Oakland Domain Awareness Center Privacy Policy

DRAFTDRAFTDRAFTDRAFTDRAFTDRAFTDRAFTDRAFTDRAFT

BLACK=ApprovedSections
RED=textsuggestedbydacmembersNOTyetdiscussedintheDACCommittee
BLUE=NotapprovedsuggestedwordingasaresultofdiscussionintheDACCommittee

Table of Contents
TableofContents
AllsubsequentrevisionsofthisPrivacyPolicymustaddresstheseissues:
CoreValues/UnbreakablePrinciples.
PurposeoftheDAC
HighLevelStrategies
DataandinformationdefinitionandClassification
DataRetention
Changestotheprivacypolicy

1. All subsequent revisions of this Privacy Policy must address

these issues:
a. InformationsharingAgreements
b. PenaltiesforAbuse
c. Auditing
d. DataRetention
e. Analytics(CurrentlynotpartoftheDACwecouldpreemptfuturepolicyworkonthisby
havinganopinion.)
i. NeedgooddefinitionofAnalytics(PortconsidersMotionDetectionAnalyticswhich
iscriticalforthePorttobeincluded,DACcriticsconsiderFacialRecognitionand
Gaitrecognitionasanalyticswhichisimportanttothemnotbeincluded)
f. ProtectionofWhistleblowers
g. PurposedefinitionoftheDAC
h. DataMinimization
i. DataSafeguards(Preventionofabuse)
j. PublicAccess
k. Metrics(istheDAClivinguptoitsgoals,isitworththeongoingcost)
l. Security(PrimarilyDatasecurity)
m. Disputeresolution
n. ProjectInnocence(cantheDAChelpproveinnocenceandatwhatcost)
2. Core Values/Unbreakable Principles.
NostrategieseitherhighleveloroperationalcanviolatethefollowingUnbreakable
PrinciplesifanypartofthispolicyislaterfoundtoviolateanyoftheseUnbreakable
principlesthentheviolatingpartisvoidandnull.RestofDACPrivacypolicyremainsin
effect.
a. Constitutionality(bothFederalandCaliforniaconstitution)
i. 1stamendment
ii. 4thamendment
b. Efficiency
c. Safety
i. EconomicRealities(Needmoredetails)
d. Transparency
e. AmendabilityCitizensabilitytoamendinformationabouther/himself
f. PresumptionofInnocence
g. Privacy
h. CivilLiberties
i. BalancebetweentheCoreValues

3. Purpose of the DAC

NarrativeofPurposeoftheDACgoesheretobedraftedbyJonWactorJesper
Jurcenoks
a. AllPort,OPD,FD
i. RealtimeDisasterResponse
1. Earthquake
2. Fire
b. Port
i. Realtimeexamplesbutnotlimitedto:
1. Tsunamiresponse
2. ShipBridgecollisionpreventionandresponse
3. Hazardousmaterialresponse(HazMat)
4. Perimeterenforcement/PhysicalIntrusionprevention
ii. AftertheFact
1. PorthasNOneedforafterthefactaccesstoDACdataSuchdatacan
beaccessedfromothersources
c. OaklandPoliceDepartment(OPD)
i. Realtimeexamplesbutnotlimitedto:
1. CoordinationofinitialresponsetoCrime
2. OPDwouldliketousetheDACforresponsetoallkindsallthewaydown
tomisdemeanor
3. OPDwouldlikedatatoberetainedfor1shift(8hours)forthispurpose
ii. AftertheFact
1. PorthasNOneedforafterthefactaccesstoDACdataSuchdatacan
beaccessedfromothersources
d. OaklandFireDepartment(OFD)
i. Realtimeexamplesbutnotlimitedto:
1. CoordinationofrealtimeresponsetoOFDtaksincluding
a. Fire
b. Injury
c. Hazmat(likeRailcarincidents)
ii. AftertheFact
1. PorthasNOneedforafterthefactaccesstoDACdataSuchdatacan
beaccessedfromothersources

4. High-Level Strategies
a. Metrics
i. Doweachievewhatweintended?
ii. Atwhatcost?
b. DataMinimization
i. Onlycollectwhatisneeded
ii. ShortestpossibleDataretention
c. PreventionofAbuse
i. Datasafeguards
ii. PenaltiesforAbuse
iii. DataSecurity
iv. AbuseviaPublicaccesslaws
v. ChecksandBalances
d. Transparency
i. Auditability
ii. ProtectionofWhistleblowers
iii. PublicAccess
iv. DisputeResolution
v. Amendability
vi. Accessibilityofpolicyandworkingguidelines
vii. Understandability
e. Datasharingagreements
i. PurposeofDatasharingmustbenarrowlydefined
ii. DownstreamcannotshareourDACdataAllsharingofOaklandDAC
datamustbeapprovedaccordingtotheprivacypolicy
iii. Penaltiesfordownstreamsharing
iv. ClassificationofDatasharingagreementtypes(incidenttypesharing,
masssharing,etc.)
v. AllDatasharingagreementsmustbePublicbydefault
vi. AllDatasharingagreementsmustbereviewedbyPrivacyOfficer
function,whomustgivearecommendation(Accept/Reject)before
presentedtoCityCouncil
vii. AllDatasharingagreementsmustbeapprovedbycitycouncil.
viii. Confidentialagreementsareonlyallowedwhenmeetingcertainspecific
narrowcriteria
ix. PrivacyOfficerfunctiontoevaluateifcriteriaismetbeforeaconfidential
datasharingcanbeevaluated.
f. SuitablyaddtheElectronicFrontierFoundationssixevaluationcriteriaasgoals
fortheDACPolicy.
i. RequireaWarrant
ii. TellusersaboutGovernmentdatarequests
iii. Publishtransparencyreport
iv. PublishLawenforcementguidelines
v. FightforUsersprivacyrightsincourts
vi. FightforusersprivacyrightsinCongress

5. Data and information definition and Classification
a. Data:Dataisraw,unorganizedfactsthatneedtobeprocessed.Datacanbe
somethingsimpleandseeminglyrandomanduselessuntilitisorganized.
b. Information:Whendataisprocessed,organized,structuredorpresentedina
givencontextsoastomakeituseful,itiscalledInformation.
c. PersonallyIdentifiableInformation(calledPII)isisanydataorinformationthat
aloneortogetherwithotherinformationcanbetiedtoanindividualwith
reasonablecertainty.ThisincludePhotographsoffaces,movements,
distinguishingmarks,licenseplates,cellphonemetadata,internetconnection
metadataandsimilar.
d. PresumptionofInnocenceinpublicspace.Individualsrecordedinthepublic
spacearepresumedtobeinnocentuntilprobablecauseisestablishedonan
individualbasis.
e. Insomecaseslocalcircumstanceschangestheautomaticpresumptionof
innocence,e.g.thepresenceofunauthorizedpersonsinsiderestrictedareas,
canleaddirectlytoprobablycause.
f. ThefollowingDACDatasourcedataarecategorizedascontainingPII
i. PortSecurityCameras
ii. IntrusionDetectionSystem(IDS)System
iii. PortVesselTracking
iv. PortTruckManagement
v. PoliceandFireCAD
vi. WebEOCNotifications
vii. FireAutomaticVehicleLocation(Phase2)
g. ThefollowingsystemsarecategorizedasnotcontainingPII
i. NOAAWeatherAlerts
ii. TsunamiAlerts
h. ThefollowingsystemsandtheuseintheDACneedadeeperscrutinybeforePII
Classificationcanbedetermined
i. CityGIS
ii. PortGIS
iii. Shotspotter

6. Data Retention
a. Datawillberetainedusingtheprincipleofdataminimization,a)ifwedonthavea
criticalneedforthedatarightnow,dontkeepitb)oncewearedonewiththedata
purgeit.
b. DataandinformationcontainingPIIthattriggersanactionfromtheDAC:e.g.
markedforlaterinvestigations,sendingoutapatrolcar,contactinganother
authority,requestingafiredepartmentresponseetc.mustbelogged.Eachlog
entrymustcontainadetailedjustificationfortheaction,e.g.forsuspicious
behaviorthejustificationmustdescribewhythebehaviorwasconsidered
suspicious.Whenanincidentrequiresinvestigativefollowupthedatamustbe
exportedattheendoftheshiftandhandedovertoinvestigations.
c. AllotherPIIdataandinformationisconsideredtocontaininformationofinnocent
peopleandmustbepurgedwithin24hours.

7. Changes to the privacy policy

ThisDACprivacypolicymuststaycurrentandrelevant.
a. Scheduleandwhocanchange
i. Thispolicycanbechangedfromtimetotimeasneeded
ii. ChangesmustbeproposedbyanAdHocadvisorycommitteeandratified
bytheCitycouncil
iii. TheAdHoccommitteemustbespecificallyassembledtoreviewtheDAC
Privacypolicy
iv. TheAdHoccommitteeisappointedbytheCitycouncilwitheachcouncil
memberbeingabletoappointupto2membersonthecommittee.
v. ThePrivacypolicymustbereviewedatleastevery5yearsbyan
appointedAdHocadvisoryCommittee
b. ChangestoCoreValues/UnbreakableprinciplesrequiresupermajorityoftheDAC
committee
c. ChangestothissectionChangestothePrivacyPolicyrequiresupermajorityof
theDACcommittee
d. AllotherchangesrequiresimplemajorityoftheDACcommittee
NewVersionreferencingPrivacyOfficerFunction
a. Scheduleandwhocanchange
i. Thispolicycanbechangedfromtimetotimeasneeded
ii. ChangesmustbeproposedbythePrivacyOfficerfunctionandratifiedby
theCitycouncil
iii. TheAdHoccommitteemustbespecificallyassembledtoreviewtheDAC
Privacypolicy
iv. TheAdHoccommitteeisappointedbytheCitycouncilwitheachcouncil
memberbeingabletoappointupto2membersonthecommittee.
v. ThePrivacypolicymustbereviewedatleastevery5yearsbyan
appointedPrivacyOfficerfunction
b. ChangestoCoreValues/Unbreakableprinciplesrequiresupermajorityofthe
PrivacyOfficerfunction
c. ChangestothissectionChangestothePrivacyPolicyrequiresupermajorityof
thePrivacyOfficerfunction
d. AllotherchangesrequiresimplemajorityofthePrivacyOfficerfunction