The URL can be used to link to this page

Home My WebLink About2022-07-18 Tech Privacy Task Force Post Agenda Packet City of Chula Vista Technology and Privacy Advisory Task Force **POST-MEETING AGENDA** Date:Monday, July 18, 2022 Time:6:00 p.m. Location:Council Chambers, 276 Fourth Avenue, Chula Vista, CA Meeting Agenda Pages 1.CALL TO ORDER 2.ROLL CALL 3.PUBLIC COMMENTS Any individual may address the task force on any matter within the subject area of the task force. Speakers will have a maximum of three minutes to provide their comments. A maximum of 20 minutes will be provided for public comment at this time. Speakers will be called in the order in which their requests to speak are received. If, after 20 minutes, there are still individuals in the queue to speak, they will be provided an opportunity to speak after the business items have concluded. 4.PRESENTATIONS 4.1.Check-in with the City Manager Maria Kachadoorian will provide remarks and answer questions from the Task Force. 4.2.City Department Briefings 3 The following departments will provide briefings on technologies and privacy protections within their service areas: •Human Resources (Courtney Chase) •Finance (Adrian Del Rio and Victor de la Cruz) •Development Services (Tiffany Allen) •Housing Division (Stacey Kurz) 4.3.Review Plans for Community Meetings Madaffer Enterprises will provide an update on plans for the community meetings on July 27 and July 28. 5.BUSINESS ITEMS 5.1.Receive and File Meeting Summaries 32 Task Force members will receive and file the meeting summaries from the June 8 and June 27 meetings. 6.WORK SESSION 6.1.Work Session #1 36 The Task Force will discuss potential policy recommendations. 7.ADDITIONAL PUBLIC COMMENTS 37 Any individual may address the task force on any matter within the subject area of the task force. Speakers will have a maximum of three minutes to provide their comments. 8.STAFF COMMENTS 9.TASK FORCE MEMBER COMMENTS 10.ADJOURNMENT 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 2 of 37 Technology and Privacy Advisory Task Force Meeting Finance Department July 18, 2022 Presenters: Adrian Del Rio and Victor De La Cruz 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 3 of 37 Discussion Topics 2 •Finance Department Overview •Personal Data Questions •Procurement Overview 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 4 of 37 Finance Department Overview 3 Finance Department administers the City's financial affairs, including disbursements of monies, collections of revenue, fiscal systems, financial reporting and accounting, preparation of the budget, investments and borrowing, and centralized procurement services to all City departments. Budget and Analysis –Coordinates the development and monitoring of the budget. Fiscal analysis support Comptroller –responsible for citywide accounting and financial reporting. City payroll and accounts payable Revenue and Recovery –supports payments for various fees, taxes and services. City investments Procurement –manages citywide procurement processes for goods and services 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 5 of 37 Personal Data Questions 4 Why does finance collect personal data? Comptroller Pay Vendors/Tax Reporting Refund Customers Manage grant and loan programs Revenue and Recovery Business Licenses Parking Citations Sewer Billing RV Permits General Billing/Cashiering Procurement Pay Vendors/Tax Reporting 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 6 of 37 Personal Data Questions 5 What kinds of personal data does Finance collect or have access to? Budget N/A Comptroller Names Email/Phone #s Addresses/Parcel #s Tax IDs SSN Revenue and Recovery Names Email/Phone #s Addresses Tax IDs SSN Bank Statements/Income Info DL #s / Vehicle Plates Procurement Names Email/Phone #s Addresses W9/Tax ID 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 7 of 37 Personal Data Questions 6 •Enterprise Asset System (Munis) –Established roles and security provisions •Third Party Systems –Business Licenses Software –Sewer Billing Software –Parking Citation Software •Databases and files •Password protected systems and databases/files •System and databases/files are within the secured networks •Access is always limited to users that need to view and edit information How is this information stored/managed/maintained? 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 8 of 37 Personal Data Questions 7 •Enterprise Asset System –Tyler Munis, External Auditor •Third Party Systems –Business Licenses Software –HDL, Economic Development, Fire, PD, Engineering, IT –Sewer Billing Software –Springbrook, IT –Parking Citation Software –ACE and Duncan Solutions, PD and IT •Databases and files –Parking Citation Database -PD and IT –RV Permits Database –IT Who has access to this data and do any vendors or third parties have access? 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 9 of 37 Personal Data Questions 8 •Access is always limited to users that need to view and edit information •Always password protected using system technology •Access is approved by system administrators and supervisors/managers •Staff is trained on all system use and the importance of protecting all personal information What guidelines or policies currently exist to control and protect personal data? 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 10 of 37 Procurement Overview 9 The City’s Charter, Municipal Code and Policies support all purchasing initiatives and activities in transparent manner while promoting fair and open competition. Risk Control/Liability –In a partnership with the City Attorney’s Office and Risk Management we are charged with the duty of minimizing risk and preventing litigation as a result of a purchase/contract. Audit/Compliance –Purchases must follow the City Charter, Municipal Code and Best Practices, along with all State & Federal laws and regulations. Must maintain compliance when utilizing specific funding sources (e.g., Measures A & P and Grants) Procurement and Contracting Purpose 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 11 of 37 Procurement Overview 10 Roles and Responsibilities •The Role of the Purchasing Division is to establish procedures for the purchase, lease or other acquisition of services, supplies and equipment –Guide City Department representatives through the solicitation and acquisition process •Departments are responsible for identifying need, anticipated costs and developing the scope/specification for the project or equipment Chula Vista Municipal Code Section 2.56 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 12 of 37 Procurement Overview 11 General Supplies & Services •$10,001 -$100,000 -Three Informal Quotes Required •Awarding Authority -Purchasing Agent •$100,001 -$250,000 -Formal Solicitation Required •Awarding Authority -City Manager •>$250,000 -Formal Solicitation Required •Awarding Authority -City Council Professional Services •$10,001 -$50,000 -Three Informal Quotes Required •Awarding Authority -City Manager •>$50,000 -Formal Solicitation Required •Awarding Authority -City Council Bidding Thresholds and Award Authority 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 13 of 37 Procurement Overview 12 Public Work Non-CIP (Capital Improvement Program) •≦$100,000 -Informal Bid Three Quotes Required •Awarding Authority -Purchasing Agent •$100,000 $250,000 -Informal Bid Three Quotes Required •Awarding Authority -City Manager •>$250,000 –Competitive Bid Required •Awarding Authority -City Council Public Work CIP •≦$2,000,000 -Competitive Bid Required •Awarding Authority -Purchasing Agent •>$2,000,000 -Competitive Bid Required •Awarding Authority -City Council Bidding Thresholds and Award Authority 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 14 of 37 Questions/Comments 132022-07-18 Technology & Privacy Advisory Task Force Agenda Page 15 of 37 Presented by: Stacey Kurz, Housing Manager TECHNOLOGY & PRIVACY ADVISORY TASK FORCE July 18, 2022 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 16 of 37 HUD strictly mandates how Housing staff & subrecipients collect and store data: •Required Documents -“..shall maintain client data demonstrating client eligibility for services provided.Such data shall include,but not be limited to,client name,address,income level or other basis for determining eligibility,and description of service provided.Such information shall be made available to Grantee monitors or their designees for review upon request.” •Record Maintenance -Retain all financial records,supporting documents,statistical records,and all other records for a period of four (4)years after program participation/loan closure. HUD Record Keeping Requirements 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 17 of 37 ➢Personal information to determine program eligibility •Government IDs •Bank statements/Income documentation •Residential addresses •Contact Information Types of Data Collected 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 18 of 37 ➢Physical Data Storage •Files are stored in locked cabinets. •Only Housing Division staff have access. ➢Electronic Storage •Files stored on secure city network. •Secure housing folder with permissions to Housing staff. •Individuals outside of the housing staff do not have access to the housing folder without authorization from the City's IT department. How Data is Stored 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 19 of 37 ➢Electronic Correspondence •Encrypted emails. Third Party 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 20 of 37 THANK YOU! 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 21 of 37 Technology and Privacy Advisory Task Force Department of Human Resources July 18, 2022 Courtney Chase, Director of Human Resources/Risk Management 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 22 of 37 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 23 of 37 Summary of Employer Data •Job Applications •Resume •Letters of Recommendation •Transcripts/Degrees •Certificates •Preemployment •Reference checks •Background checks •Criminal history •Medical •Social media (Police) •Personnel Records •Personnel transactions •Leave usage •Evaluations •Discipline documents •Medical/Disability •Workers’ Compensation •Benefit election •Training •Compliance •Retirement 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 24 of 37 Software/Vendor Matrix •Software/Vendor Name •Does the City collect or access data •Data collected •Who is maintaining/storing the data •What third party vendors have access to the data •Can other City departments access this data freely •What controls are in place to protect personal data •Where is the data stored 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 25 of 37 Feedback/Questions Contact Courtney Chase Director of Human Resources/Risk Management cchase@chulavistaca.gov 619/409-5927 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 26 of 37 Page 1 of 5 Technology and Privacy Advisory Task Force Briefing | Department of Human Resources July 18, 2021 Human Resources Operations Division Software/ Vendor Name Collect or Access Data Data Collected/Accessed Who is maintaining/storing the Data? What vendors or third parties have access to this data? Can other City departments access this data freely? What controls are in place to protect personal data? Where is the data stored? NEOGOV Insight Collect Address, Email and Phone Date of Birth (Month/Day only) Ethnicity Gender Driver’s License Information Education Information Employment History Vendor maintained website NEOGOV No. Departments only have access to limited applications/data referred per Civil Service Rules. Authorized users have their own login. Servers in the United States NEOGOV Onboard Collect Address and Phone Date of Birth SSN COVID Vaccination Record I-9 Documents Ethnicity Gender Emergency Contact Direct Deposit/Banking Information Vendor maintained website NEOGOV No Authorized users have their own login. Servers in the United States DOJ Applicant Agency Justice Connection Access Criminal History and Subsequent Arrest Information Vendor maintained website California Department of Justice No Authorized users must be live scanned and approved by the DOJ. Each user has their own unique log in and must enter a one-time temporary password for increased authentication. The DOJ uses encryption software to protect the security of individuals' personal information during transmission of such information through the Department's Websites. Such personal information is stored by the Department in secure locations. Health Connections Network (HCN) Access Pre-employment work restrictions/limitations Vendor maintained website Sharp Rees Stealy No Authorized users have their own login. Amazon Web Services secure ISP. All data resides there in an encrypted form Concentra Employer Portal Access Pre-employment work restrictions/limitations Vendor maintained website Sharp Rees Stealy No Authorized users have their own login. Company server in Addison, TX eScreen Access Pre-employment drug screen results Vendor maintained website eScreen No Authorized users have their own login. Information requested. 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 27 of 37 Page 2 of 5 Human Resources Operations Division (continued) Software/ Vendor Name Collect or Access Data Data Collected/Accessed Who is maintaining/storing the Data? What vendors or third parties have access to this data? Can other City departments access this data freely? What controls are in place to protect personal data? Where is the data stored? Google Drive Access Employment applications which contain: Address, Email and Phone Date of Birth (Month/Day only) Driver’s License Information Education Information Employment History Google drive Panel members (internal and other cities) No. Restricted to those being interviewed. Access is restricted to panel members until interviews are completed. Applications and recruitment related documents are deleted after panel interviews are completed. Cloud on Google’s servers Dropbox Access Employment applications which contain: Address, Email and Phone Date of Birth (Month/Day only) Driver’s License Information Education Information Employment History PDF applications stored for interview use and accessed on iPad; deleted after panel interviews are completed Panel members (internal and other cities) No. Restricted to those being interviewed. Applications are deleted after panel interviews are completed. Secure data centers in the United States Volgistics Collect Address, Email and Phone Education Information Date of Birth SSN Driver’s License Information Employment and Volunteer Service History Education Information Vendor maintained website Volgistics No. Restricted to department’s volunteer coordinator. Authorized users have their own login. Secure data center in Grand Rapids, Michigan Training and Development Division Software/ Vendor Name Collect or Access Data Data Collected/Accessed Who is maintaining/storing the Data? What vendors or third parties have access to this data? Can other City departments access this data freely? What controls are in place to protect personal data? Where is the data stored? Target Solutions/Vector Solutions Collect Training Records Certificates, Credentials COVID Vaccination Records Vendor maintained website Vector Solutions No. Limited access/information to department liaison. Authorized users have their own login. Authorized Administrative users have admin access. Amazon Web Services Global Infrastructure Survey Monkey Collect Employee name, email and phone number Vendor maintained website SurveyMonkey No. Authorized Administrative users have admin access. Servers in the United States Wise@Work Collect Employee name, email address Vendor maintained website Wisdom Labs No. Authorized users have their own login. Authorized Administrative users have admin access. Data center in Virginia 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 28 of 37 Page 3 of 5 Benefits Division Software/ Vendor Name Collect or Access Data Data Collected/Accessed Who is maintaining/storing the Data? What vendors or third parties have access to this data? Can other City departments access this data freely? What controls are in place to protect personal data? Where is the data stored? Munis Collect and Access Address and Phone Date of Birth Email Address (Work and Personal) SSN ID Number Ethnicity Gender Emergency Contact Beneficiaries Direct Deposit/Banking Info Benefits Info Etc. Records created and maintained by City staff Munis No. Each employee has specific access based on position and department. Authorized users have their own login. Cloud-based application. Servers are located in Maine and Texas Aetna Access SSN (last 4) Date of Birth Gender, Address Phone Number Insurance coverage Dependents Vendor maintained Aetna No. Authorized users have their own login. Hybrid cloud deployment model, using both public and private cloud services. All public cloud data centers are located within the United States. Kaiser Access SSN (last 4) Date of Birth Gender Address Phone Number Email Address Insurance coverage Dependents Transaction history per user Vendor maintained EE records can be created/updated by Benefits staff Kaiser No. Authorized users have their own login. Information requested MES Vision Access SSN (last 4) Date of Birth Gender Address Phone Number Insurance coverage Dependents Vendor maintained MES Vision No. Authorized users have their own login. Information requested 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 29 of 37 Page 4 of 5 Benefits Division (continued) Software/ Vendor Name Collect or Access Data Data Collected/Accessed Who is maintaining/storing the Data? What vendors or third parties have access to this data? Can other City departments access this data freely? What controls are in place to protect personal data? Where is the data stored? HealthEquity Collect and Access SSN (last 4) Date of Birth (MO/DAY) Address Phone Number Coverage Vendor maintained HealthEquity No. Authorized users have their own login. Information requested Cigna (Dental) Collect and Access SSN (last 4) Date of Birth Gender Address Phone Number Insurance coverage Dependents Vendor maintained EE records can be created/updated by Benefits staff Cigna (Dental) No. Authorized users have their own login. Domestically located data centers. Cigna’s primary data center is Cigna owned and operated with Cigna as the only occupant. CalPERS Collect and Access SSN Date of Birth Address Phone Number CoCV Membership Info Vendor maintained EE appointment records created/updated by Benefits staff CalPERS No. Authorized users have their own login. Information requested Payflex Collect and Access SSN Date of Birth Gender Address Phone Number Email Address Insurance coverage Dependents Vendor maintained EE records can be created/updated by Benefits staff Payflex No. Authorized users have their own login. Information requested Hartford Collect and Access SSN Date of Birth Gender Marital Status Address Phone Number Insurance coverage EE records can be created/updated by Benefits staff Hartford No. Authorized users have their own login. Servers in the United States 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 30 of 37 Page 5 of 5 Risk Management Division Software/ Vendor Name Collect or Access Data Data Collected/Accessed Who is maintaining/storing the Data? What vendors or third parties have access to this data? Can other City departments access this data freely? What controls are in place to protect personal data? Where is the data stored? Intercare Access WC Claims Address, Email and Phone Date of Birth SSN Medical information Claims submitted via secured e-mail. Records stored internally in confidential medical files Intercare No. Authorized users have their own login Servers located in Rockland, CA A Check Global Collect and Access Driving Record Passthrough with DMV DMV No. General Consent From signed by new hires Information requested Clearinghouse – Department of Transportation Collect and access Driving record, drug & alcohol test records Entered by City staff FMCSA DOT National Safety Compliance No. General Consent Form signed by candidates Information requested 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 31 of 37 Technology and Privacy Advisory Task Force Meeting Summary June 8, 2022 Task Force members present: City staff and consultants present: Petrina Branch Mae Case Rafal Jankowski, Co-Chair Lucia Napolez Art Pacheco Sophia Rodriguez, Chair Charles Walker Maria Whitehorse Dennis Gakunga Simon Silva Adrianna Hernandez Anne Steinberger Jim Madaffer Jeremy Ogul Task Force members absent: Carlos De La Toba Dominic LiMandri Pedro Rios Patricia Ruiz 1. CALL TO ORDER Chair Rodriguez called the meeting to order at 6:05 p.m. 2. ROLL CALL Adrianna Hernandez called the roll. 3. PUBLIC COMMENTS – ITEMS NOT ON THE AGENDA Public comments were provided by the following speakers: Nancy Relaford and Margaret Baker. 4. PRESENTATIONS 4.1. PRESENTATION: PRIVACY 101 Pegah Parsi, Chief Privacy Officer at UC San Diego, provided a presentation touching on the philosophical and legal history of the concept of privacy, the wide variety of data that can be collected from an individual going about their daily life, the meaning of personal information, the risks of long-term privacy degradation, and related topics. Task force members engaged in a dialogue of questions and answers with the presenter. 4.2. PRESENTATION: FOCUS GROUPS AND COMMUNITY MEETINGS John Nienstedt, CEO of Competitive Edge Research and Communications, provided a presentation outlining the approach to four upcoming focus groups, including the composition and balancing of each group, timing, compensation, and related topics. 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 32 of 37 Jeremy Ogul presented an outline of the proposed community meetings, including potential dates, locations, and formats. Task force members engaged in a dialogue of questions and answers with the presenters. 5. BUSINESS ITEMS 5.1. MEETING SCHEDULE AND REVIEW OF UPCOMING AGENDA ITEMS Jeremy Ogul presented three options for upcoming meeting schedules, including the option to add one or two additional regular task force meetings between July and the end of September. Task force members discussed the need for additional meetings. Chair Rodriguez moved to adopt Meeting Sequence C, with two additional meetings, as the calendar for regular meetings of the task force through September. The motion was seconded by Member Walker. The motion passed unanimously. 5.2. RECEIVE AND FILE MEETING SUMMARIES Jeremy Ogul presented the meeting summaries from the April 24 and May 9 meetings of the Task Force. An e-comment was submitted by Margaret Baker. Task force members had no questions or comments on the meeting summaries as presented. 6. STAFF COMMENTS None. 7. TASK FORCE MEMBER COMMENTS Chair Rodriguez and Members Pacheco, Whitehorse, Walker, Jankowski, and Case provided miscellaneous comments. 8. ADJOURNMENT The meeting was adjourned at 9:51 p.m. - Meeting summary prepared by Jeremy Ogul 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 33 of 37 Technology and Privacy Advisory Task Force Meeting Summary June 27, 2022 Task Force members present: City staff and consultants present: Petrina Branch Mae Case Carlos De La Toba Rafal Jankowski, Co-Chair Dominic LiMandri Lucia Napolez Pedro Rios Patricia Ruiz Sophia Rodriguez, Chair Charles Walker Maria Whitehorse Dennis Gakunga Megan McClurg Adrianna Hernandez Anne Steinberger Jeremy Ogul Additional staff as noted in Items 4.1 and 4.2 Task Force members absent: Art Pacheco 1. CALL TO ORDER Chair Rodriguez called the meeting to order at 6:01 p.m. 2. ROLL CALL Adrianna Hernandez called the roll. 3. PUBLIC COMMENTS None. 4. PRESENTATIONS 4.1. CITY DEPARTMENT BRIEFINGS Tim Jones provided a presentation on the use of drones in the Engineering and Capital Projects Department. Task force members engaged in a dialogue of questions and answers regarding the presentation. Fire Chief Harry Muns provided a presentation on technology and privacy practices in the Fire Department. Task force members engaged in a dialogue of questions and answers regarding the presentation. Tracy Lamb and Joy Whatley provided a presentation on technology and privacy practices in the Parks and Recreation and Library departments. Task force members engaged in a dialogue of questions and answers regarding the presentation. The planned presentation by Adrian Del Rio and Victor De La Cruz was delayed to a future meeting. 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 34 of 37 4.2. DEBRIEF AND FOLLOW-UP Q&A FROM ON-SITE TOURS Jeremy Ogul introduced the item and referred the task force to the handout of questions and answers prepared by the Police Department in response to questions that arose during and after the June 2 tour. Task force members engaged in discussion and dialogue regarding impressions and questions they had following tours of the Police Department, Traffic Engineering Division, and presentations by the City Clerk and ITS Director. Chief of Police Roxana Kennedy, Executive Captain Phil Collum, Captain Eric Thunberg, and Captain Miriam Foxx were present to respond to questions from the task force. Deputy City Attorney Megan McClurg addressed questions regarding pending litigation against the City. 4.3. AD HOC STOP CHULA VISTA PD SURVEILLANCE GROUP Norell Martinez, Nancy Relaford, and Margaret Baker provided a presentation on behalf of the Ad Hoc STOP Chula Vista Surveillance Group, outlining the group’s proposed Surveillance & Community Safety Ordinance and Privacy Advisory Commission Ordinance. Task force members engaged in a dialogue of questions and answers regarding the presentation and the group’s proposals. 5. BUSINESS ITEMS 5.1. MINUTES FROM THE JUNE 8, 2022 MEETING The item was delayed to a future meeting. 6. ADDITIONAL PUBLIC COMMENTS Public comments were provided by the following speakers: Kevin O’Neill, James Zuffoletto, Seth Hall, and Kristina Mananquil. 7. STAFF COMMENTS Jeremy Ogul provided comments regarding the process that was used to recruit and select members of the task force. 8. TASK FORCE MEMBER COMMENTS Chair Rodriguez, Co-Chair Jankowski, and Members Case, Rios, LiMandri, and Ruiz provided miscellaneous comments. 9. ADJOURNMENT The meeting was adjourned at 10:11 p.m. - Meeting summary prepared by Jeremy Ogul 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 35 of 37 Preliminary List of Policy Ideas As of July 15, 2022 Procurement 1. Prohibit nondisclosure agreements in vendor contracts except to protect proprietary information 2. Require all contracts with privacy implications to be presented to the City Council, regardless of dollar amount 3. Require an evaluation of the potential for hardware to be maliciously accessed by a third party as part of the procurement process 4. Require vendors to give City the capability to audit who has accessed what information 5. Provide additional specialized training to procurement staff and City Attorney staff on recognizing contractual red flags related to data and privacy 6. Ensure that contracts include a prohibition on the use or sale of personal information outside except as necessary to provide a service to the City Data Retention and Minimization 7. Reduce the amount of time data is retained (ALPR, health data) 8. Do not retain data unless absolutely necessary to provide the core service (library example) 9. Anonymize or de-identify data when possible Information Security 10. Prohibit the use of non-City devices to access City networks unless two-factor authentication is used 11. Regularly audit who has access to information to ensure access is limited to only those with a current need to access Use Policies 12. Require the use policies for privacy-impacting technology to be reviewed at a certain interval to determine whether existing privacy protections are still adequate to address evolving uses of the technology Privacy Oversight 13. Establish a Privacy Advisory Board 14. Hire a Chief Privacy Officer to manage all privacy oversight functions 15. Require proactive disclosure of data breaches and privacy policy violations IMPORTANT NOTES: • The below list contains ideas that have been mentioned by task force members, city staff, and members of the public during meetings, tours, and briefings since April 2022. • This is not an exhaustive list of ideas that can or should be considered by the task force. It is only a list of ideas that have come up so far. More ideas may be shared and considered by the group. • Items on this list have the support or interest of at least one task force member, but they do not necessarily yet have the support of a plurality or a majority of the task force. • The purpose of providing this list is to create a starting point for discussion during the first Work Session of the task force on July 18, 2022. 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 36 of 37 2022-07-18 Technology & Privacy Advisory Task Force Agenda Page 37 of 37