7/7/2014

DAC Notes and Principles

DRAFT

BLACK = Approved sections
RED = Text suggested by DAC members, NOT yet discussed in the DAC Committee
BLUE = Not approved, suggested wording as a result of discussion in the DAC Committee
Table of Contents
All subsequent revisions of this Privacy Policy must address these issues:
Core values and unbreakable principles.
Purpose of the DAC
High-level strategies
Definition of Privacy
Data and information definition and classification
Data retention
Changes to the privacy policy

1. All subsequent revisions of this Privacy Policy must address these issues:
a. Information Sharing Agreements
b. Penalties for Abuse
c. Auditing
d. Data Retention
e. Analytics (Currently not part of the DAC; we could preempt future policy work on this by having an opinion.)
    i. Need good definition of Analytics (Port considers Motion Detection Analytics, which is critical for the Port to be included; DAC critics consider Facial Recognition and Gait recognition as analytics, which is important to them not be included)
f. Protection of Whistleblowers
g. Purpose definition of the DAC
h. Data Minimization
i. Data Safeguards (Prevention of abuse)
j. Public Access
k. Metrics (is the DAC living up to its goals, is it worth the ongoing cost)
l. Security (Primarily Data security)
m. Dispute resolution
n. Project Innocence (can the DAC help prove innocence and at what cost)
o. Procedure for revising this policy

2. Core values and unbreakable principles.
No strategies, either high-level or operational, can violate the following Unbreakable Principles. If any part of this policy is later found to violate any of these Unbreakable Principles, then the violating part is void and null. The rest of the DAC Privacy policy remains in effect.
a. Constitutionality (both Federal and California constitution)
    i. 1st amendment
    ii. 4th amendment
b. Efficiency
c. Safety
    i. Economic Realities (Need more details)
d. Transparency
e. Amendability: Citizen's ability to amend information about her/himself
f. Presumption of Innocence
g. Privacy
h. Civil Liberties
i. Balance between the Core Values

3. Purpose of the DAC

Jon Wactor's draft:
The Port of Oakland Domain Awareness Center (DAC) has been established by the City of Oakland City Council, to coordinate and control the collection, dissemination and retention of all information gathered at the Port by various public law enforcement agencies with jurisdiction over the Port of Oakland to better protect and serve the public. The DAC shall operate in compliance with this policy document (Policy).

Phil Wolff's Draft
One draft... The DAC is the vigilant part of the EOC that stays alert between emergencies and triggers EOC activations. It collects and monitors live streams of video, audio, and/or data, watching for candidate incidents, and then refers them to the EOC staff for the EOC activation decision. While the rest of the EOC activates, the DAC shares relevant information to incident participants until the EOC infrastructure takes over.

a. All: Port, OPD, FD
    i. Real-time Disaster Response
        1. Earthquake
        2. Fire
b. Port
    i. Real-time examples but not limited to:
        1. Tsunami response
        2. Ship-Bridge collision prevention and response
        3. Hazardous material response (HazMat)
        4. Perimeter enforcement / Physical Intrusion prevention
    ii. After the Fact
        1. Port has NO need for after-the-fact access to DAC data. Such data can be accessed from other sources
c. Oakland Police Department (OPD)
    i. Real-time examples but not limited to:
        1. Coordination of initial response to Crime
        2. OPD would like to use the DAC for response to all kinds all the way down to misdemeanor
        3. OPD would like data to be retained for 1 shift (8 hours) for this purpose
    ii. After the Fact
        1. Port has NO need for after-the-fact access to DAC data. Such data can be accessed from other sources
d. Oakland Fire Department (OFD)
    i. Real-time examples but not limited to:
        1. Coordination of real-time response to OFD tasks including
            a. Fire
            b. Injury
            c. Hazmat (like Railcar incidents)
    ii. After the Fact
        1. Port has NO need for after-the-fact access to DAC data. Such data can be accessed from other sources

4. High-level strategies
a. Metrics
    i. Do we achieve what we intended?
    ii. At what cost?
b. Data Minimization
    i. Only collect what is needed
    ii. Shortest possible Data retention
c. Prevention of Abuse
    i. Data safeguards
    ii. Penalties for Abuse
    iii. Data Security
    iv. Abuse via Public access laws
    v. Checks and Balances
d. Transparency
    i. Auditability
    ii. Protection of Whistleblowers
    iii. Public Access
    iv. Dispute Resolution
    v. Amendability
    vi. Accessibility of policy and working guidelines
    vii. Understandability
e. Data sharing agreements
    i. Purpose of Data sharing must be narrowly defined
    ii. Downstream cannot share our DAC data. All sharing of Oakland DAC data must be approved according to the privacy policy
    iii. Penalties for downstream sharing
    iv. Classification of Data sharing agreement types (incident type sharing, mass sharing, etc.)
    v. All Data sharing agreements must be Public by default
    vi. All Data sharing agreements must be reviewed by Privacy Officer function, who must give a recommendation (Accept/Reject) before presented to City Council
    vii. All Data sharing agreements must be approved by city council.
    viii. Confidential agreements are only allowed when meeting certain specific narrow criteria
    ix. Privacy Officer function to evaluate if criteria is met before a confidential data sharing can be evaluated.
f. Suitably add the Electronic Frontier Foundation's six evaluation criteria as goals for the DAC Policy.
    i. Require a Warrant
    ii. Tell users about Government data requests
    iii. Publish transparency report
    iv. Publish Law enforcement guidelines
    v. Fight for Users' privacy rights in courts
    vi. Fight for users' privacy rights in Congress

5. Definition of Privacy
[Robert Grey to research (done) and draft definition]

JJ's draft definition:
Privacy is a requirement of democracy. Privacy combines 3 things:
Secrecy: our ability to keep our opinions known only to those we intend to receive them; without secrecy, people may not discuss affairs with whom they choose, excluding those with whom they do not wish to converse.
Anonymity: Secrecy about who is sending and receiving an opinion or message, where the message might not be secret at all. Anonymity is the only protection against retaliation for opinions or whistleblowing.
Autonomy: Ability to make our own life decision free from any force that has violated our secrecy or anonymity.

6. Data and information definition and classification
a. Data: Data is raw, unorganized facts that need to be processed. Data can be something simple and seemingly random and useless until it is organized.
b. Information: When data is processed, organized, structured or presented in a given context so as to make it useful, it is called Information.
c. Personally Identifiable Information (called PII) is any data or information that alone or together with other information can be tied to an individual with reasonable certainty. This includes photographs of faces, movements, distinguishing marks, license plates, cell phone metadata, internet connection metadata and similar.
d. Presumption of Innocence in public space. Individuals recorded in the public space are presumed to be innocent until probable cause is established on an individual basis.
e. In some cases local circumstances change the automatic presumption of innocence, e.g. the presence of unauthorized persons inside restricted areas can lead directly to probable cause.
f. The following DAC Data source data are categorized as containing PII
    i. Port Security Cameras
    ii. Intrusion Detection System (IDS)
    iii. Port Vessel Tracking
    iv. Port Truck Management
    v. Police and Fire CAD
    vi. WebEOC Notifications
    vii. Fire Automatic Vehicle Location (Phase 2)
g. The following systems are categorized as not containing PII
    i. NOAA Weather Alerts
    ii. Tsunami Alerts
    iii. USGS Earthquake Alerts
h. The following systems and the use in the DAC need a deeper scrutiny before PII Classification can be determined
    i. City GIS
    ii. Port GIS
    iii. ShotSpotter

7. Data Minimization

[Draft contributed by Matt Cagle and Linda Lye]
The specific, targeted purposes of the DAC will dictate the limits on how the DAC and its associated data may be used. A list of approved and prohibited uses of the DAC must be memorialized in the policy. These use guidelines shall take account of civil liberties
such as privacy and free speech as well as other rights under state and federal law. The policy will also set forth specific prohibited uses, including use of the DAC to target on the basis of race, religious practice, or political views. Clear use policies will not only protect individual rights and liberties, they will also ensure the DAC is used in a targeted manner that directly advances city goals while preventing misuse that could invite liability.
Collection: Once approved uses are articulated, the policy can set forth limits on the information to be collected, in a manner that is tailored to approved uses. Conversely, no data is to be collected unless it directly advances an approved use.
Retention: The policy shall expressly include a retention policy for data associated with the DAC. Data shall not be retained for any longer than necessary to directly advance the specific purposes of the DAC. Because the DAC's primary purpose is to monitor real-time situations at the Port, as a general matter, there will often be no need for the retention of data. It shall be necessary for specific conditions to be satisfied before any DAC data is retained beyond the typical period.

8. Data retention
a. Data will be retained using the principle of data minimization: a) if we don't have a critical need for the data right now, don't keep it; b) as soon as we are done with the data, purge it.
b. Data and information containing PII that triggers an action from the DAC (e.g. marked for later investigations, sending out a patrol car, contacting another authority, requesting a fire department response etc.) must be logged. Each log entry must contain a detailed justification for the action, e.g. for suspicious behavior the justification must describe why the behavior was considered suspicious. When an incident requires investigative follow-up, the data must be exported at the end of the shift and handed over to investigations.
c. All other PII data and information is considered to contain information of innocent people and must be purged within 24 hours.
d. City will not retain data from 3rd parties.
e. If private information operators (like camera operators) want to feed a copy of their information into the DAC, the data originator sets and maintains proper data retention
    i. If the data originator wants the city to store the data during the data retention period, such storage must happen outside of the DAC system and under a separate privacy policy.

9. Prevention of Abuse
1. Data safeguards
[Aestetix to draft]

2. Penalties for Abuse
[Contributed by Matt Cagle and Linda Lye]
Audits: Strong internal auditing procedures are necessary because surveillance technology invites abuse by persons with access to its tools and data. Internal auditing includes but is not limited to the monitoring of the DAC systems and operators for compliance with the privacy and retention policy. A person or entity (i.e., the privacy officer) independent of the DAC shall oversee and conduct internal auditing. The results of any internal audits, including instances of misuse, shall be periodically submitted to the Council and made publicly available. Ongoing checks will help prevent database abuses. The Council should periodically use this information to publicly reassess whether the DAC's benefits outweigh its fiscal and civil liberties costs.
Consequences: Violations of the privacy and retention policy shall result in consequences. Consequences may include suspension, retraining, and fines. The policy shall also provide for a way for persons harmed resulting from misuse of the DAC or data to seek recourse and be made whole. To accomplish this, the policy should define violations of the privacy and retention policy as an injury to persons affected by such violations.

3. Data Security
[Aestetix to draft]

4. Abuse via Public access laws
[Aestetix to draft]

5. Checks and Balances
[Aestetix to draft]

10. Transparency
[Brian Hofer to draft clarification]
a. Auditability
b. Protection of Whistleblowers
c. Public Access
d. Dispute Resolution [Phil to draft clarification]
e. Amendability [Phil to draft clarification]
f. Accessibility of policy and working guidelines
g. Understandability

11. Metrics
[Nadia to Draft]

12. Changes to the privacy policy
This DAC privacy policy must stay current and relevant.
a. Schedule and who can change
    i. This policy can be changed from time to time as needed
    ii. Changes must be proposed by an Ad Hoc advisory committee and ratified by the City council
    iii. The Ad Hoc committee must be specifically assembled to review the DAC Privacy policy
    iv. The Ad Hoc committee is appointed by the City council with each council member being able to appoint up to 2 members on the committee.
    v. The Privacy policy must be reviewed at least every 5 years by an appointed Ad Hoc advisory Committee
b. Changes to Core Values/Unbreakable principles require supermajority of the DAC committee
c. Changes to this section "Changes to the Privacy Policy" require supermajority of the DAC committee
d. All other changes require simple majority of the DAC committee

New Version referencing Privacy Officer Function
a. Schedule and who can change
    i. This policy can be changed from time to time as needed
    ii. Changes must be proposed by the Privacy Officer function and ratified by the City council
    iii. The Ad Hoc committee must be specifically assembled to review the DAC Privacy policy
    iv. The Ad Hoc committee is appointed by the City council with each council member being able to appoint up to 2 members on the committee.
    v. The Privacy policy must be reviewed at least every 5 years by an appointed Privacy Officer function
b. Changes to Core Values/Unbreakable principles require supermajority of the Privacy Officer function
c. Changes to this section "Changes to the Privacy Policy" require supermajority of the Privacy Officer function
d. All other changes require simple majority of the Privacy Officer function
