City of Chula Vista
Technology and Privacy Advisory Task Force

**POST-MEETING AGENDA**

Date: Monday, August 15, 2022
Time: 6:00 p.m.
Location: Council Chambers, 276 Fourth Avenue, Chula Vista, CA

Meeting Agenda

1. CALL TO ORDER

2. ROLL CALL

3. PUBLIC COMMENTS
Any individual may address the task force on any matter within the subject area of the task force. Speakers will have a maximum of three minutes to provide their comments. A maximum of 20 minutes will be provided for public comment at this time. Speakers will be called in the order in which their requests to speak are received. If, after 20 minutes, there are still individuals in the queue to speak, they will be provided an opportunity to speak after the work session has concluded.

4. BUSINESS ITEMS
4.1 Receive and file meeting summaries
Task force members will receive and file the meeting summary from the August 1 meeting.

5. WORK SESSION
5.1 Work Session #3
Task force members will continue discussion of potential policy recommendations.

6. ADDITIONAL PUBLIC COMMENTS
Any individual may address the task force on any matter within the subject area of the task force. Speakers will have a maximum of three minutes to provide their comments.

7. STAFF COMMENTS

8. TASK FORCE MEMBER COMMENTS

9. ADJOURNMENT

Jeremy Ogul

From: Norah Shultz <nshultz@sdsu.edu>
Sent: Friday, August 12, 2022 7:12 AM
To: privacytaskforce@chulavistaca.gov
Subject: Concerns about survey conducted for policy consideration

Dear Members of the Chula Vista Privacy Advisory Task Force,

I am a Professor of Sociology at San Diego State University. I have been a professor and a senior administrator in higher education for over thirty years. Since my undergraduate days, one of my core specializations has been in the area of survey research. I’ve reviewed the report and the survey and I have a lot of questions.
I’m going to write about them in groups and put representative examples for the types of concerns, rather than go through each question and/or finding.

My overall concern is that while this is a well-known firm that has conducted a classic phone/email survey with traditional methodology (and for that there are strengths to what they have presented), it is not getting to the answers that are needed for the questions that a city council should be seeking. What is needed is a study to determine the needs and concerns of all community members, which is different from a study to determine the likelihood of something occurring – a market research study or a political poll, for example. In other words, a more nuanced study and analysis is required for a study of community needs and concerns.

I’m sure the firm can answer a few questions I have about their work, however, as I explained I will list the overall issues with their approach:

(1) It is very reassuring to read the words random sample and statistically significant. This sounds scientific and unbiased. However, a truly random sample is one in which every person has the same chance as any other person to participate in the survey. That means every person in your population – the group you are interested in learning about. I’m assuming that you are all interested in learning about all the residents of Chula Vista. So if this were truly a random sample of the residents of Chula Vista, then that means that each person in Chula Vista had the same chance of ending up in the final group as any other. But this is not true because of the following:

a. The sample was originally constructed from a list. Unless that list was all of the residents (over 18) of Chula Vista, then not everyone has the opportunity to be selected. Where is the list from? Phone directories and car registrations? There is bias there. Voter registration? We know the bias there. I didn’t see reported in the materials how the list was generated.

b. When you generate your random sample from your list, you decide to select every Xth person depending upon how many you need in your sample as you allude to in your notes on effect size. But again, unless every Xth person agrees to participate and complete the survey, bias has crept in again. Do you know how different the participants are from those who do not participate? One way is to try to get non-participants and those who do not complete the survey to provide some demographic information, particularly on relevant variables such as income, or some indicator of socio-economic status, and ethnic group identity and, in this case, also on perceived knowledge of the technology, so that some comparisons can be made to determine if your final sample is representative of the population and if these changes along the way have not introduced a bias that impacts your study questions. Again, while this check on the representativeness of the sample may be included in the final report, it was hard to find.

c. The easiest way to reassure those reviewing the report would be to take the demographic information from p. 2 and on p. 6 and compare it to the data from the Census Bureau for the city. You explain that you applied weights (and only on four variables from what I can discern) but do not provide detail about the demographic characteristics that were impacted. The weighting statistical technique will not account for missing information from groups. The weighting technique also would not impact the open-ended questions. This is an extremely long questionnaire. We have no idea what percentage of the original group actually completed the questionnaire. Even with the weighting, it makes it very difficult to assess many of the findings - particularly when critical policy issues are being considered.

(2) The questionnaire is extremely long. This in itself is of concern.
People who complete a survey of this length are different from those who don’t. While there are some very good aspects to the questionnaire, there are some that I find concerning, besides the length. For example, let’s look at Q7a. Part of the intro reads, “…where engineers use it to manage traffic signal timing in an effort to improve traffic flow and safety.” It is not surprising that 77% of the respondents approved of this. Who is going to say they don’t approve of improving safety? If a question has an 80/20 split, it is not differentiating. Now it may be that everyone is okay with this, but the question wording makes me wonder. Were there skip sequences? For example, if I don’t know anything about the use of drones, did I answer Q9? After that, Q11 and A12 really start out with sentences that make it pretty hard to answer anything other than beneficial. I actually think it is problematic that those with little or no knowledge seem to be included in the analyses along with those who claim some awareness of the technology or Chula Vista’s programs, as well as others who may have actual experience or understanding of the technology use and privacy issues and implications, beyond what is written in this survey as the lead-ins to the questions. That may be one of the most problematic aspects. It is very good that you include the opposite questions, however the language is subtly different, “Some people worry the drones might,…..” [emphasis mine]. Again, not to throw this out entirely but I think problems with wording and sequencing of questions should be brought to the attention of those who might want to use the reported findings to make policy decisions that impact people’s lives.

(3) My last points are about the analysis. The vast number of crosstabs, many with small cell sizes, makes it hard to go back and make any independent judgments. I also did not see any statistical analysis, such as a chi-square, associated with these data.
Since chi-square is sensitive to overall sample size and the cell sizes are so variable, a discussion of statistical significance related to this information would, admittedly, be problematic. But there are other ways to address this. You mention sampling error several times in the report, but I haven’t been able to find any discussion of effect size. In a study such as this, one that is impacting policy and citizens’ lives, I’d be curious about meaningful differences rather than statistically significant differences. I did appreciate the explanation of how to properly read a cross tab! I also reviewed the section discussing the multivariate analysis, but would like to have seen the actual analysis in the appendix and not just the cloud replication. What was the overall R2? Was this explaining the outcome in any significant way? It is, as I stated above, important to discuss the meaning and not just the statistical significance but the findings are presented in a way that makes it hard to understand overall how much is being explained here. Were all responses put into your model?

Another key concern is that we don’t know who is really being represented in this analysis. The very people who may be most impacted by such a policy may be silenced. As I wrote at the beginning, this does not call for a piece of market research. What is needed is a study that looks at the differential impacts on the highly diverse population of Chula Vista. In a situation such as this, I would not have used a random sample. With a simple random sample, you cannot create a stratified random sample, to make sure you are reaching enough of the people who may have particular concerns so that you can adequately analyze their position vis-à-vis the other groups. This requires a more complex sampling design.
I realize that important steps were taken to have a Spanish language and a Tagalog version, and to conduct several focus groups drawn again from some lists, but this falls far short of capturing the voices of many others in the community whose opinions and concerns should be a part of the crafting of such a policy.

Finally, I also would add that the survey report is incredibly long, just like the survey, and very difficult for any lay person to digest. I spend a lot of time teaching students not only how to work on surveys but how to prepare their reports for their audience. Ultimately, as decision makers, the city council has the moral obligation to be sure they understand the information that they are given and to be able to interpret it properly.

I pose these questions with respect for the work done; but also with great respect for all of the residents of Chula Vista.

Sincerely,

Norah P. Shultz, Ph.D.

--
Norah P. Shultz, Ph.D.
Pronouns: She / Her
Professor of Sociology
College of Arts & Letters
Doctoral Faculty
EdD Educational Leadership Community College & Post-Secondary Education Program
College of Education
Director of Inclusive Curriculum
Division of Student Affairs & Campus Diversity
nshultz@sdsu.edu
Nasatir Hall 210
San Diego State University
SafeZones@SDSU Ally. Military Ally. Ability Ally.
Indigenous hostlands: Birthplace: Lenapehoking; Residence: Kumeyaay

Jeremy Ogul

From: Seth Hall
Sent: Sunday, August 14, 2022 8:32 PM
To: privacytaskforce@chulavistaca.gov
Subject: Items to consider regarding August 15 Subcommittee reports
Attachments: 2208 Tech Lead SD - Consideration Items RE Subcommittee Reports.pdf

Distinguished task force members,

Please see the attached document regarding items for your consideration as you continue to discuss your recommendations.
I would appreciate a confirmation that this email has been received and distributed appropriately.

Thank you all for your continued work on this important topic.

Seth Hall, techleadsd.org
520-991-3962

“Technologists Tending the Grass Roots”

August 14, 2022

Dear distinguished task force members,

Please consider the attached suggestions as you deliberate regarding your final recommendations. Chula Vista residents deserve to determine for themselves how they will leverage new technology while protecting themselves from its many potential harms. The attached suggestions are sent in the spirit of collaboration among neighbors who are both actively working to answer similar questions, while also striving for the safest and healthiest city we can create.

Sincerely and with respect,

Seth Hall
Tech Lead San Diego (member of the TRUST SD Coalition)

Items for Consideration Regarding August 15 Subcommittee Reports

Items regarding the Procurement Subcommittee Report

1. The task force should consider making clear its intentions behind any exception to its recommendation prohibiting nondisclosure agreements, so that subsequent city attorneys reviewing the recommendation can provide proper guidance on how such an ordinance would be drafted. Many NDAs can be argued to contain “proprietary information,” and I don’t believe it is the desire of the task force to incentivize vendors to include proprietary information in the contract for the specific purpose of making contracts undisclosable under the task force’s recommended exception. In my experience, such tactics, while reprehensible from a public perspective, are entirely common in the for-profit vendor context.

2. The task force recommends that a convenience termination clause be added into vendor contracts for cases when a vendor requires their contract be placed under a NDA. If the task force chooses to recommend this, they may wish to further clarify what the task force believes the correct conditions are that would satisfy your intentions for convenience termination. For example, without additional guidance, convenience termination could be offered by a vendor, but only under the condition the City pays penalty fees that could equal the buyout cost of the contract. I don’t believe that the intention of the task force is to allow vendors to force the City to buy out the entire contract term in exchange for convenience termination in the case of an undisclosable NDA, because that does not protect Chula Vista taxpayers from predatory practices by vendors, and wouldn’t achieve any meaningful options or protection for the City. If the task force’s intention is that the city can terminate a vendor contract for convenience without any penalty whatsoever imposed by the vendor, the task force should make that intention clear in its recommendation.

3. The task force should reconsider its recommendation that allows for NDAs on vendor contracts in cases of proprietary information. Other subcommittee recommendations (PO&T) require vendor contracts to be posted publicly, and those recommendations do not provide for any exceptions. Upon further deliberation, the task force may find that hiding vendor contracts from the public is always harmful to public interests and only serves the interests of private parties.

Items regarding the Privacy Advisory Board Subcommittee Report

1. Each restriction placed on board membership carries a risk the board will not be able to be fully populated, which raises the risk of not achieving quorums, or that a minority of members could control the board’s decisions. The current recommendation potentially restricts 6 of the 9 seats, and does so in 3 different ways (residency, district residency, professional background). A minimum of 3 board members would have no restrictions whatsoever, beyond applicable law, which gives significant power to an individual who can appoint to those seats. Consider issues such as redistricting, as well as the ability of council members to interfere with the board’s functions by withholding nominations in their district. The task force should deliberate regarding the risks of board membership they are trying to mitigate, and ensure their final recommendation addresses the risks the task force believes are the highest and most likely risks.

2. Prior to making final recommendations, the task force should receive advice from city attorneys regarding the creation of boards and commissions, if the task force has not already received such advice. Existing limitations within the charter or municipal code could have the effect of substantially changing the task force’s recommendations if, for example, the task force’s preferred appointment process does not comply with current municipal code.

3. The task force is undecided on whether a seat on the board should be reserved for a past member of law enforcement. The task force should consider the option of neither reserving a seat for police, nor prohibiting police from the board. This model leaves the decision up to those responsible for appointments, who may have contemporary insights on the appropriateness of police membership on the board, at the time vacancies occur. If a seat is reserved for police, future appointees supported by the community may be ineligible for appointment, due to the strict requirement recommended by this task force.

4. The task force should consider whether it wants to recommend that a future privacy board be allowed to assemble via virtual meeting in addition to in-person meetings. Virtual meetings can be helpful to ensure quorums are achieved, and virtual meetings can also be helpful with increasing public participation. If the task force does not recommend the accommodation of virtual meetings, the city may not consider supporting that capability.

Items regarding the Use Policies Subcommittee Report

1. The task force recommends allowing the city to prioritize the surveillance technologies that should be reviewed by the board. Consider that the task force is recommending a board of community members, and that the community members are being carefully selected for residency and professional qualifications to ensure they provide trustworthy recommendations. Considering the careful requirements placed on board membership, the task force should consider capturing those board members’ input on the prioritization of technology to be reviewed. Appointed board members’ qualifications hopefully indicate a deeper knowledge of what technology is sensitive than what city staff may be aware of. Current task force recommendations cut board members entirely out of the prioritization process and put city staff in the driver’s seat.

Items regarding the Data Subcommittee Report

1. Regarding data minimization, the task force should consider adding a recommendation that sensitive personal information in particular be specially handled and retained for only the minimum amount of time necessary to accomplish the most immediate and pressing goal of data collection. See later recommendation that “sensitive personal information” be defined as a term.

2. When the task force makes recommendations that items (such as sale of the public’s information) should not occur without “sign off,” the task force should consider being more specific with regard to its intention on the process of those approvals. For example, does the task force advise that the sale of public information should require a majority vote of city council, or merely the approval of a particular individual within City staff?

3. Because the City’s Data Governance Committee is made up of only City staff, which variates with turnover, and is not structured by municipal code governing the City’s boards and commissions, the task force may want to consider removing references to the Data Governance Committee from the recommendations. The current recommendation attempts to incorporate the Data Governance Committee into the new privacy process, which may create conflicts of authority and process.

4. The task force should consider incorporating the term “Sensitive Personal Information” into the terms in need of definition, and the task force should consider recommending that the definition of the term permanently track the definition of Sensitive Personal Information as it is defined in the California Privacy Rights Act. See above #1 for recommendation on using this term to apply stronger protections for the public’s most sensitive data.

Items regarding the Privacy Oversight & Transparency Subcommittee Report

1. Nowhere in the subcommittee report are public meetings, community forums, or other live community education offered by City staff recommended. The task force should deliberate on whether posting signs, or posting links on the city website, is sufficient to ensure Chula Vista residents receive an acceptable level of awareness regarding the technology being deployed in their neighborhoods.

Items regarding the Information Security Subcommittee Report

1. The task force includes activity covered by a NDA to be “Confidential Data” and undisclosable to the public. This is very broad because the task force does not know what data could be considered to be “covered” by any given future NDA, since NDAs are negotiable and generally favorable to the non-city party. The task force should deliberate on whether this definition of Confidential Data is too favorable to vendors and poses unquantifiable risks to the public.

2. The task force includes in its definition of confidential data “information related to an allegation or investigation of misconduct.” This recommendation pulls the task force and privacy board into the controversy around public records controversies and California laws governing misconduct, such as SB 1421. The task force should deliberate on whether they believe a privacy ordinance is the proper venue to engage those controversies or whether the task force’s recommendation should instead lean on existing laws and public records processes and policies that already exist within the city.

Technology and Privacy Advisory Task Force
Meeting Summary
July 18, 2022

Task Force members present:
Mae Case
Carlos De La Toba
Rafal Jankowski, Co-Chair
Dominic LiMandri
Lucia Napolez
Art Pacheco
Pedro Rios
Sophia Rodriguez, Chair
Maria Whitehorse

City staff and consultants present:
Maria Kachadoorian
Dennis Gakunga
Glen Googins
Adrianna Hernandez
Jeremy Ogul
Additional staff as noted in Item 4.2

Task Force members absent:
Petrina Branch
Carlos De La Toba
Patricia Ruiz
Charles Walker

1. CALL TO ORDER
Chair Rodriguez called the meeting to order at 6:01 p.m.

2. ROLL CALL
Adrianna Hernandez called the roll.

3. PUBLIC COMMENTS
Public comments were received from Marla Kincaid.

4. PRESENTATIONS

4.1. CHECK-IN WITH THE CITY MANAGER
Maria Kachadoorian provided brief remarks regarding the role of the Task Force, the role of the City Manager, and the process following the Task Force’s submission of policy recommendations.
Task Force members engaged in a dialogue of questions and answers with the City Manager.

4.2. CITY DEPARTMENT BRIEFINGS
Courtney Chase provided a presentation on the use of technology and data in the Human Resources Department. Task force members engaged in a dialogue of questions and answers regarding the presentation. Erin Dempster responded to some of the questions.

Adrian Del Rio and Victor De La Cruz provided a presentation on the technologies used and types of data gathered in the Finance Department, as well as an overview of the City’s procurement process. Task force members engaged in a dialogue of questions and answers regarding the presentation. Meya Alomar responded to some of the questions.

Tiffany Allen provided brief remarks on the technologies used and data gathered by the Development Services Department.

Stacey Kurz provided a presentation on technology and data management in the Housing Division. Task force members engaged in a dialogue of questions and answers regarding the presentation.

4.3. REVIEW PLANS FOR COMMUNITY MEETINGS
Jeremy Ogul provided brief remarks outlining plans for the upcoming community meetings on July 27 and 28 and asked for support from task force members.

5. BUSINESS ITEMS

5.1. RECEIVE AND FILE MEETING SUMMARIES
Jeremy Ogul presented the meeting summaries from the June 8 and June 27 meetings of the task force. Task force members had no questions or comments on the meeting summaries as presented.

6. WORK SESSION

6.1. WORK SESSION #1
Task force members discussed their priorities for elements to include in the policy recommendations. The conversation focused on the role of the Chief Privacy Officer and the role and composition of a Privacy Advisory Board. Glen Googins answered questions and provided feedback during the discussion.

7. ADDITIONAL PUBLIC COMMENTS
A written public comment card from Dr. Robert Lee Brown was submitted.

8. STAFF COMMENTS
None.

9. TASK FORCE MEMBER COMMENTS
None.

10. ADJOURNMENT
The meeting was adjourned at 9:48 p.m.

- Meeting summary prepared by Jeremy Ogul

Technology and Privacy Advisory Task Force
Work Session #3 Discussion Guide
August 15, 2022

GOALS FOR THIS WORK SESSION

The primary recommended goal for Work Session #3 (and continuing with Work Session #4) is to develop consensus on a semi-final list of policy recommendations. What are the high-level ideas that everyone agrees should be included in the final policy? These ideas do not need to be fully formed — some details can be filled in later — but by the end of this work session the task force should be able to point to a semi-final list of high-level bullet points that they would like to include in their final recommendations.

By providing this list by the end of this meeting, the task force will enable City staff to begin reviewing and considering the operational impacts of the policy ideas under discussion. City staff will take two to three weeks to solicit internal input from department managers, key staff, and the City Attorney’s office, so that by the Sept. 12 task force meeting, staff can provide a response to the task force in terms of suggested modifications, concerns, questions that need further discussion, etc. This would allow the task force to then use the Sept. 12 and Sept. 26 meetings to make modifications in response to the feedback provided by staff.

FORMAT FOR THIS WORK SESSION

We recommend that tonight’s Work Session be organized as follows:

1. Report out: A representative from each subcommittee will take two to three minutes to explain the results of their work and what their subcommittee recommends to the full task force. Other task force members may ask clarifying questions but should refrain from discussing, deliberating, or offering opinions at this point.

2. Measure current agreement level: Using the Gradients of Agreement method introduced by Member Case, each policy idea will be rated by each task force member using the scale provided. Task force members should refrain from discussing or deliberating at this point.

3. Deeper dive: For those policy ideas that have less consensus, the task force should discuss the issues that are driving disagreement and explore what changes could be made to increase support and agreement among the group.

GRADIENTS OF AGREEMENT

Is this something you agree on moving forward with or signing on to? Choose from one of the following answers:

1. Yes!
2. Yes, with minor reservations, which are…
3. Yes, with significant reservations, which are…
4. Neither / I feel indifferent / I have no opinion
5. No, but I don’t want to stop the group from moving forward or signing on to this idea.
6. No, and I don’t think the group should move forward or sign on to this idea.

Procurement Subcommittee Report
August 15, 2022
Members: Dominic LiMandri, Rafal Jankowski

Prohibit nondisclosure agreements in vendor contracts except to protect proprietary information

• Do you agree this should be part of the task force’s policy recommendations?
  o Yes, though contingent on those firms possessing the proprietary information confirming they will not transfer (in any way) said information to a 3rd party.
• Is any additional detail or clarification needed to make this policy recommendation effective?
  o If vendor can’t work around the prohibition of non-disclosure agreements, a clause of convenience should be inserted to allow for the City to willfully terminate the agreement at any point in time at Council discretion.

Require all contracts with privacy implications to be presented to the City Council, regardless of dollar amount

• Do you agree this should be part of the task force’s policy recommendations?
  o Yes, though subsequent to the review of the contract by the Privacy Advisory Board (PAB) with input from the Chief Privacy Officer (CPO). All contracts already go before the City Council for review and approval, but this way, the contract comes before the City Council accompanied by a thorough evaluation from the PAB and CPO. This allows the Council to make an informed decision based off the feedback from a community-led board and expert City staff.
• If so, how should the City determine whether a contract has privacy implications?
  o By running said contract through the PAB and CPO for review and reporting. The CPO will be crucial in assisting the PAB in evaluating contracts with privacy implications and vulnerabilities. Both entities should review contracts solicited via Request for Proposal and Sole Source processes.

Require an evaluation of the potential for hardware to be maliciously accessed by a third party as part of the procurement process

• Do you agree this should be part of the task force’s policy recommendations?
  o Yes, an impact assessment report should be drafted by the CPO and Chief Information Security Officer (CISO) for presentation to the PAB for review and consideration that would examine the potential for this sort of hardware vulnerability.
• Who should be responsible for performing this evaluation?
  o CPO & CISO

Require vendors to give City the capability to audit who has accessed what information

• Do you agree this should be part of the task force’s policy recommendations?
  o Yes, we agree, and would insist vendors automatically provide access reports to the designated auditors (whether internal or third party) at predesignated, routine intervals.
• Is any additional detail or clarification necessary to make this policy recommendation effective?
  o We recommend the designated auditor interface with the CPO and CISO in their dealings with the vendor. Auditor should not have any existing or ongoing contracts with the City of Chula Vista.

Provide additional specialized training to procurement staff and City Attorney staff on recognizing contractual red flags related to data and privacy

• Do you agree this should be part of the task force’s policy recommendations?
  o Yes, the CPO and CISO should organize and facilitate specialized training sessions (as needed) on privacy-centric and security-centric matters for all procurement staff as well as all City staff associated with surveillance technology use and deployment.
• Is any additional detail or clarification necessary to make this policy recommendation effective?
  o CPO should be facilitating the content covered in these training sessions and should be expected to establish a regular frequency to remain up-to-date with emerging surveillance technologies.

Ensure that contracts include a prohibition on the use or sale of personal information outside except as necessary to provide a service to the City

• Do you agree this should be part of the task force’s policy recommendations?
  o Yes
• Is any additional detail or clarification necessary to make this policy recommendation effective?
  o We would like to further stipulate that all captured data must be anonymized and repackaged metadata with no Personally Identifiable Information or packaged in a dataset for third-party entities.

Privacy Advisory Board Subcommittee Report
August 15, 2022
Members: Dominic LiMandri, Mae Case, Pedro Rios, Maria Whitehorse

The task force has generally agreed that all members of this board should be Chula Vista residents, however there is some disagreement. Some task force members believe there may need to be an allowance for non-residents, while others have noted that the City is large enough to find all the desired qualified applicants among City residents.
What should the task force recommend as far as residency requirements?

After some very thoughtful discussion, our group settled on endorsing a 2/3 citizen-mandate split on a proposed 9-person Advisory Board. So, of the nine total members, we recommend the total Board consist of at least six Chula Vista residents. Additionally, four of the nine candidates should be from each respective council district, to ensure equal representation.

The task force has generally agreed that each City Councilmember should get one appointment to the task force (for a total of five members), while the remaining members will be determined through a process that may be similar to the one used to establish this Technology and Privacy Advisory Task Force. Under that process, a panel of community leaders and city staff reviewed and ranked the applications, and the City Manager interviewed the finalists and made the final choice. What should the task force recommend as far as selection process? Remember that regardless of the particulars of the selection process, the City Charter requires that all appointments to a City Board or Commission be approved by a vote of the City Council.

Our group acknowledged the need for a rigorous vetting process in the evaluation of the prospective Advisory Board nominees, similarly to how our own Task Force composition was finally selected. Dominic referenced the two-tier panel review process (the City has used in the past) as a viable model to emulate to ensure practical knowledge is balanced with civic responsibility in a candidate’s profile. The members present were also unclear about the vetting process for selected Council nominees and requested additional information on how conventional Council appointments or nominations to City Commission or Boards are processed and/or evaluated currently.

The task force has generally agreed that members of the board should include a mix of technology experts, legal experts, auditing experts, privacy advocates.
Board members have also acknowledged the suggestions of additional criteria submitted via public comment and community forums. What other criteria should be included? Is there a minimum number or maximum number of Board members who meet certain criteria? For example, should the policy say there must be no fewer than one and no more than three attorneys?

After some robust deliberation, our group consensus coalesced around the following Advisory Board member criteria:

Nine (9) total members.
1. 2/3 Citizen Majority, w/ at least one (1) member from each council district
2. Five Nominations total from Council and Mayor; the remaining would be selected from public applications
3. A Hardware, Software, Encryption Security Professional
4. An Auditor or Certified Public Accountant (CPA)
5. An attorney, legal scholar or recognized academic with expertise in privacy and/or civil rights
6. A Member of an organization that focuses on government transparency or citizen privacy
7. Human Relations Commission Representative/Rep. from an Equity-Based Organization
8. [Undecided] A past or retired member of law enforcement unaffiliated with the Chula Vista Police Department [We wanted the full Task Force to decide this one]

Use Policies Subcommittee Report
August 15, 2022
Members: Petrina Branch and Art Pacheco

Create acceptable use policies and retention policies for privacy-impacting technologies that are consistent across departments, enforceable, auditable, and reviewed/refreshed on a regular basis to ensure they are still adequate to address evolving uses of the technology.

Do you agree this should be part of the task force’s policy recommendations?
• Yes, this task force should make recommendations regarding the acceptable use of technologies that collect citizen data that is provided both voluntarily and involuntarily.
• The use policy should include how the data is used, who has access to it and how long the information is retained by the City. Once a policy is established compliance should be audited.
• Any changes in technology and/or deviation from the original intended use should go through a review and approval process. An example of a use change would be expanding the use of the drone for surveillance when there is not a reported incident.

Who will create these policies?
• A high level process for creation of a use policy by each department should be recommended by the current task force.
• Use policies should be created by each department with the Chief Privacy Officer (CPO), and then reviewed by the proposed Privacy Commission. The CPO would create a city-wide template for use policies. Each department would fill out the template for the current use of technology and proposed future technology.
• The use of various technology tools should be documented as well as their intended purpose.
• [We need to check with Dennis Gakunga to see how technology review is being done currently and how we avoid duplicity in technology. Moreover, we can learn how we could possibly adapt his process to include the proposed use policies.]

Who will review them?
• The CPO will work with each department to document use of technology. The CPO and Privacy Commission should review these use policy documents for adherence to privacy policies.

How often should they be reviewed?
• Once they are established, they should be reviewed yearly. But, if there is a proposed major change in the technology or use of the technology then the policy should be reviewed prior to the proposed change.

Given the potentially large number of privacy-impacting technologies the City currently uses, how should the City prioritize which use policies are developed/reviewed first?
For example, if it is only feasible for the City to review / approve one per month, how should these be prioritized?
• The city should prioritize items with the greatest privacy impact such as surveillance technology used for policing. The impact and risk to privacy are factors that should be weighed when considering these technologies. The city should create a scale to score privacy risk. This scale should be used to assess risk and impact to privacy of Chula Vista residents. Technologies that involve medium-to-high risk should be reviewed as priorities by the CPO and Privacy Committee.

Access to Data
• Access to technology and sharing of data needs to go through an auditable approval process to ensure the access is limited to those who have a legitimate need to use or access the data.
• An example of unacceptable access was the sharing of ALPR data with certain external law enforcement agencies.
• Granting access to 3rd parties should be documented and have a formal approval process with accountable leadership. Currently, it appears that the approval process is ad hoc, informal and cannot be audited.
• Sharing data within the city should also be audited and reviewed by the CPO. For example, the sharing of the traffic engineering camera feed between the Traffic Engineering and Police Departments should be audited and reviewed by the CPO and proposed Privacy Commission. It appears there is no clear policy or procedure governing how the traffic engineering camera feed was shared with the police. Furthermore, there appears to be no documented policy regarding how the data is being used or shared by each department.

Data Subcommittee Report
August 15, 2022
Members: Patricia Ruiz, Mae Case, and Art Pacheco

Reduce the amount of time data is retained to what is necessary and expunge the data whenever possible.
(metadata and datasets)
• Do you agree this should be part of the task force’s policy recommendations?
  o Yes
  o The city has a retention schedule published but it is not tied to the type of privacy data being retained. It should be simplified and there needs to be a better way to audit and enforce the said retention schedule.
  o We need to identify data and categorize by type of data in addition to department and existing categories.
• What standard or process should the City use to determine the appropriate retention periods for given types of data?
  o We recommend that the existing retention policy be simplified and modified to include privacy data retention and minimization considerations.

Do not retain data unless absolutely necessary to provide the core service (library example)
• Do you agree this should be part of the task force’s policy recommendations?
  o Yes
• How will this policy be managed/enforced?
  o City wide policy that applies to all departments and there should be some way to do a sampling and audit of departments? Exhaustive audit may be time and cost prohibitive. Info needs to be shared with CPO and report should be provided to Privacy Committee/Commission. Shared with the public?

Anonymize or de-identify data
• Do you agree this should be part of the task force’s policy recommendations?
  o It is generally understood that anonymization strategies will not completely protect or prevent reverse engineering access to the personal identifying data; however, anonymization is recommended as a mitigation strategy. The city should implement a mechanism to remove or de-identify data as much as possible, especially for longer retention periods.

Provide disclaimers to let people know when their data is being collected and how it will be used and by what groups/people
• At a minimum, Chula Vista residents should be made aware, by digital and analog/non-digital notification from the city (written mailed notification and notice on the city’s website are suggestions), of data being collected and/or the potential for their data to be collected, e.g. ALPR. This is what is being collected and this is what that data is being used for. Impacted individuals should be made aware that their information is being collected.

Provide information about how the data collected will be sold or shared with second or third parties.
• If data collected will be shared with second or third parties, there should be notification to the CPO, the Chula Vista Privacy Commission, and Chula Vista city residents should be notified in both digital and analog formats. In the case of the change in ownership of a vendor, the updated contract should be reviewed for adherence to the City’s privacy and data retention policies as a new contract.
• We should not allow data to be sold or shared. Any sort of action like this needs to be communicated somehow and audited.
• Information should not be sold or shared without public notification, approval, and sign off from city leadership. This includes contracts signed during the procurement process.

Recommend that the Data Governance Committee have citizen/privacy perspective representatives.
• Concern about the Data Governance Committee’s ability to make “high-level decisions about data-sharing agreements, open data, data publication priority, and other related issues.”
• What happens when there is disagreement between the Chula Vista Privacy Commission and the Data Governance Committee?

Definitions needed
The City of Chula Vista needs to define terms including, but not limited to the ones below.
We recommend adoption of definitions shared by Pegah Parsi at UCSD and recommend the City of Chula Vista work with experts like her to arrive at these definitions.
• Data
• Personal Data
• Personal information/data
• Data Breach
• Data Access
• Data Protection
• Data Retention
• Public Access
• Third Party Data Sharing
• Training
• Auditing and Oversight: Data Privacy Breaches
• Maintenance

Privacy Oversight & Transparency Subcommittee Report
August 15, 2022
Members: Lucia Napolez and Sophia Rodriguez

Provide proactive disclaimers to let people know when their data is being collected and how it is being used.
• Do you agree that this should be part of the task force’s policy recommendations? Should this be done on a case-by-case basis, or should there be a central place (on the City website?) where these disclaimers are held?
  o Yes. Each of the department’s websites, including under the City of Chula Vista, must include a disclaimer regarding the collection of data for their needs. This includes disclaiming all associated third-party vendors with the most recent contract.
  o Third-party vendor contracts should be publicly available at all times.
  o Any Data Breaches under any department must be publicly announced within 1 business day of confirmation. This includes: Posting on all City Social Media, and a Press Announcement, and must be CLEARLY visible on the City Website. In addition, there must be links to resources for affected parties.
• What does this policy look like for direct interactions between residents and the City? What does this policy look like for indirect interactions between residents and the City?
  o Every Department must have a disclaimer regarding data collection under the City Website as well as an FAQ section.
  o Street signs clearly stating a person is entering an ALPR area or “recording in progress with a camera” area.

Committee Board
• The Board must have meetings with all departments to discuss new interesting technologies prior to procurement of those technologies
• Online Newsletter for interested CV residents to subscribe to for updates
• A member must be responsible and held accountable for providing regular announcements to the public
• Oversight MUST be open to the public and accept public comments
• All languages must be accepted - translation services are available

Inter-Departmental Sharing
• Sharing of data between departments must be done by formal request to City Management.
• If approved, City Management must provide a reason for its use

Procurement
• Prohibit NDAs between vendors and city

OTHER:
• Audits must be regularly done on who has access to data collection
• What is “The Data Governance Committee”???
• Make the definition of Open Data Policy clear. And what is it?
• There needs to be a tab on the website that shows what new technologies are acquired.
• Contract status needs to be available, for example, upcoming renewal or termination.
• SMART CITY needs to have its own tab, not under businesses on the city website.

Information Security Subcommittee Report
August 15, 2022
Members: Charles Walker and Carlos De La Toba

Recommended City Information Security Policies

PURPOSE: To provide guidelines with regard to the responsibility of every City of Chula Vista (City) employee who accesses Data and information in electronic formats and to provide for the security of that Data and to restrict unauthorized access to such information.

POLICY: Electronic Data are important City assets that must be protected by appropriate safeguards and managed with respect to Data stewardship. This policy defines the required Electronic Data management environment and classifications of Data, and assigns responsibility for ensuring Data and information privacy and security at each level of access and control.

SCOPE AND APPLICABILITY: This policy applies to all City personnel and affiliated users with access to City Data.

DEFINITIONS:

Affiliated Users: Vendors and guests who have a relationship to the City and need access to City systems.

Application or App: A software program run on a computer or mobile device for the purpose of providing a business/academic/social function.

Cloud: An on-demand availability, geographically dispersed infrastructure of computer system resources, especially data storage (cloud storage) and computing power, without direct active management by the end user. Clouds may be limited to a single organization (Private Cloud), or be available to many organizations (Public Cloud). Cloud-computing providers offer their “services” according to three standard models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Confidential Data: Data that are specifically restricted from open disclosure to the public by law are classified as Confidential Data. Confidential Data requires a high level of protection against unauthorized disclosure, modification, transmission, destruction, and use. Confidential Data include, but are not limited to:
• Medical Data, such as Electronic Protected Health Information and Data protected by the Health Insurance Portability and Accountability Act (HIPAA);
• Investigation.
  Only investigation data and information within the following broad categories is to be considered Confidential Data:
  o Active Investigations;
  o Activity that is covered by a fully executed non-disclosure agreement (NDA);
  o Information, data, etc., that is proprietary or confidential (whether it belongs to an internal investigator or an outside collaborator), regardless of whether it is subject to an NDA;
  o Information or data that is required to be deemed confidential by state or federal law (e.g., personally identifying information about research subjects, HIPAA or FERPA protected information, etc.); and
  o Information related to an allegation or investigation into misconduct.
• Information access security, such as login passwords, Personal Identification Numbers (PINs), logs with personally identifiable Data, digitized signatures, and encryption keys;
• Primary account numbers, cardholder Data, credit card numbers, payment card information, banking information, employer or taxpayer identification number, demand deposit account number, savings account number, financial transaction device account number, account password, stock or other security certificate or account number (such as Data protected by the Payment Card Industry Data Security Standard);
• Personnel file, including Social Security Numbers;
• Library records;
• Driver’s license numbers, state personal identification card numbers, Social Security Numbers, employee identification numbers, government passport numbers, and other personal information that is protected from disclosure by state and federal identity theft laws and regulations.

Data Classifications: All Electronic Data covered by this policy are assigned one of three classifications:
• Confidential
• Operation Critical
• Unrestricted

Data Custodian: Persons or departments providing operational support for an information system and having responsibility for implementing the Data Maintenance and Control Method defined by the Data Steward.

Data Maintenance and Control Method: The process defined and approved by the Data Steward to handle the following tasks:
• Definition of access controls with assigned access, privilege enablement, and documented management approval, based on job functions and requirements.
• Identification of valid Data sources
• Acceptable methods for receiving Data from identified sources
• Process for the verification of received Data
• Rules, standards and guidelines for the entry of new Data, change of existing Data or deletion of Data
• Rules, standards and guidelines for controlled access to Data
• Process for Data integrity verification
• Acceptable methods for distributing, releasing, sharing, storing or transferring Data
• Acceptable Data locations
• Providing for the security of Confidential Data and Operation Critical Data
• Assuring sound methods for handling, processing, security and disaster recovery of Data
• Assuring that Data are gathered, processed, shared and stored in accordance with the City privacy statement (to be written).

Data Steward: The persons responsible for City functions and who determine Data Maintenance and Control Methods are Data Stewards.

Electronic Data/Data: Distinct pieces of information, intentionally or unintentionally provided to the City in a variety of administrative, academic and business processes. This policy covers all Data stored on any electronic media, and within any computer systems defined as a City information technology resource.

Mobile Computing Devices: Information technology resources of such devices include, but are not limited to, laptops, tablets, cell phones, smart phones, and other portable devices.

Operation Critical Data: Data determined to be critical and essential to the successful operation of the City as a whole, and whose loss or corruption would cause a severe detrimental impact to continued operations. Data receiving this classification require a high level of protection against accidental distribution, exposure or destruction, and must be covered by high quality disaster recovery and business continuity measures. Data in this category include Data stored on Enterprise Systems such as Data passed through networked communications systems. Such Data may be released or shared under defined, specific procedures for disclosure, such as departmental guidelines, documented procedures or policies.

City Provided Data Systems: Information technology resources, as defined and described by the City and used for the storage, maintenance and processing of City Data.

Unrestricted Data: Information that may be released or shared as needed.

Usage/Data Use: Usage and Data Use are used interchangeably and are defined as gathering, viewing, storing, sharing, transferring, distributing, modifying, printing and otherwise acting to provide a Data maintenance environment.

PROCEDURES:

1. Data Stewardship
Data Stewards are expected to create, communicate and enforce Data Maintenance and Control Methods. Data Stewards are also expected to have knowledge of functions in their areas and the Data and information used in support of those functions. The Chief Information Officer (CIO) is ultimately accountable for the Data management and stewardship of all the City data. The CIO may appoint others in their respective areas of responsibility.

2. Data Maintenance and Control Method
Data Stewards will develop and maintain Data Maintenance and Control Methods for their assigned systems. When authorizing and assigning access controls defined in the Data Maintenance and Control Methods involving Confidential Data and Operation Critical Data, Data Stewards will restrict user privileges to the least access necessary to perform job functions based on job role and responsibility.

If the system is a City Provided Data System, City Technology Services will provide, upon request, guidance and services for the tasks identified in the Data Maintenance and Control Method.

If the system is provided by a Public Cloud, the Data Steward must still verify that the Data Maintenance and Control Method used by the Public Cloud provider meets current City technology standards (to be written)?. Further, ongoing provisions for meeting current City technology and security standards (to be written)? must be included in the service contract. Review of Public Cloud solutions must include City Technology Services and City Attorney prior to final solution selection and purchase.

Use of personal equipment to conduct City business must comply with all guidance provided by City policies (to be written)?.

3. Data Custodianship
Data Custodians will use Data in compliance with the established Data Maintenance and Control Method. Failure to process or handle Data in compliance with the established method for a system will be considered a violation of the City policies.

4. Data Usage
In all cases, Data provided to the City will be used in accordance with the Privacy Statement (to be written).

Software solutions, including SaaS solutions, are selected to manage Data and are procured, purchased and installed in conjunction with City (to be written).

Data will be released in accordance with City (to be written).
Requests for information from external agencies (such as Freedom of Information Act requests, subpoenas, law enforcement agency requests, or any other request for Data from an external source) must be directed to the City Attorney and processed in accordance with existing policies.

Standards for secure file transmissions, or Data exchanges, must be evaluated by the CIO when a system other than a City Provided Data System is selected or when a Public Cloud is utilized. Specific contract language may be required. The City Attorney must be consulted regarding such language.

Unencrypted authorization and Data transmission are not acceptable.

Communication of Confidential Data via end-user messaging technologies (i.e., email, instant messaging, chat or other communication methods) is prohibited.

5. Storing Data
Data cannot be stored on a system other than a City Provided Data System without the advance permission of the Data Steward and demonstrated legitimate need.

Data should be stored in encrypted formats whenever possible. Confidential Data must be stored in encrypted formats. Encryption strategies should be reviewed with City Technology Services in advance to avoid accidental Data lockouts.

Data cannot be stored on a City-provided Computing Device unless the device is encrypted without the advance permission of the Data Steward and demonstrated legitimate need.

Data must be stored on devices and at locations approved by Data Stewards. If information technology resources (computers, printers and other items) are stored at an off-campus location, the location must be approved by Data Stewards prior to using such resources to store City Data.

Technology enables the storage of Data on fax machines, copiers, cell phones, point-of-sale devices and other electronic equipment. Data Stewards are responsible for discovery of stored Data and removal of the Data prior to release of the equipment.

When approving Mobile Computing Device Usage, Data Stewards must verify that those using Mobile Computing Devices can provide information about what Data was stored on the device (such as a copy of the last backup) in the event the device is lost or stolen.

In all cases, Data storage must comply with City retention policies. Data Usage in a Public Cloud system must have specific retention standards (to be written)? written in the service contract. The City Attorney must be consulted regarding such language.

Provisions for the return of all City Data in the event of contract termination must be included in the contract, when Data is stored on a Public Cloud. The City Attorney must be consulted regarding such language.

Current security standards (to be written)? (such as controlled access, personal firewalls, antivirus, fully updated and patched operating systems, etc.) will be evaluated when a system other than a City Provided Data System is selected and must be covered in contract language. The City Attorney must be consulted regarding such language.

Data stored on Mobile Computing Devices must be protected by current security standard methods (such as controlled access, firewalls, antivirus, fully updated and patched operating systems, etc.).

City standard procedures (to be written) for the protection and safeguarding of Confidential Data and Operation Critical Data must be applied equally and without exception to City Provided Data Systems, Mobile Computing Devices and systems other than City Provided Data Systems, such as Public Cloud solution.

6. Systems and network Data
Systems and network Data, generated through systems or network administration, logs or other system recording activities, cannot be used, or captured, gathered, analyzed or disseminated, without the advance permission of the Chief Information Officer.

7. Value of Data
In all cases where Data are to be processed through a Public Cloud, the following assessment must be done: The value of the Data must be determined in some tangible way. Signature approval from the Data Steward’s division vice president or appropriate party with the ability to authorize activity at the level of the value of the Data must be obtained.

8. Sanctions
Failure to follow the guidelines contained in this document will be considered inappropriate use of a City information technology resource and therefore a violation of the City policy (to be written).

9. Data Security Breach Review Panel
A Data Security Breach Review Panel (Panel) comprised of the following members will be established:
  o Chief Information Officer
  o Chief of Police
  o City Attorney
  o Chief Privacy Officer

10. Data Loss Prevention Software
Define granular access rights for removable devices and peripheral ports and establish policies for users, computers and groups, maintaining productivity while enforcing device security.

11. Audits
All City owned equipment is subject to audit for unauthorized storage of regulated data. Devices authorized to store regulated data are subject to audits as deemed necessary by the CIO. Reasonable prior notification of an audit will be provided. Audit results are handled confidentially by Information Security staff and are reported to the CIO in aggregate.

12. Mobile Devices
City owned mobile equipment will be exclusively allowed on the City’s primary network and use two factor authentication. All personal devices must use “guest” access if provided.