DRAFT
BLACK = Approved Sections
RED = text suggested by DAC members NOT yet discussed in the DAC Committee
BLUE = Not approved suggested wording as a result of discussion in the DAC Committee
Table of Contents
All subsequent revisions of this Privacy Policy must address these issues:
Core Values / Unbreakable Principles.
Purpose of the DAC
High Level Strategies
Data and information definition and Classification
Data Retention
Changes to the privacy policy
4. High-Level Strategies
a. Metrics
i. Do we achieve what we intended?
ii. At what cost?
b. Data Minimization
i. Only collect what is needed
ii. Shortest possible Data retention
c. Prevention of Abuse
i. Data safeguards
ii. Penalties for Abuse
iii. Data Security
iv. Abuse via Public access laws
v. Checks and Balances
d. Transparency
i. Auditability
ii. Protection of Whistleblowers
iii. Public Access
iv. Dispute Resolution
v. Amendability
vi. Accessibility of policy and working guidelines
vii. Understandability
e. Data sharing agreements
i. Purpose of Data sharing must be narrowly defined
ii. Downstream cannot share our DAC data. All sharing of Oakland DAC
data must be approved according to the privacy policy
iii. Penalties for downstream sharing
iv. Classification of Data sharing agreement types (incident type sharing,
mass sharing, etc.)
v. All Data sharing agreements must be Public by default
vi. All Data sharing agreements must be reviewed by Privacy Officer
function, who must give a recommendation (Accept/Reject) before they are
presented to City Council
vii. All Data sharing agreements must be approved by City Council.
viii. Confidential agreements are only allowed when meeting certain specific
narrow criteria
ix. Privacy Officer function to evaluate if criteria are met before a confidential
data sharing can be evaluated.
f. Suitably add the Electronic Frontier Foundation's six evaluation criteria as goals
for the DAC Policy.
i. Require a Warrant
ii. Tell users about Government data requests
iii. Publish transparency report
iv. Publish Law enforcement guidelines
v. Fight for users' privacy rights in courts
vi. Fight for users' privacy rights in Congress
5. Data and information definition and Classification
a. Data: Data is raw, unorganized facts that need to be processed. Data can be
something simple and seemingly random and useless until it is organized.
b. Information: When data is processed, organized, structured or presented in a
given context so as to make it useful, it is called Information.
c. Personally Identifiable Information (called PII) is any data or information that
alone or together with other information can be tied to an individual with
reasonable certainty. This includes photographs of faces, movements,
distinguishing marks, license plates, cell phone metadata, internet connection
metadata and similar.
d. Presumption of Innocence in public space. Individuals recorded in the public
space are presumed to be innocent until probable cause is established on an
individual basis.
e. In some cases local circumstances change the automatic presumption of
innocence, e.g. the presence of unauthorized persons inside restricted areas
can lead directly to probable cause.
f. The following DAC Data source data are categorized as containing PII
i. Port Security Cameras
ii. Intrusion Detection System (IDS) System
iii. Port Vessel Tracking
iv. Port Truck Management
v. Police and Fire CAD
vi. WebEOC Notifications
vii. Fire Automatic Vehicle Location (Phase 2)
g. The following systems are categorized as not containing PII
i. NOAA Weather Alerts
ii. Tsunami Alerts
h. The following systems and the use in the DAC need a deeper scrutiny before PII
Classification can be determined
i. City GIS
ii. Port GIS
iii. Shotspotter
6. Data Retention
a. Data will be retained using the principle of data minimization: a) if we don't have a
critical need for the data right now, don't keep it; b) once we are done with the data,
purge it.
b. Data and information containing PII that triggers an action from the DAC, e.g.
marked for later investigations, sending out a patrol car, contacting another
authority, requesting a fire department response etc., must be logged. Each log
entry must contain a detailed justification for the action, e.g. for suspicious
behavior the justification must describe why the behavior was considered
suspicious. When an incident requires investigative follow-up, the data must be
exported at the end of the shift and handed over to investigations.
c. All other PII data and information is considered to contain information of innocent
people and must be purged within 24 hours.