform is expected to serve the multinational trading corporation’s domestic and foreign network by enabling the sourcing, exchange, sharing and commercialisation of data products by leveraging the platform’s advanced features and capabilities. The information systems of smart cities collect data across many networks, such as the fifth-generation technology standard for broadband cellular networks 5G. The data that come from the electrical component of a smart building, the transport network or the state of the road traffic must interact to bring value. At the end of the chain, algorithms and AI provide insights allowing communities to explore new areas of development. The interconnection of networks and the crossing and correlation of data flows largely determine the success, efficiency and value of an information system.

Open collaboration among cities as well as minimal digital interoperability based on open standards are crucial for the successful digital transformation of public administrations. Interoperability will only be possible if a governance framework facilitates collaboration and co-operation among different actors. The experiences of the Nantes Métropole in France and Takamatsu City in Japan show that collaboration among cities, regardless of their size, allows for better and more comprehensive data collection, economies of scale in terms of data collection and pulling resources towards a common platform.

Interoperability can be categorised as vertical and horizontal. The former refers to the ability of digital services to incorporate data of content from an upstream provider such as the central or regional government, while the latter refers to the possibility of digital services to communicate with other services, which could come from other cities, agencies, private sector and even citizens. For example, Japan’s GIF covers three types of interactions:

• City to city, which refers to interactions between local governments.

• City to business, which refers to interactions between local administrations and businesses.

• City to citizens, which refers to interactions between the local government and citizens.

At the horizontal level, interoperability is ensured through agreements among local governments and among local governments and private sector actors. Cities may organise fora for the exchange of ideas, get partners for new smart city-related projects and draw lessons from other experiences. The experiences of the cities of Takamatsu and Toyama suggest that collaboration among local governments is not enough to ensure interoperability and ensure the optimal use and operation of data-sharing platforms. Partnering with the private sector and academia is essential for sharing lessons, getting to know best practices and finding potential business partners (Box 2.27). Moreover, Toyama’s Sketch Lab and Takamatsu’s Promotion Council constitute fora where discussions on real problems, data needs and how to get and manage them should take into account the needs of a wide number of actors.

In the United Kingdom, London provides another example of how to promote collaboration for data management and sharing. The London Office of Technology and Innovation (LOTI) helps the different boroughs work together by bringing the best digital technology and data to improve service delivery across the Greater London area.31 As of 2022, 23 out of 33 London boroughs were members of LOTI. One of the aims of LOTI is to unlock the value of public sector information by bringing together member boroughs to analyse and act upon their data together. All local public services from the smart city perspective depend on the local mayors of the boroughs. LOTI facilitates collaboration and knowledge sharing to facilitate the digital transformation journey. In the Seoul Metropolitan Area, there is no official operation and consultative body for data management with cities around Seoul, such as Gyeonggi-do and Incheon, but co‑operation takes place for data analysis that is needed jointly. An example is the analysis of commuting data in the metropolitan area, which is of interest to all cities around Seoul.

OECD (2019[3]) research suggests that interoperability requires a common data governance framework to ensure effective implementation of cross-sector data collection, sharing and/or accessing facilities. It is important to ensure seamless business-to-government communication due to the large role private sector companies play in the promotion of smart cities and data collection. Thus, implementing common data governance structures and tools across all layers of governance is essential to facilitate interoperability. This communication and data provision must be simple and avoid unnecessary procedures and red tape. The Netherlands offers a good example of how to reduce the burden imposed on businesses for the provision of information to local authorities and banks (OECD, 2019[3]). The Dutch government has introduced Standard Business Reporting (SBR) that defines a shared public-private data governance framework aimed at reducing the burden imposed on businesses for the provision of information to local authorities and banks. This experience provides an example of smart city initiatives on how to reduce unnecessary requirements and procedures and make data management more efficient, enhancing interoperability.32

With the adoption of IoT devices and systems for service delivery, many IoT protocols and standards have been developed. IoT devices are generally constrained by their limited functionalities (e.g. memory space and processing capacity) or are closed proprietary systems dedicated to one single task (Ahlgren, Hidell and Ngai, 2016[111]). Sometimes, even market forces work against interoperability, in particular in the IoT domain. This is the case, for example, when smart lighting systems only work with light bulbs from the same vendor with limited possibilities for third parties to be part of the smart system (Fältström, 2016[112]). Ahlgren, Hidell and Ngai (2016[111]) have found that standardised IoT protocols may not be enough to ensure interoperability; systems must be designed with openness considerations (i.e. open data and open platforms) from the outset.

Indeed, across countries, city authorities need to upgrade their capacity and capability for data management. This generally involves a single data platform to manage all data collected through a wide array of IoT devices. The platform is the cornerstone of a system of systems as it will be tasked with linking different fragmented systems. The reason is that not all services are delivered by the same providers that may have their own management platforms for data management. Enabling the use of city data and external data through the platform is key to providing a comprehensive view of the state of the city and designing more tailored services based on the cities and their residents’ particular needs. The effectiveness of the city platform depends to a large extent on the trust the city can ensure in the reliability of the data quality, accuracy and security.

City platforms for data management enable a shift in the approach to data and policy making. Rather than focusing on a vertical siloed approach, data management platforms enable a more horizontal across-the-board approach that maximises the benefits of combining data from many different sources. It enables sharing data across administrative departments within the local administration, across different levels of government, among cities at different locations, not only neighbouring ones, and with private, voluntary and academic organisations. Using a platform to share open data is also a way of improving relations between local authorities and citizens, strengthening co-operation and co-ordination among local governments and across governments at different levels, enhancing efficiency in public administration and boosting innovation in public service delivery. For example, the use and governance of data in Barcelona in Spain, London in the United Kingdom, Nantes Métropole in France and Seoul Metropolitan Government in Korea provide important lessons on how the notion of a smart city can be reconceptualised to be responsible, citizen-centric and privacy-preserving.

• In France, three local authorities – the Loire-Atlantique department, Nantes Métropole and the Pays de la Loire region – have created a common platform for opening up public data. These authorities allow all reusers (citizens, associations, companies, local authorities, etc.) to access a wide range of open data from the same portal. Whether users connect to data.nantesmetropole.fr, data.loire-atlantique.fr or data.paysdelaloire.fr, they benefit from all of the data and features of this shared platform. To ensure an orderly approach to data sharing and consistency of the open data portals in form and substance, the three local authorities issue a charter of uses of the shared approach (Charte des usages de la plateforme Open Data mutualisée) (Nantes Métropole, 2022[113]). These rules of use as well as their evolutions are subject to validation by the co‑ordinators of the pooled approach in the steering committee composed by the three local authorities. In addition, Nantes Métropole participates in the national transport.data.gouv experiment led by the Inter-ministerial Directorate for Digital and State Information and Communication System (Direction interministérielle du numérique et du système d’information et de communication de l’État, DINSIC), the Ministry of Transport and Etalab. The transport.data.gouv platform constitutes the French National Access Point (Point d’Accès National, PAN) and aims to reference all transport data. It contributes to the improvement of the links between data producers and reusers and provides all of the tools and information necessary for their quality, interoperability and reuse.

• In Germany, the city of Hamburg adopted a comprehensive Digital Strategy for Hamburg that establishes the adoption of digital technologies to improve residents’ quality of life. Data are regarded as a key element in the building of digital cities. Thus, the strategy includes the Urban Data Platform Hamburg (UDP_HH) as the technological “data hub” of the city. Its goal is not to be a uniform central data resource but the standardised technical linking of the city’s many decentralised systems and databases (system of systems). Moreover, the Urban Data Hub (UD‑HUB) aims to co-ordinate the handling of urban data. The technical organisational unit is responsible for the strategic management of the common municipal data infrastructure. One of its main tasks is the operation and further development of the UDP_HH as well as the organisation and standardisation of the technical data and process interfaces (e.g. Xbau and Xplanung) and the facilitation of the integration of data from procedures of the urban actors to the UDP_HH (City of Hamburg, 2020[114]).

• In the United Kingdom, London authorities have concluded that cities need a simple well-known and trusted technical means to share data among departments and stakeholders. For that reason, they created the London Datastore, which is an open data-sharing portal where anyone can access data relating to the city. Citizens, business owners, researchers and developers can have access to data provided through more than 700 datasets. The datastore includes a High Streets Data Partnership, a Night Time Observatory, the Planning London Datahub and data on economic fairness. In June 2022, London announced an investment of GBP 500 000 to create a new platform to boost data innovation and establish a data governance body. The new Data for London platform will act as a “central library” for the vast amount of data held across the capital, enabling residents to access both public and private data more easily and in a more sophisticated manner.33

• In Spain, in 2011, the city of Barcelona set the Open Data BCN portal as part of the Barcelona Ciutat digital strategy to ensure and facilitate the access, storage and sharing of public information with the objective of maximising available public resources, exposing the information generated or guarded by public bodies, allowing data access and use for the common good and for the benefit of anyone and any entity interested.34 Public information can be of any type or subject: pictographic documents, statistical data, results of studies or analysis, information on public services, etc. A wide range of users (e.g. private companies, researchers, public institutions or citizens) may make use of information resources for any purpose, maximising the economic and social possibilities offered by this project: promotion of transparency in management, improvement of services to citizens, generation of business activities and social impact, in search of efficiency in governance. The Open Data BCN service is transversal to several of the pillars of the city’s digital strategy35 and is based on the principle that all public information managed by municipal public entities must be publicly exposed by default, allowing their reuse. The Open Data BCN service provides information in an automatically processable manner, enabling processing efficiency through the latest and most advanced technologies.

• In Korea, the Seoul Metropolitan Government (SMG) has created a system for data management to respond to future challenges pre-emptively and leverage advanced technology to build confidence in smart services. The system is known as the 6S model for a smart city-based infrastructure (Figure 2.10). It is a simple but comprehensive system for converging and linking high technology and data. Its first component is the Smart Seoul Network (S-Net), a smart city communication infrastructure that can provide smart city services throughout Seoul’s public living area. It is the foundation of the future smart city Seoul that guarantees citizens the right to communicate and solves numerous urban problems. Data are collected from the different IoT devices (Smart Seoul Data of Things, S-DoT). IoT sensors are installed throughout the city of Seoul to collect, distribute and analyse various urban phenomenon data such as fine dust, living population, noise and illumination at once, and use it to formulate data-based urban policies and discover services for citizen feeling, and to implement a safe city by collecting and utilising smart CCTV city safety data. Then, the S-Data integrates all data from Seoul Metropolitan Area to use in real time. It collects, shares and utilises all data from the city of Seoul to promote the data economy and play the role of smart city infrastructure to implement Data Sharing Seoul. The S-Brain analyses a wide range of data across municipalities, including administration, transportation and environment, to support AI-based decision making that creates new services. Data are also used in the S-Map, which is an advanced system that implements Seoul equally in three-dimensional (3D) virtual space and predicts changes related to urban planning, environment and safety, enabling evidence-based policy responses. In response to the increasing security threats of new smart city technologies, the S-Security provides safe public administration services through accident prevention and implements measures to ensure the safety of personal information.36 A key message from Seoul’s experience is that even if a city has the technology for building data management platforms, it is essential to have the necessary policies in place to make the process work.

Ensuring interoperability can start within the local public administration itself. According to the experience of Estonia and Korea, a key challenge for interoperability is to capture and share data across ministries. A digital administration must unify and centralise its citizens’ information. This would make a more cost-efficient and effective administration, as in many cases, citizens have multiple IDs issued by different government agencies. Each ministry or department’s dataset has its own characteristics and information. This profusion of data in different administrative bodies causes duplication, slows down government action and is detrimental to citizens’ well-being. To address this issue, in 2021, the Seoul Metropolitan Government (SMG) established the first stage of the Big Data Service Platform to store public data in one place (Box 2.28). The goal is to unify all public data collection and management, usually dispersed among different SMG institutions and departments, with the aim of producing, utilising and opening high-quality public data. The platform is composed of a unified, integrated management system for storing and utilising public data and a physical infrastructure (data lake) that stores huge amounts of source data in one place. To operate the platform, the SMG established an integrated data governance system to unify data access and collection authority management. By producing and distributing high-quality public data through metadata management, data standardisation and quality management, the SMG set the basis for public-private data analysis and utilisation convergence. The SMG operates other data platforms for more specific purposes: Open Data Plaza, Big Data Campus and Seoul Smart City Platform. A basic feature is that each of these platforms has a different target population and, thus, access rules, although, in principle, they are all accessible to citizens. The SMG’s experience in data governance and management suggests that to build more effective data management practices, it is necessary to: i) regard data as a public resource that can be used by public and private actors to create value and not as a by-product of social and economic activities; ii) strengthen the data ecosystem for a more dynamic flow of data production, distribution and utilisation; iii) specify the roles of each institution to co-ordinate data collection and management across policy fields avoiding data duplication; and iv) adopt a comprehensive national data strategy that guides the creation of value by collecting and analysing data nationally.

Although national governments are taking the lead to facilitate interoperability for data sharing across national-level organisations, subnational governments are also adapting interoperability frameworks to support their smart city initiatives. Some interoperability frameworks focus on specific sectors or policies. This helps organisations share common goals and mandate to access, reuse and share common datasets. As mentioned above, Sweden’s Geodata Strategy of the National Land Survey authority was key to bringing coherence and fostering the value of geodata for efficiency, innovation and competitiveness (Lundquist, Rannestig and Sandgren, 2010[88]). In the Netherlands, the Dutch Metropolitan Innovations (DMI) ecosystem aims to facilitate data sharing, not only among cities and across levels of government but also among public and private stakeholders. The DMI ecosystem also seeks to ensure better connections between various domains (e.g. mobility, urban planning and housing) and stakeholders to optimise the use of data (Box 2.29).

At the subnational level, interoperability also takes place within sectors and across cities. Cities take measures to ensure data sharing among organisations in the same sector, such as transport or the judiciary. Interoperability is also used to ensure data can be shared across cities to build and provide common public services.

The city of Buenos Aires, Argentina, and Los Angeles County in the United States exemplify the case of interoperability within a policy sector as both cities have used IT platforms for data sharing and make public services more efficient and effective.

• The case of judicial power in the city of Buenos Aires, Argentina, provides a clear example of the efforts cities are conducting to ensure interoperability within the same sector to enhance efficiency and effectiveness in service delivery. In 2014, the Judicial Council (Consejo de la Magistratura) decided to initiate a process of digital transformation of the judiciary of the city of Buenos Aires. At that time, the Judicial Council had a variety of systems to manage files in the criminal, misdemeanour jurisdictions, administrative and tax, chamber of appeals, etc. These systems were designed in different databases making administration complex. To make the judicial system of the city more modern and efficient, the city analysed the experiences of the province of San Luis and the city of Salta, which had already made a digital transition in their judicial systems. Based on these experiences, the city decided to use the IURIX application as it had been key in the design of a multi-organisation, multi-instance architecture based on a single database with embedded digital signature and processor. The city of Buenos Aires implemented a Judicial IT system platform (Servicios Informáticos Judiciales, SIJ) to be able to exchange information with internal and external bodies to the judiciary of the city of Buenos Aires, in such a way that when a system connects to the SIJ, it automatically establishes a connection with the rest of the systems that are part of the platform. The SIJ is a service-oriented architecture that enables interoperability among all systems of the judicial power of the city, maintains the independence of the different systems, and facilitates scalability; indeed, if one service is improved, improvements can be made in all other services (Ferrero, 2021[117]).

• In Los Angeles County, United States, the local government partnered with the Los Angeles Network for Enhanced Services (LANES) – a non-profit organisation responsible for operating a community-based health information exchange (HIE) for hospitals, health systems, clinics in Los Angeles County – to connect all healthcare databases in the county. Los Angeles County has nearly 10 million residents, accounting for approximately 27% of California’s population. In Southern California, healthcare is delivered locally as most patients typically seek care within their metropolitan area. Patients visit health facilities where data omissions could extend to duplicate, incomplete or inconsistent records missing recent medical encounters and demographic data such as laboratory or other diagnostic tests, medications, allergies and family medical histories. The lack of quality, relevant and reliable patient data and the inability to share them is a challenge for providers as patients switch across healthcare services. The county’s healthcare system is rather fragmented and requires connecting beyond electronic health records. Thus, the local government and LANES have partnered to aggregate medical records and put them to use for Los Angeles health service providers. The aim is to connect local providers across the care continuum to the most up-to-date patient data when needed and from various sources. In 2018, L.A. Care Health Plan teamed up with LANES to help to provide co‑ordinated healthcare. More recently, Health Net of California, UCLA Health, Emanate Health and Beverly Hospital and LANES joined forces to make robust clinical data available to HIE provider participants (Modaressi, 2020[118]).

Data flows across borders in the context of globalisation and digitalisation is also increasing and is needed to ensure economic growth on a global scale. In this context, interoperability is becoming more relevant and cross-border data flows demand greater government action to ensure the protection and ethical use of data, particularly citizen data, when those are collected, processed and used by organisations from all sectors (OECD, 2019[3]). Stronger international data governance arrangements are needed to monitor the access, use and sharing of data produced in different countries.

Japan has been an international leader in the promotion of trust in data management for economic growth and social well-being. Since 2019, the Japanese government has been promoting an international order for Data Free Flow with Trust (DFFT) (Box 2.30). DFFT is a basic concept for the data-driven society the Japanese government is promoting. Since digital data are driving the economy forward, DFFT entails that countries and citizens must be able to put data embodying intellectual property, national security intelligence and so on under careful protection while enabling the free flow of medical, industrial, traffic and other most useful, non-personal, anonymous data across borders.

To achieve the goals of the DFFT vision, it is essential to promote rules (i.e. privacy, security and intellectual property issues), technologies (i.e. security technologies) and data quality (i.e. accuracy, updated and comprehensive datasets) to build trust in government and its stakeholders.

To further advance the Osaka Track – a collective term for the global governance processes needed to unleash the benefits of more open and trusted data flows – the WEF has issued a series of recommendations to implement the DFFT vision, such as:

• Governments should issue good privacy and security protections that empower users to control rights to their personal information in accordance with international guidelines and standards.

• Businesses should provide information on data treatment and enhance transparency.

• Governments and large industry actors should forge public-private partnerships to advise micro enterprises and SMEs on using digital technologies to drive growth and competitiveness.

• Governments should negotiate trade agreements that include obligations with respect to data while ensuring sufficient discretion to regulate in the public interest (WEF, 2020[120]).

A clear example of how to govern cross-border data flows is the agreement among Estonia, Finland and Iceland to reinforce data sharing to improve cross-border public service delivery. In 2013, Estonia and Finland signed a memorandum of understanding to initiate formal co-operation for the development and management of a software environment that enables secure connectivity, searches and data transfers among various public and private databases. This supported the implementation of cross-border digital services in areas such as tax, health and education, and enabled the deployment of Estonia’s X-Road data-sharing platform in Finland. The interconnection of Estonia’s and Finland’s X-Road platforms in 2018 facilitated greater, automated and secure cross-border data sharing and is considered seminal in the development of additional cross-border services in the region (OECD, 2019[3]). To deepen co-operation in a more formal yet flexible manner, the governments of Estonia and Finland decided to create a separate jointly managed special purpose organisation to administer the X-Road development called the Nordic Institute for Interoperability Solutions (NIIS) (Box 2.31). The success of the cross-border deployment of the X-Road between Estonia, Finland and their partners is due to technical reasons but, more importantly, to the shared data governance policy structures at the strategic level.

Cities and communities are confronted with complex challenges, ranging from an ageing population to energy efficiency and urban mobility. Thus, a large number of cities started making use of digital solutions to tackle those growing challenges; but the result, in many cases, has been a fragmented system for service delivery as every city has developed its own digital response. The lack of interoperability is a major obstacle to progress in digitalisation and innovation in cities. It prevents having a coherent national interoperable environment that facilitates the delivery of services that work together, within and across organisations or public and private domains, resulting in suboptimal public services and is a barrier to the integration of services provided at the local level and for effective communication among different data platforms and technologies. To use data more effectively in the framework of smart city initiatives, cities are building data linkage platforms that enable mutual linkage and sharing of data with relative ease.

Cities are also using IT platforms to share data across administrative departments and enhance data sharing with neighbouring cities in the framework of smart city initiatives. City governments generally implement a platform to collect, store and share data from multiple sources such as mobile phones, computers, cameras, sensors and others. The purpose is to collect data that can be used to provide better services, contributing to well-being and reducing costs for the city government. For example, since 2017, the city of Takamatsu in Japan has been building an IoT common platform using FIWARE as a cross-disciplinary linkage platform (Box 2.32). The platform can be used in any combination to suit the requirements of the users. Figure 2.12 shows that the platform includes a test environment where universities and private companies can run tests with the data collected. In 2020, the neighbouring municipalities of the town of Ayagawa and city of Kan’onji decided to use the common IoT platform of the city of Takamatsu by signing a collaboration agreement to form a wide-area disaster resilience initiative (FIWARE, 2020[123]). The basic idea was that utilising IoT data generated from a wider area provides more reliable and better insights. At the same time, such a wide-area collaboration also benefits residents who commute across municipality boundaries on a regular basis.

As a key component of smart city policies, smart mobility depends on managing and sharing vast amounts of heterogeneous data to ensure mobility benefits. By linking digital technologies and infrastructure, smart mobility projects seek to improve traffic management. It expands on the concept of intelligent transport systems to leverage communicative assets such as vehicles and infrastructure, mobility data platforms and shared mobility services. When all these components work in co-ordination, they have the potential to improve mobility in cities while reducing the negative aspects of public transport (ITF, 2020[107]).

Smart mobility requires taking advantage of (digital) technologies and data to deliver benefits. France, for example, has created a smart mobility platform to provide and operate a digital infrastructure to enable cities to regain power in mobility management.37 However, smart mobility requires an adapted regulatory framework that enables innovation without compromising other objectives such as efficiency, inclusiveness and safety. The International Transport Forum (ITF) and the OECD noted that governments do not need to regulate all aspects of smart mobility, although they need to ensure the overall regulatory framework is linked to other global public policies (ITF, 2020[107]). Voluntary agreements and contractual and concessionary agreements also have the potential to guide private sector action in smart mobility. Removing existing regulation that is no longer adapted to current needs is another task to be conducted while designing a smart mobility initiative. This could reduce excessive regulation that could prevent efficient service delivery.

Transport systems – and smart mobility projects in particular – generate an increasing amount of data. These data may be used to improve the performance of the transport system but also achieve other policy objectives such as housing and environmental protection. Certainly, data generated by transport systems cause tensions regarding which data are collected, by whom, for what purpose and how to balance individual and commercial value and public and social value (ITF, 2020[107]). The data governance arrangements need to enhance the capacity of stakeholders to follow data-sharing rules and address concerns about data collection and sharing. Smart mobility also calls for clear guidance or rules for data sharing, portability and reporting. These rules need to ensure the integrity of data to enable ticketing, payments and access rights and identification. Data should be shared with public authorities to monitor compliance with safety rules and use of public space, but also for planning purposes to improve efficiency and sustainability. The governance of data sharing should address these overlapping needs and enhance the capacity of stakeholders to abide by the data-sharing rules. Data sharing should be based on data minimisation by default.

Moreover, making the IT systems compatible is essential for interoperability. The case of the Suica card issued by the East Japan Railway Company (JR East) in Japan exemplifies this case (see Annex 2.B). To ensure service expansion, all actors must follow the same protocols, semantics and technical parameters. This is even more relevant in cases where, like the Suica card, this transport card is used for other purposes such as paying for consumer goods and increasing the need for more co-ordination with a wider number of stakeholders.

Mobility as a Service (MaaS) is a particular smart mobility initiative that exemplifies the use of data and the need for a clear data governance structure. MaaS builds on the idea of accessing via a single medium – for example, a smartphone – a large variety of mobility services, including public transport and shared mobility services (Crozet, 2020[125]). A large number of mobility service providers interact in a co-ordinated manner to give users the opportunity to access a wide range of mobility services. For MaaS to function, it needs to ensure data sharing and portability requirements among stakeholders and data reporting to public authorities to facilitate monitoring and planning while ensuring personal data protection (ITF, 2021[126]).

MaaS aims to facilitate travellers’ mobility through a customer-facing user interface supported by a back‑office exchange of usually sensitive information among different stakeholders (ITF, 2021[127]). Therefore, it requires a comprehensive and agile data governance framework that guides the management of data sharing and reporting. These governance arrangements need to achieve three goals: an efficient service for travellers, a remunerative business for MaaS providers and meet broader urban and social development objectives.

Several cities have introduced MaaS projects, such as: Helsinki, Finland, via the Whim system that offers multimodal packages;38 Hanover in Germany uses the Mobilitatsshop application to offer single public transport tickets;39 and Vienna, Austria, uses the WienMobil application through which users can buy a diverse range of public transport tickets and subscriptions.40 These experiences show that there are different organisational and governance models for setting up a MaaS system. Helsinki uses a commercial integrator model in which the MaaS operator signs bilateral agreements with the transport operators to finance and operate the system with minimum investment from the local government. Vienna uses a back‑end platform model by which the local authority sets up a platform to integrate data on different mobility services (e.g. timetables, booking, ticketing, routes). This platform is then used by MaaS operators to build their MaaS solution (Cerema, 2019[128]). Hanover uses transport as the integrator model, where the public transport network operator develops the service to attract other mobility service operators to take part in the MaaS solution (Cerema, 2019[128]).

Different factors allow the MaaS systems to operate, for example, having a diversified and efficient public transport network, good mobile phone network coverage and physical connections of the mobility services. However, one critical element is the open data and data exchange infrastructure. Cities require APIs for route calculation, booking, ticketing and price systems (ITF, 2021[126]). To enable MaaS, cities need to put into practice a data-sharing system by which all mobility operators and MaaS providers share certain data that allow them to keep their license to operate and the market to function. These data can be: informational, to allow MaaS providers to plan, create and communicate mobility services; operational (e.g. identity of the traveller, access to vehicles and services, the start of trips etc.) that can be shared with the consent of the user; and transactional to provide access to booking and payment to facilitate combining and paying for trip segments. Audit mechanisms are needed to monitor adherence to purpose specifications in processing and retaining data. It is also important that data reporting mechanisms are put in place to allow public authorities to access data from the MaaS ecosystem to plan, monitor and control market functions (Figure 2.13). Transport and city authorities need to ensure that technical mechanisms for data reporting are in place and aligned with those of data sharing, adopting security and data access protocols to guarantee the security of the sensitive data involved.

To offer their services, operators normally use an application-enabled platform that may be operated by the operators themselves, the city or transport authority, or a dedicated third party. Although this also raises the question of the rules to access the platform, which serve as gatekeepers and how to prevent anti‑competitive behaviour. When the platform is developed and operated by the operators themselves, it may provide great value for consumers, as services are highly co-ordinated; it, however, is unclear how they contribute to broader public policy goals such as well-being, sustainability and inclusiveness. When the public authorities operate the platform, integration with other policy goals is generally ensured but it may be harder for new MaaS operators to enter into the market or may create concerns about favouritism by public authorities. When a third party operates the platform, the risks encountered with publicly operated platforms may be avoided but the platforms require transparent operating rules, auditability and accountability towards public authorities (ITF, 2020[107]). Adopting platform access standards may reduce the transaction costs associated with delivering platform-mediated MaaS services. The platforms enable easy and open integration of mobility services within the MaaS ecosystem.

In Japan, in the Fukushima prefecture, the city of Aizuwakamatsu had a population of 116 171 inhabitants in 2021. Like the rest of the country, Aizuwakamatsu is experiencing a population decline of 6.3% between 2011 and 2021 (i.e. more than 1 000 per year); the birth rate has declined by 23% in the last decade. In particular, the working-age population (aged between 18 and 64 years) shrank 13.7% in the same period. However, the proportion of elderly residents (31% of the population) exceeds the national average (28.8%) and the amount of people requiring long-term care is close to 40% of the local population (Muroi, 2021[129]). The city is home to an important agglomeration of ICT-related industries represented by Smart City AiCT at the University of Aizu, the largest university in the country dedicated to advanced ICT software and hardware training and research, and to a semiconductor factory. After the 2011 earthquake, which affected large areas of the country, and the Fukushima nuclear plant disaster, the local government has been promoting a number of smart city initiatives to underpin recovery and tackle the main sociodemographic issues that affect the city.

To manage the situation, the city government has been promoting a number of smart city initiatives through the Smart City Aizuwakamatsu strategy and vision. The objective of the smart city strategy is to use ICT in fields such as healthcare, welfare, education, disaster prevention, energy, transport, agriculture, government, infrastructure and environmental protection. To design and implement the different smart city initiatives, the local government promotes the active participation of citizens to understand their needs better. It collaborates with private enterprises such as Accenture in the creation of different ICT-related projects for service delivery. The local government facilitates piloting private companies’ smart projects in the city, which will be upscaled to the rest of the country. There is a strong collaboration with the University of Aizu, which provides advice and technical co-operation, and takes the lead in the training and upskilling of the private and public workforce on ICT. In the local government, the city also is deploying staff with ICT skills to implement different smart city initiatives across the administrative departments.

Therefore, data collection and management are essential elements of the smart city strategy. Data are essential to design personalised services based on data provided by residents. The city introduced a management operating system with an information platform, Aizuwakamatsu Plus, with the support of Accenture. The platform provides tailored information on more than ten digital services such as transportation, medical care, childcare and tourism. Opt-in is the fundamental approach to the city smart city initiatives, allowing residents to choose if they want to provide personal information in exchange for digital services. Around 20% of the population have opted in to the platform.

The digital platform Aizuwakamatsu Plus is the city operating system (OS). It functions as an open data platform and links datasets to the city. It is fed by IoT sensor data, open data, data provided by citizens who have opted in and data held by private companies. The role of Aizuwakamatsu Plus as the city OS is fourfold:

• Functions as a one-stop service to citizens. Citizens can use their regional ID to access and manage digital services in a wide variety of fields. The portal consolidates city services in a single, streamlined interface for citizens to use.

• Connects services and functions. It supports service providers in the development of efficient services and creates a more user-friendly experience by providing the authentication, ID management function and the “opt-in” management function that all services use in common.

• Co‑ordinates data and asset management. By developing a standardised API based on the Smart City Reference Architecture established by the Cabinet Office, data and asset management functions can be provided to allow for flexible and diverse data co‑ordination.

• Facilitates co-operation with other cities (and their OS). Citizen data can be linked with other cities’ OS on an “opt-in” basis, allowing for the horizontal development of various new services intended for city OS systems (Annex Figure 2.A.1). This method allows interoperability and more efficient service delivery across different cities and regions.

Collaboration must be based on common data standards, taxonomies and platforms for data sharing that are able to communicate with each other. Annex Figure 2.A.1 shows that with an open and standardised architecture, different cities, towns and villages can share data and develop new services without depending on a specific vendor. Moreover, services developed in other settings (i.e. cities or villages) can be used quickly and at a lower cost. The experience of the city of Aizuwakamatsu shows that deploying the city OS horizontally contributes to a stronger regional community and that the more local governments work together on sharing a common platform for data management, the more sustainable it will be.

Different services have been linked to Aizuwakamatsu Plus. For example, in the tourism industry, the city operates Visit Aizu, an inbound tourism website that reflects preferences according to the nationality of the visitors and displays tourism content that varies depending on the selected language and the time of the visit, rather than simply making a multilingual tourist site. In addition, if the users select their nationality/city, planned date of visit and individual interests, the site presents a recommended plan according to these data. Another example is the Line Chat application, a service that uses the smartphone application LINE to answer citizens’ questions 24 hours a day, every day of the year. The services have been upgraded to include services such as finding doctors open on holidays, garbage disposal, snowplough location information and inquiries related to COVID-19, among others. In healthcare, through the Aizu Healthcare Demonstration Service, residents can access a number of services such as visualisation of medical check-up results, lifestyle disease risk analysis and visualisation of conducted physical activity according to wearable devices. These healthcare services have led to an improvement of 95% in health awareness and 89% of improvement in the adoption of healthy habits (Aizuwakamatsu City, n.d.[130]).

In Japan, railways have become integral to people’s daily lives (mass commuter transportation, real daily contact points). The East Japan Railway Company (JR East) is one of the six main railway companies that provides passenger rail services in the country. It focuses on the eastern part of the country, which includes the Tokyo Metropolitan Area. The company was created in 1987 through the privatisation of Japan National Railways. JR East has three business domains. The first is transportation services that include a 7 401 km passenger line network and1 676 stations that provide services to 12 million passengers daily. In fiscal year (FY) 2021, the company reported revenues of JPY 954.3 billion (approximately USD 7 billion) (JR East, 2021[131]). The second domain is what the company calls “lifestyle services” as it operates 193 shopping centres and 9 190 hotel guest rooms. Finally, the IT and Suica Services refers to a digital network centred on the Suica card. Through these domains, JR East aims to provide seamless services for information, purchases and payments in people’s mobility and daily lives through business development centred on railways.

Since customer satisfaction with having different train cards for different train operators was low, in 2001, JR East issued a prepaid e-money card for travelling and shopping, the Super Urban Intelligent Card (Suica). Though not an e-money card when launched, JR East was the first company in Japan to introduce the service.

The Suica card uses the pay-as-you-go method: travellers need to recharge the card, which gets debited every time it is used. There are four types of Suica cards: physical, digital (on mobile phones), employee and student ID, and credit, which is another functionality of Suica. The card can be used on JR East lines in the Tokyo Metropolitan Area as well as for subways, buses and the Tokyo Monorail that connects Haneda Airport with Tokyo. In addition to the Tokyo area, the Suica card can be used for certain transportation systems in the Hokkaido, Kyushu, Sendai and Niigata, Tokai and West Japan areas. Other uses include a key function for shared bicycles and cars.

JR East has other business activities besides rail passenger transport, such as hotel accommodation, retail and restaurants where the card can be used. The Suica card can also be used for paying in businesses affiliated with the card, as it has been linked to merchandise sales at stations, restaurants and hotels. Thus, the card can be used for purchases on board trains as well as from vending machines, to rent coin lockers and for spending at convenience stores and restaurants. JR East has agreements with Apple Pay and Google Pay to enable the card to be used for the services they provide.

The company wants to expand the Suica card nationwide. The aim is to make the card a replacement for train tickets. There are associations with other train companies throughout the country so that the card can be used in different areas. Suica is normally used for short-distance trains but, since 2018, the card can be used on high-speed train services. Nowadays, ten different transportation companies across the company accept the Suica card, facilitated by the use of JR East technology for their own cards. The ten transportation integrated circuit (IC) cards (including Suica) are not linked in terms of data but rather in terms of standardisation (so that they can be used mutually) and the data are owned by each rail company. In 2021, JR East was reported to have issued 86.63 million Suica cards, with 250 million monthly transactions for public transportation electronic money. The card is accepted in 1.15 million stores.41

JR East uses the big data collected both through the Suica card and the payment platform e-Money to generate a station chart or report providing information station by station and even sells the data to third parties. Before the introduction of the Suica card, there was no possibility of getting detailed information about who boarded from which station and alighted at which station: JR East only had information on the trains. The use of the Suica card has allowed the company to produce big data that can be utilised and traded. The data collected through the card help to improve passenger convenience as it allows them to be cashless and ticketless at the stations. It also helps the company reduce costs as the equipment and hardware are cheaper and security is improved. JR East’s main businesses are train passenger transport and retail businesses (i.e. hotels, restaurants) and the introduction of the Suica card has opened up a new business activity through the marketing of data.

Indeed, JR East collects two types of data. Data related to railway operations include operation information data, train congestion data (i.e. stress-weighted data), ticket gate open data, image data (i.e. inside stations and trains) and maintenance data (e.g. electricity, rails, station buildings, escalators, elevators, air conditioning, etc.). These data are used to provide timely information to passengers (e.g. train delays and cancellations), for operation management (e.g. to improve operation schedules and air conditioning) and for improving the design of facilities in stations and trains. The use of the Suica card allows JR East to collect information such as the profile of passengers (i.e. age bracket, gender, origin and destination, and the length of their visit to a station). These data are for JR East use but can also be considered marketing data from the perspective of understanding people’s movement. JR East receives requests from real estate companies and businesses located in the neighbourhood of the station for this kind of data. In fact, JR East started to provide data services in May 2022. Local governments have also begun to approach JR East, inquiring about statistics regarding the origin and destination of travellers, in view of using that data in their sales and marketing activities such as tourism.

Private data are protected as information such as names and addresses are not used for analysis. However, some of the cards are for students and office workers and that characteristic provides JR East with a clearer profile of the customers. The other type of data refers to customer usage, which includes Suica settlement data,VIEW credit card data (i.e. customer data, settlement data), ticket sales data and point of sales data. This type of data is used to guide users and improve services, as well as management data for a variety of measures.

Nowadays, other train operators accept Suica cards. Every train operator has its own card. The cars are not linked by data but by standards, making interoperability possible while protecting data privacy and ownership. When data are aggregated, the rail companies carry out the aggregation use the same specifications for each company’s data. The JR East card system is very different from that used in other regions, even if the Suica card can be used there. To allow this aggregation, instead of asking other companies to use the JR East system, the company provides the specification so that the card can be used in other systems. It is a combination of two or three different systems. JR East and other train companies focus more on unifying data standards rather than linking their datasets. Therefore, it is possible to see the use of different cards in different systems. A similar situation can be observed in cities, as interoperability is ensured by having the same standards as linked data.

The card system of the JR East Suica card has also been used in some smart city initiatives. JR East and the city of Maebashi in the Gunma prefecture have linked My Number Card (the social security card in Japan) to Suica. This entails that some information stored in the My Number Card is identified by Suica’s IC chip and retained. This facilitates the provision of some services, such as applying discounts on buses to residents of the city of Maebashi. This experience suggests that, in the future, it will be possible to mix administrative information with transport data for better service provision and even use Suica cards to access health services.

In 2014, JR East launched an application to provide information about routes and trains, and eventually expanded it to provide other services. The application has a real-time route function that gives the best route from Stations A to B by combining direct train information. The application includes information on train delays. JR East has been working with different transport providers, such as other train, bus and subway companies, to provide more real-time information regarding all transport providers. The application includes train congestion information and, thanks to the installation of cameras in each train coach, passenger numbers and crowding statistics. This information is provided to application users as there was a demand for this kind of information during the COVID-19 pandemic.

[84] Abu Dhabi Government (n.d.), Data Management Standards, Systems and Information Centre, Abu Dhabi, https://addata.gov.ae/sites/default/files/AD-Gov-Data-Management-Standards-EN-v1.0.pdf (accessed on 2 August 2022).

[106] Agency for Digital Italy (2018), White Paper on Artificial Intelligence at the Service of Citizens, https://www.agid.gov.it/en/agenzia/stampa-e-comunicazione/notizie/2018/04/19/english-version-white-paper-artificial-intelligence-service-citizen-its-now-online (accessed on 29 September 2022).

[28] Aguiar, M., V. Boutenko and S. Lacanna (2021), “Vibrant cities are built on trust”, Cities of the Future, BCG, https://www.bcg.com/publications/2021/vibrant-cities-are-built-on-trust (accessed on 19 January 2023).

[111] Ahlgren, B., M. Hidell and E. Ngai (2016), “Internet of Things for Smart Cities: Interoperability and open data”, IEEE Internet Computing, Vol. 20/6, pp. 52-56, https://doi.org/10.1109/MIC.2016.124.

[130] Aizuwakamatsu City (n.d.), “Initiatives and vision for “Smart City Aizuwakamatsu” - Examples of Smart City initiatives”, Information provided to the OECD by the government of Aizuwakamatsu, Aizuwakamatsu.

[4] Algmin, A. and J. Zaino (2018), Trends in Data Governance and Data Stewardship: A 2018 DATAVERSITY® Report, http://content.dataversity.net/rs/656-WMW-918/images/Trends%20in%20Data%20Governance%20and%20Stewardship_FinalRP-Graphs.pdf (accessed on 22 September 2022).

[46] ARDC (2022), About the ARDC, Australian Research Data Commons, https://ardc.edu.au/about_us/ (accessed on 23 September 2022).

[27] Arrighi, J. et al. (2022), The Scale of Trust: Local, Regional, National and European Politics in Perspective, Groupe d’études géopolitiques, https://geopolitique.eu/en/2022/07/13/the-scale-of-trust-local-regional-national-and-european-politics-in-perspective/ (accessed on 19 January 2023).

[133] At Internet (n.d.), Privacy by Design (PbD), https://www.atinternet.com/en/glossary/privacy-by-design-pbd/ (accessed on 19 September 2023).

[54] Ayuntamiento de Bilbao (2022), Bilbao Data Manifesto, Ayuntamiento de Bilbao, Bilbao, https://kopuru.com/bilbao-data-manifesto-los-10-principios-eticos-que-regiran-el-uso-de-datos/ (accessed on 27 July 2022).

[9] BBSR (2021), Data Strategies for Common Good-oriented Urban Development, Federal Institute for Research on Building, Urban Affairs and Spatial Development, https://www.smart-city-dialog.de/wp-content/uploads/2021/12/data-strategies-common-urban-development-dl-1.pdf (accessed on 9 May 2023).

[36] Bella, K. (2021), “How to overcome mistrust of data”, World Economic Forum, https://www.weforum.org/agenda/2021/12/how-to-overcome-mistrust-of-data/ (accessed on 1 August 2022).

[52] Berman, G. et al. (2018), “Ethical considerations When using geospatial technologies for evidence generation ethical considerations”, Innocenti Discussion Paper, No. DP-2018-02, UNICEF Office of Research, http://www.unicef-irc.org (accessed on 4 October 2022).

[34] Bischoff, P. (2022), “Surveillance camera statistics: Which city has the most CCTV cameras?”, Comparitech, https://www.comparitech.com/vpn-privacy/the-worlds-most-surveilled-cities/ (accessed on 6 February 2023).

[66] Business Insider (2020), “8 cities that have been crippled by cyberattacks — and what they did to fight them”, https://www.businessinsider.com/cyberattacks-on-american-cities-responses-2020-1?r=US&IR=T#st-lucie-florida-3.

[65] Business Insider (2018), “Atlanta has shut down courts and people there can’t pay their bills online because of a crippling cyberattack the mayor has called ’a hostage situation”, https://www.businessinsider.com/atlanta-cyberattack-cripples-city-operations-2018-3?r=US&IR=T.

[78] Cella, L. (2017), “Managing water supply with smart technology”, Utility Magazine, https://utilitymagazine.com.au/managing-water-supply-with-smart-technology/ (accessed on 1 August 2022).

[128] Cerema (2019), MaaS in Europe: Lessons from the Helsinki, Vienna and Hanover Experiments, https://www.cerema.fr/system/files/documents/2020/04/cerema_parangonnage_maas_rapport_complet_eng.pdf (accessed on 6 March 2023).

[58] Cerrudo, C. (2015), An Emerging US (and World) Threat: Cities Wide Open to Cyber Attacks, IOActive Labs, https://ioactive.com/pdfs/IOActive_HackingCitiesPaper_CesarCerrudo.pdf (accessed on 8 February 2023).

[33] Chandran, R. (2023), “Police in India are expanding their surveillance reach by tapping into private security systems”, Scroll.in, https://scroll.in/article/1041633/police-in-india-are-expanding-their-surveillance-reach-by-tapping-into-private-security-systems (accessed on 6 February 2023).

[73] City of Chicago (n.d.), Information Security Office, https://www.chicago.gov/city/en/depts/dgs/supp_info/information-security-office.html.

[20] City of Columbus (2021), Smart Columbus Program Summary, https://d2rfd3nxvhnf29.cloudfront.net/2021-06/20210615-smart-columbus-program-summary-FINAL_0.pdf (accessed on 7 October 2022).

[21] City of Columbus (2020), Data Management Plan for the Smart Columbus Demonstration Program, https://d2rfd3nxvhnf29.cloudfront.net/2020-08/SCC-E-DataManagementPlan-Update-v1.pdf (accessed on 7 October 2022).

[23] City of Columbus (2020), Data Privacy Plan for the Smart Columbus Demonstration Program, https://d2rfd3nxvhnf29.cloudfront.net/2020-09/SCC-D-DataPrivacyPlan-AnnualUpdate-V2_0.pdf (accessed on 7 October 2022).

[22] City of Columbus (2019), Project Management Plan for the Smart Columbus Demonstration Program, https://d2rfd3nxvhnf29.cloudfront.net/2019-08/Smart%20Columbus%20Smart%20City%20Challenge%20Project%20Management%20Plan.pdf (accessed on 7 October 2022).

[114] City of Hamburg (2020), Digital Strategy for Hamburg, Senate Chancellery, Hamburg, https://www.hamburg.de/contentblob/14924946/e80007b350f1abdc455cfaea7e8cd76c/data/download-digitalstrategie-englisch.pdf (accessed on 5 May 2023).

[51] City of Seattle (2023), Privacy & Cybersecurity Committee - Community Technology Advisory Board, https://www.seattle.gov/community-technology-advisory-board/what-we-do/committees/privacy-and-cybersecurity (accessed on 7 February 2023).

[110] City of Takamatsu (2022), “Takamatsu City’s Smart City Vision”, Presentation given to the OECD on 24 June 2022, Takamatsu.

[69] Computer Weekly (2023), “Suspected LockBit ransomware attack causes havoc in City of London”, https://www.computerweekly.com/news/365530214/Suspected-LockBit-ransomware-attack-causes-havoc-in-City-of-London.

[30] Cró, I. and T. Castro Roegiers (2021), Data Protection in the Smart City of Lisbon, Flanders Investment & Trade, Lisbon, https://www.flandersinvestmentandtrade.com/export/sites/trade/files/market_studies/2021-Portugal-Data%20protection%20in%20the%20smart%20city%20of%20Lisbon-Website_2.pdf (accessed on 3 February 2023).

[125] Crozet, Y. (2020), “Mobility as a Service: A New Ambition for Public Transport Authorities”, International Transport Forum Discussion Papers, No. 2020/16, OECD Publishing, Paris, https://doi.org/10.1787/3de9adb3-en (accessed on 5 March 2023).

[38] Curzon, J., A. Almehmadi and K. El-Khatib (2019), “A survey of privacy enhancing technologies for smart cities”, Pervasive and Mobile Computing, Vol. 55, pp. 76-95, https://doi.org/10.1016/J.PMCJ.2019.03.001.

[95] Development Asia (2021), Digital Mayor’s Office: An Integrated Smart City Data Platform, https://development.asia/case-study/digital-mayors-office-integrated-smart-city-data-platform.

[37] Dilmegani, C. (2022), Top 10 Privacy Enhancing Technologies & Use Cases in 2023, AI Multiple, https://research.aimultiple.com/privacy-enhancing-technologies/ (accessed on 6 February 2023).

[55] Dodge, M. and R. Kitchin (2017), “The challenges for cybersecurity for smart cities”, Journal of Urban Technologies, pp. 205-216, https://personalpages.manchester.ac.uk/staff/m.dodge/Dodge_Kitchin_Challenges_of_Cybersecurity_for_Smart_Cities.pdf (accessed on 8 February 2023).

[48] DPC (2022), Homepage, Data Protection Commission, https://www.dataprotection.ie/ (accessed on 23 September 2022).

[47] DSCI (2023), About DSCI - Data Protection, Thought Leadership, Policy Advocacy, Data Security Council of India, https://www.dsci.in/content/about-us#about_section (accessed on 7 February 2023).

[60] Ebrahimian, H. et al. (2018), “The price prediction for the energy market based on a new method”, Economic Research, Vol. 31/1, pp. 313-337, https://doi.org/10.1080/1331677X.2018.1429291.

[98] EC (2021), Proposal for a European Interoperability Framework for Smart Cities and Communities (EIF4SCC), European Commission, https://op.europa.eu/en/publication-detail/-/publication/f69284c4-eacb-11eb-93a8-01aa75ed71a1/language-en (accessed on 4 August 2022).

[99] EC (2017), New European Interoperability Framework: Promoting Seamless Services and Data Flows for European Public Administrations, European Commission, https://ec.europa.eu/isa2/sites/default/files/eif_brochure_final.pdf (accessed on 4 August 2022).

[29] Edelman (2022), Edelman Trust Barometer 2022, https://www.edelman.com/sites/g/files/aatuss191/files/2022-01/2022%20Edelman%20Trust%20Barometer%20FINAL_Jan25.pdf (accessed on 19 January 2023).

[32] EU (2022), General Data Protection Regulation (GDPR) Compliance Guidelines, European Union, https://gdpr.eu/ (accessed on 26 September 2022).

[112] Fältström, P. (2016), “Market-driven challenges to open internet standards”, Global Commission on Internet Governance Paper Series, No. 33, Global Commission on Internet Governance, https://www.cigionline.org/publications/market-driven-challenges-open-internet-standards/ (accessed on 5 October 2022).

[117] Ferrero, M. (2021), “Interoperabilidad en sistemas”, Sistemas Judiciales, Vol. 24, https://inecip.org/wp-content/uploads/2021/12/Sistemas-Judiciales-N%C2%B024-Genoveva-Ferrero.pdf (accessed on 30 September 2022).

[123] FIWARE (2020), “Collaborating municipalities for disaster resiliency and sustainable growth”, Smart Cities and Logistics, http://www.fiware.org (accessed on 8 August 2022).

[56] Fortinet (2022), “Fortinet registró 137 mil millones de intentos de ciberataques en América Latina en la primera mitad del año”, https://www.fortinet.com/lat/corporate/about-us/newsroom/press-releases/2022/fortinet-registro-137-mil-millones-de-intentos-de-ciberataques-e (accessed on 23 February 2023).

[5] Franke, J. and P. Gailhofer (2021), “Data governance and regulation for sustainable Smart Cities”, Frontiers in Sustainable Cities, Vol. 3, p. 148, https://doi.org/10.3389/FRSC.2021.763788/BIBTEX.

[101] Government of Argentina (2018), Resolución 19/2018, Ministerio de Justicia y Derechos Humanos, Argentina, http://servicios.infoleg.gob.ar/infolegInternet/anexos/305000-309999/307439/norma.htm (accessed on 28 September 2022).

[100] Government of Argentina (2016), Decreto 1273/2016 Simplificación Registral, https://www.argentina.gob.ar/normativa/nacional/decreto-1273-2016-269242/texto (accessed on 28 September 2022).

[104] Government of Argentina (n.d.), Guía para la identificación y uso de entidades interoperables, Paquete de Apertura de Datos de la República Argentina, https://datosgobar.github.io/paquete-apertura-datos/guia-interoperables/#objetivo-de-esta-guia (accessed on 29 September 2022).

[24] Government of Colombia (2022), Plan Nacional de Infraestructura de Datos, Ministrio de Tecnologías de la Información y las Comunicaciones, Bogotá, https://www.mintic.gov.co/portal/715/articles-198952_resolucion_00460_2022.pdf (accessed on 31 July 2022).

[105] Government of France (2015), Référentiel Général d’Interopérabilité Standardiser, s’aligner et se focaliser pour échanger efficacement, Direction Interministérielle du Numérique et du Système d’Information et de Communication de l’Etat, Paris, https://www.numerique.gouv.fr/uploads/Referentiel_General_Interoperabilite_V2.pdf (accessed on 29 September 2022).

[16] Government of India (n.d.), DataSmart Cities: Empowering Cities Through Data, Ministry of Housing and Urban Affairs, https://smartcities.data.gov.in/sites/default/files/DataSmart_Cities_Strategy_Print.pdf (accessed on 29 July 2022).

[17] Government of India (n.d.), Open Data Platform: India Smart Cities, https://smartcities.data.gov.in/.

[7] Government of Japan (2021), National Data Strategy, Digital Agency, Tokyo, https://www.digital.go.jp/assets/contents/node/basic_page/field_ref_resources/0f321c23-517f-439e-9076-5804f0a24b59/20210901_en_05.pdf.

[103] Government of Japan (2020), スーパーシティ／スマートシティの相互運⽤性 の確保等に関する検討会 最終報告書 令和2年 9⽉ スーパーシティ／スマートシティの相互運⽤性の確保等に関する検討会 (Interoperability for smart city), Digital Agency, Tokyo, https://www.chisou.go.jp/tiiki/kokusentoc/supercity/pdf/sogowg_houkokusyo.pdf (accessed on 4 August 2022).

[91] Government of Japan (2017), “Basic Principles on Open Data (provisional translation)”, https://cio.go.jp/sites/default/files/uploads/documents/data_shishin_en.pdf (accessed on 11 July 2022).

[45] Government of Japan (2016), 官民データ活用推進基本法 [Basic Act on the Advancement of Public and Private Sector Data Utilization], https://japan.kantei.go.jp/policy/it/data_basicact/data_basicact.html (accessed on 11 July 2022).

[44] Government of Japan (2013), Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Act No. 27 of 2013 as Amended), https://www.dataguidance.com/legal-research/act-use-numbers-identify-specific-individual (accessed on 1 August 2022).

[90] Government of Japan (2013), Japan Open Data Charter Action Plan, https://japan.kantei.go.jp/policy/it/2013/1029_fulltext.pdf (accessed on 23 June 2022).

[43] Government of Japan (2003), Act on the Protection of Personal Information, https://www.japaneselawtranslation.go.jp/en/laws/view/4241/en (accessed on 1 August 2022).

[14] Government of Japan (n.d.), About Digital Agency, Digital Agency, https://www.digital.go.jp/en/about-en/#mvv.

[13] Government of Japan (n.d.), About the Cabinet Office, Cabinet Office, https://www.cao.go.jp/en/about.html.

[40] Government of Korea (2022), 개인정보보호위원회 [Personal Information Protection Commission], https://www.pipc.go.kr/eng/index.do (accessed on 22 September 2022).

[102] Government of Luxembourg (2019), National Interoperability Framework, http://digital.gouvernement.lu/en/dossiers/2019/NIF-2019.html (accessed on 28 September 2022).

[93] Government of Mexico (2018), Red México Abierto, https://www.gob.mx/epn/articulos/red-mexico-abierto?idiom=es (accessed on 26 September 2022).

[11] Government of New Zealand (n.d.), Government Chief Data Steward (GCDS), https://www.data.govt.nz/leadership/gcds/.

[108] Government of Spain (n.d.), La Plataforma de Intermediación de Datos, https://administracionelectronica.gob.es/pae_Home/pae_Estrategias/Racionaliza_y_Comparte/elementos_comunes/Intermediacion_de_datos.html.

[116] Government of the Netherlands (2023), DMI-ecosysteem voor mobiliteitsvernieuwing en slimme, duurzame verstedelijking, Dutch Metropolitan Innovations, https://dutchmobilityinnovations.com/spaces/1216/dmi-ecosysteem/0ver-ecosysteem (accessed on 27 April 2023).

[8] Hiramoto, K. (2022), “Smart cities in Japan”, PowerPoint presentation given to the OECD team, Tokyo.

[132] IBM (n.d.), What is a digital twin?, https://www.ibm.com/topics/what-is-a-digital-twin.

[82] ICC (n.d.), DataCity Paris, European Commission’s Intelligent Cities Challenge, https://www.intelligentcitieschallenge.eu/good-practices/datacity-paris.

[49] INAI (2022), Acceso a la Información y Protección de Datos Personales, Instituto Nacional de Transparencia, https://home.inai.org.mx/ (accessed on 23 September 2022).

[76] Infocomm Media Development Authority (2022), “Singapore grows trust in the digital environment”, https://www.imda.gov.sg/Content-and-News/Press-Releases-and-Speeches/Press-Releases/2022/Singapore-grows-trust-in-the-digital-environment (accessed on 18 January 2023).

[70] ISC2 (2022), “Cybersecurity workforce study. A critical need for cybersecurity professionals persists amidst a year of cultural and workplace evolution”, https://www.isc2.org/ (accessed on 23 February 2023).

[124] Ishii, K. and A. Yamanaka (2018), “Building a common Smart City platform utilizing FIWARE (Case study of Takamatsu City)”, NEC Technical Journal, https://www.nec.com/en/global/techrep/journal/g18/n01/180106.html (accessed on 8 August 2022).

[126] ITF (2021), “Developing innovative mobility solutions in the Brussels-Capital Region”, International Transport Forum Policy Papers, No. 97, OECD Publishing, Paris, https://doi.org/10.1787/37cc3a85-en.

[127] ITF (2021), “Developing Innovative Mobility Solutions in the Brussels-Capital Region”, International Transport Forum Policy Papers, No. 97, OECD Publishing, Paris, https://doi.org/10.1787/37cc3a85-en (accessed on 28 February 2023).

[107] ITF (2020), Leveraging Digital Technology and Data for Human-centric Smart Cities: The Case of Smart Mobility, OECD, Paris, https://www.itf-oecd.org/sites/default/files/docs/data-human-centric-cities-mobility-g20.pdf (accessed on 29 July 2020).

[119] Japanese Cabinet Office (2019), “Toward a New Era of “Hope-Driven Economy“: The Prime Minister’s keynote speech at the World Economic Forum Annual Meeting”, https://japan.kantei.go.jp/98_abe/statement/201901/_00003.html (accessed on 2 August 2022).

[2] Johnson, J. et al. (2022), “Data governance frameworks for Smart Cities: Key considerations for data management and use”, Journal of Law and Mobility, Vol. 2022/1, https://repository.law.umich.edu/jlm/vol2022/iss1/1 (accessed on 7 October 2022).

[131] JR East (2021), JR East Group Integrated Report 2021, JR East, Tokyo, https://www.jreast.co.jp/e/environment/pdf_2021/all.pdf (accessed on 9 August 2022).

[35] Kitchin, R. (2016), Getting Smarter about Smart Cities: Improving Data Privacy and Data Security, Department of the Taoiseach, Dublin, https://www.researchgate.net/publication/293755608_Getting_smarter_about_smart_cities_Improving_data_privacy_and_data_security (accessed on 3 February 2023).

[19] LOTI (n.d.), LOTI Outcomes-based Methodology for Data Projects, London Office of Technology and Information, https://loti.london/resources/data-methodology/.

[88] Lundquist, A., E. Rannestig and U. Sandgren (2010), “The Swedish National Geodata Strategy and its implementation”, https://www.fig.net/resources/proceedings/fig_proceedings/fig2010/papers/ts04b/ts04b_lundquist_rannestig_et_al_3796.pdf (accessed on 26 September 2022).

[57] Ma, C. (2021), “Smart city and cyber-security: Technologies used, leading challenges and future recommendations”, Energy Reports, Vol. 7, pp. 7999-8012, https://doi.org/10.1016/J.EGYR.2021.08.124.

[80] Mairie de Paris (2020), Paris Smart and Sustainable. Looking Ahead to 2020 and Beyond, https://cdn.paris.fr/paris/2020/02/26/f7dc822a66de6000cd910a145c7fca39.ai (accessed on 19 October 2022).

[81] Mairie de Paris (2019), “DataCity 2019 : les startups qui font la ville de demain”, https://www.paris.fr/pages/datacity-2019-decouvrez-les-startups-qui-font-la-ville-de-demain-6511#les-10-startups-selectionnees.

[59] Marahatta, A. et al. (2021), “Priority-based low voltage DC microgrid system for rural electrification”, Energy Reports, Vol. 7, pp. 43-51, https://doi.org/10.1016/J.EGYR.2020.11.030.

[6] Marks, A. (2022), “Learning from city-level chief data officers”, Thematic Research Networks on Data and Statistics, https://www.sdsntrends.org/blog/2022/learning-from-city-level-chief-data-officers-insights-for-national-statistics-offices-on-advancing-data-stewardship (accessed on 19 January 2023).

[64] Matsubara, M. and D. Mochinaga (2021), “Japan’s cybersecurity strategy - From the Olympics to the Indo-Pacific”, Asie Visions 119, https://www.ifri.org/sites/default/files/atoms/files/matsubara_mochinaga_japan_cybersecurity_strategy_2021.pdf (accessed on 16 August 2022).

[50] Mayor of London (2023), Data for London Advisory Board, https://www.london.gov.uk/programmes-strategies/business-and-economy/supporting-londons-sectors/supporting-tech-and-digital-sectors/data-london-advisory-board?ac-157819=157818 (accessed on 7 February 2023).

[15] MLIT (n.d.), Homepage, Ministry of Land, Infrastructure, Transport and Tourism, Government of Japan, https://www.mlit.go.jp/en/ (accessed on 27 September 2022).

[118] Modaressi, A. (2020), “Connecting Los Angeles: LANES drives interoperability across LA County”, https://lanesla.org/connecting-los-angeles-lanes-drives-interoperability-across-la-county/ (accessed on 30 September 2022).

[129] Muroi, S. (2021), “Initiatives and vision for Smart City Aizuwakamatsu”, Information provided to the OECD by the government of Aizuwakamatsu City, Aizuwakamatsu.

[113] Nantes Métropole (2022), Charte des usages de la plateforme Open Data mutualisée, Nantes Métropole, Loire Atlantique Department and Pays de la Loire Region, https://fr.ftp.opendatasoft.com/nantesmetropole/CharteUsagesPortailODS-v1-3.pdf (accessed on 3 October 2022).

[74] National Security Office (2019), National Cybersecurity Strategy, National Security Office, Seoul, https://www.itu.int/en/ITU-D/Cybersecurity/Documents/National_Strategies_Repository/National%20Cybersecurity%20Strategy_South%20Korea.pdf (accessed on 26 September 2022).

[121] NIIS (2022), Homepage, Nordic Institute for Interoperability Solutions, https://www.niis.org/ (accessed on 29 September 2022).

[18] NSW Government (2021), NSW Government Data Strategy, New South Wales, Sydney, https://data.nsw.gov.au/sites/default/files/inline-files/NSW%20Government%20Data%20Strategy_0.pdf (accessed on 27 July 2022).

[72] NYC Government (2021), IoT Strategy - The New York City Internet of Things Strategy, Mayor’s Office of the Chief Technology Officer, New York, https://www1.nyc.gov/assets/cto/downloads/iot-strategy/nyc_iot_strategy.pdf (accessed on 16 August 2022).

[79] NYC Government (2021), The New York City Internet of Things: Progress Report, Office of the Chief Technology Officer, New York, https://on.nyc.gov/iot-progress-report (accessed on 7 October 2022).

[71] OAS (2022), Cybersecurity Workforce Development in an Era of Talen and Skills Shortages, Cybersecurity Program of the Inter-American Committee against Terrorism, Organization of American States, https://www.oas.org/en/sms/cicte/docs/Report_Cyber_WorkForce_Development_in_an_Era_of_Talent_and_Skills_Shortages.pdf (accessed on 23 February 2023).

[31] OECD (2022), Building Trust to Reinforce Democracy: Main Findings from the 2021 OECD Survey on Drivers of Trust in Public Institutions, Building Trust in Public Institutions, OECD Publishing, Paris, https://doi.org/10.1787/b407f99c-en.

[1] OECD (2022), Going Digital to Advance Data Governance for Growth and Well-being, OECD Publishing, Paris, https://doi.org/10.1787/e3d783b0-en.

[97] OECD (2021), “Data portability, interoperability and digital platform competition”, OECD Competition Committee Discussion Paper, OECD, Paris, http://oe.cd/dpic (accessed on 4 August 2022).

[26] OECD (2021), Government at a Glance 2021, OECD Publishing, Paris, https://doi.org/10.1787/1c258f55-en.

[87] OECD (2020), OECD Open, Useful and Re-usable Data (OURdata) Index: 2019, OECD, Paris, https://www.oecd.org/governance/digital-government/ourdata-index-policy-paper-2020.pdf (accessed on 23 June 2022).

[89] OECD (2019), Government at a Glance 2019, OECD Publishing, Paris, https://doi.org/10.1787/8ccf5c38-en.

[92] OECD (2019), OECD OURdata Index: 2019, OECD, Paris, http://www.oecd.org/gov/digital-government/ourdata-index-japan.pdf.

[3] OECD (2019), The Path to Becoming a Data-Driven Public Sector, OECD Digital Government Studies, OECD Publishing, Paris, https://doi.org/10.1787/059814a7-en.

[25] OECD (2017), Government at a Glance 2017, OECD Publishing, Paris, https://doi.org/10.1787/gov_glance-2017-en.

[42] OECD (2013), The OECD Privacy Framework, OECD, Paris, https://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf (accessed on 7 February 2023).

[41] One Trust Data Guidance (2022), Portugal - Data Protection Overview, https://www.dataguidance.com/notes/portugal-data-protection-overview-0 (accessed on 22 September 2022).

[61] Parasol, M. (2018), “The impact of China’s 2016 Cyber Security Law on foreign technology firms, and on China’s big data and Smart City dreams”, Computer Law & Security Review, Vol. 34/1, pp. 67-98, https://doi.org/10.1016/J.CLSR.2017.05.022.

[68] RFI (2022), “Paralysed French hospital fights cyber attack as hackers lower ransom”, https://www.rfi.fr/en/france/20220902-paralysed-french-hospital-fights-cyber-attack-as-hackers-lower-ransom-demand.

[83] Satori (2022), What are Data Standards and Why Do You Need Them?, https://satoricyber.com/data-management/what-are-data-standards-and-why-do-you-need-them/ (accessed on 2 August 2022).

[94] SCPM (n.d.), Whitepaper, Seoul Smart City Platform, http://scpm.seoul.go.kr/resources/whitepaper_EN.pdf.

[96] Seoul Metropolitan Government (2020), “Seoul’s “Smart City Platform for Mayor” to lead global communication in the age of “untact””, https://english.seoul.go.kr/seouls-smart-city-platform-for-mayor-to-lead-global-communication-in-the-age-of-untact/.

[115] Seoul Metropolitan Government (n.d.), Seoul Smart City Platform, https://news.seoul.go.kr/gov/archives/529453.

[85] Statistics Canada (2019), Guidelines for Ensuring Data Quality, Statistics Canada Quality Guidelines, https://www150.statcan.gc.ca/n1/pub/12-539-x/2019001/ensuring-assurer-eng.htm (accessed on 2 August 2022).

[109] Toyama City (2022), “Smart city promotion business”, Presentation given to the OECD on 17 June 2022, Toyama.

[75] UK Government (2022), National Cyber Strategy 2022 - Pioneering a Cyber Future with the Whole of the UK, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1053023/national-cyber-strategy-amend.pdf (accessed on 26 September 2022).

[53] UK Government (2020), Data Ethics Framework, Government Digital Service, London, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/923108/Data_Ethics_Framework_2020.pdf (accessed on 23 September 2022).

[10] UK Government (2020), National Data Strategy, Department for Digital, Media, Culture & Sport, https://www.gov.uk/government/publications/uk-national-data-strategy/national-data-strategy#data-1-2 (accessed on 1 August 2022).

[12] United States Congress (2017), H.R.4174 - Foundations for Evidence-Based Policymaking Act of 2018, https://www.congress.gov/bill/115th-congress/house-bill/4174/text.

[77] US Government (2018), U.S. Department of Homeland Security - Cybersecurity Strategy, Department of Homeland Security, Washington, https://www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-Strategy_1.pdf (accessed on 27 September 2022).

[39] van Ooijen, C., B. Ubaldi and B. Welby (2019), “A data-driven public sector: Enabling the strategic use of data for productive, inclusive and trustworthy governance”, OECD Working Papers on Public Governance, No. 33, OECD Publishing, Paris, https://doi.org/10.1787/09ab162c-en.

[120] WEF (2020), Data Free Flow with Trust (DFFT): Paths towards Free and Trusted Data Flows, World Economic Forum, Geneva, https://www.weforum.org/whitepapers/data-free-flow-with-trust-dfft-paths-towards-free-and-trusted-data-flows/ (accessed on 13 July 2022).

[86] Wilkinson, M. et al. (2016), “The FAIR Guiding Principles for scientific data management and stewardship”, Scientific Data, Vol. 3/1, pp. 1-9, https://doi.org/10.1038/sdata.2016.18.

[67] Wired (2008), “Polish teen hacks his city’s trams, chaos ensues”, https://www.wired.com/2008/01/polish-teen-hac/.

[62] Xie, S. et al. (2020), “The optimal planning of smart multi-energy systems incorporating transportation, natural gas and active distribution networks”, Applied Energy, Vol. 269, https://doi.org/10.1016/J.APENERGY.2020.115006.

[122] X-Road (2022), X-Road® Data Exchange Layer, https://x-road.global/ (accessed on 29 September 2022).

[63] Yan, J., J. Liu and F. Tseng (2020), “An evaluation system based on the self-organizing system framework of smart cities: A case study of smart transportation systems in China”, Technological Forecasting and Social Change, Vol. 153, https://doi.org/10.1016/J.TECHFORE.2018.07.009.