2022-09-12 Tech Privacy Task Force Agenda Packet
City of Chula Vista
Technology and Privacy Advisory Task Force
Date: Monday, September 12, 2022
Time: 6:00 p.m.
Location: Council Chambers, 276 Fourth Avenue, Chula Vista, CA
Meeting Agenda
1. CALL TO ORDER
2. ROLL CALL
3. PUBLIC COMMENTS
Any individual may address the task force on any matter within the subject area
of the task force. Speakers will have a maximum of three minutes to provide
their comments. A maximum of 20 minutes will be provided for public comment
at this time. Speakers will be called in the order in which their requests to speak
are received. If, after 20 minutes, there are still individuals in the queue to
speak, they will be provided an opportunity to speak after the business items
have concluded.
4. BUSINESS ITEMS
4.1. Receive and file meeting summaries
Task force members will receive and file the meeting summaries from the
August 15 and August 22 meetings.
5. WORK SESSION
5.1. Work Session #5
Task force members will continue discussion of potential policy
recommendations.
6. ADDITIONAL PUBLIC COMMENTS
Any individual may address the task force on any matter within the subject area
of the task force, including on the Work Session discussion. Speakers will have
a maximum of three minutes to provide their comments.
7. STAFF COMMENTS
8. TASK FORCE MEMBER COMMENTS
9. ADJOURNMENT
Chula Vista Technology and Privacy Advisory Task Force
Summary of Policy Recommendations
DRAFT VERSION – August 25, 2022
Note: To facilitate discussion and review, the policy recommendations are numbered in this
document. There is no particular order or significance to the numbering scheme or the section
headings in this draft.
Privacy Advisory Board
1. The City should establish a Privacy Advisory Board responsible for carrying out a broad
range of advisory duties.
a. The Board’s duties are described throughout this document, including:
i. Holding regular meetings that are open to the public, including
opportunities for public comment in English and other languages.
ii. Reviewing Use Policies for privacy-impacting technologies and making
recommendations on changes.
iii. Reviewing data sharing agreements.
iv. Reviewing new technology-related contracts.
2. The Privacy Advisory Board should have nine members, at least two-thirds of whom are
Chula Vista residents.
a. Chula Vista residents should comprise a super-majority of Board members
because residents experience the impacts of City decisions on privacy and
technology to a much greater degree than non-residents do.
b. The purpose of allowing non-residents to serve on the Board is to recognize that
non-residents also experience the impacts of City decisions on privacy and
technology, especially if they work, own a business, or attend school in Chula
Vista. Additionally, non-residents may have valuable expertise or perspectives
that should be included on the Board.
c. There is no requirement to include non-residents on the Board.
3. Privacy Advisory Board members will be selected through a combination of City staff
review, community review, and City Council review.
a. Members of the Board should be selected through a process that includes review
and vetting by both City staff and by community leaders, similar to the process
used to appoint members of the Technology and Privacy Advisory Task Force.
b. All members of the Board must be approved by a majority vote of the City
Council pursuant to the City Charter.
c. The purpose of involving community leaders in the selection process for some
members is to ensure that Board membership is not exclusively determined by
City staff or elected officials.
4. Selections to the Board should reflect the City’s diversity in terms of race, gender, and
age.
2022-08-15 Technology & Privacy Advisory Task Force Agenda Page 2 of 59
All Board members shall be persons who have an interest in privacy rights as
demonstrated by work experience, civic participation, and/or political advocacy.
No member may be an elected official.
No member may have a financial interest, employment, or policy-making position in any
commercial or for-profit facility, research center, or other organization that sells
surveillance equipment or profits from decisions made by the Board.
Each of the following perspectives should be represented by at least one member of the
Board:
a. A resident of Council District 1
b. A resident of Council District 2
c. A resident of Council District 3
d. A resident of Council District 4
e. A technology professional with expertise in emerging technologies and systems
(this perspective should be represented by three members of the board)
f. A professional financial auditor or Certified Public Accountant (CPA)
g. An attorney, legal scholar, or recognized academic with expertise in privacy
and/or civil rights
h. A member of an organization that focuses on government transparency or
individual privacy
i. A representative from an equity-based organization or a member of the Human
Relations Commission.
j. A former member of the Technology and Privacy Advisory Task Force (only
applies to the first year of appointments)
Chief Privacy Officer
5. The City should hire a full-time Chief Privacy Officer responsible for carrying out a
broad range of duties related to privacy.
a. Until a full-time Chief Privacy Officer can be budgeted and hired, the duties of
the Chief Privacy Officer should be carried out by the Chief Information Security
Officer.
b. The Chief Privacy Officer should report to the City Manager to ensure they are
accountable to City Council and the voters of Chula Vista.
i. A minority of task force members believes the Chief Privacy Officer
should report to the City Attorney to ensure they are accountable to the
voters of Chula Vista.
c. The Chief Privacy Officer’s responsibilities include, but are not limited to:
i. Provide regular training sessions and guidance to City staff on privacy
issues.
ii. Serve as the primary City staff liaison to the Privacy Advisory Board,
including:
1. Managing agendas and coordinating meetings
2. Managing the selection process for Privacy Advisory Board
members
3. Assisting in the preparation and presentation of technology Use
Policies for Board review
iii. Performing internal audits and ensuring compliance with data retention
standards and use policies, and coordinating with external privacy auditors
when applicable
iv. Evaluating new technology acquisitions for potential privacy issues
Use Policies
6. The City should create written Use Policies that govern the use of each privacy-impacting
technology and the data generated by those technologies.
a. Each policy should clearly state the purpose of the technology, who will be
allowed to access the technology, how the technology can be used, what kind of
data the technology generates, how that data can be used, how that data is
protected, and the retention period for that data.
7. Use Policies should be drafted by the applicable department in consultation with the
Chief Privacy Officer, then reviewed by the Privacy Advisory Board.
a. Departments will use a template created by the Chief Privacy Officer.
8. Use Policies should be reviewed annually and updated if necessary. Use policies should
also be reviewed and updated any time there is a significant change in the function or
purpose of the technology.
9. Due to the large number of use policies that may need to be created or updated, the Chief
Privacy Officer and Privacy Advisory Board will perform an analysis that prioritizes
current and future technologies based on the impact and risks to individual privacy.
Based on the results of this analysis, use policies will be reviewed for the highest-ranked
technologies first.
a. Facial recognition technology, other biometric systems, surveillance systems, and
systems that use machine learning algorithms should be a top priority for Board
review.
Data Retention and Data Sharing
10. The City should never sell the data it collects nor allow third parties working on behalf of
the City to sell or use data owned by the City except as necessary to provide the
contracted service to the City.
11. Internal data-sharing between City Departments should be subject to a review process
that includes approval by the City Manager and periodic review by the Chief Privacy
Officer and Privacy Advisory Board.
a. The purpose of this policy recommendation is to ensure there is a clear
understanding of how data is being used and shared between departments, and to
prevent situations where there is uncertainty around how data is being used, such
as in the case of the informal data-sharing that occurred between Engineering and
the Police Department regarding traffic signal camera feeds.
12. External data-sharing between the City and third parties must be approved through a
formal, auditable process that includes the Chief Privacy Officer and Privacy Advisory
Board.
a. The purpose of this policy recommendation is to prevent situations like the
sharing of ALPR data with law enforcement agencies that should not have had
access to it.
b. The review should ensure that personal information is not being shared and that
the data has been repackaged and de-identified to minimize the possibility of
privacy violations.
13. The City Records Retention Schedule should be re-organized and expanded to include
information on what personal data is collected and when that data will be deleted.
a. As part of these updates, the Records Retention schedule should be presented in a
format that provides a category for data type in addition to the existing categories.
b. The Chief Privacy Officer should collaborate with the City Clerk to lead this
process.
14. The City should establish a more formal process for ensuring that personal data is being
deleted according to the Use Policies established for that data.
15. The City should establish a policy that it will not collect personal data unless it is
absolutely necessary to provide the core service.
a. The Chula Vista Public Library’s approach to personal data is a model that should
be followed citywide. Personal data is only collected and retained for the period
necessary to provide the service. For example, the library keeps a record of an
item checked out by an individual borrower only until that item is returned, at
which point data related to that transaction is deleted.
b. To ensure compliance with this policy, the Chief Privacy Officer should randomly
sample Departments or data sets to review on a periodic basis.
16. Where possible, the City should anonymize, remove, or de-identify data that relates to a
person.
a. It must be understood and acknowledged that anonymization strategies will not
completely protect individuals from having their identities reverse-engineered
from otherwise anonymized datasets, but these strategies are still valuable in
mitigating risks to individual privacy.
17. The role of the City’s Data Governance Committee should be more clearly defined and
communicated to the public.
a. The City should ensure that the work of the Data Governance Committee is
consistent with the City’s adopted privacy policies and with the role or
recommendations of the Privacy Advisory Board.
Transparency and Oversight
18. City staff should provide the public with full disclosures about what technologies have
been acquired, what data is being collected, and how that data is being used.
a. These disclosures should happen in a variety of ways, including on the City’s
website, through email newsletters, social media, and in printed communications
mailed to residents.
b. These disclosures should address what data is being collected, what department is
collecting it, how it is being used, who has access to it, how long it is retained,
etc.
c. Where feasible, signs should be posted to notify and disclose surveillance
technology. For example, if surveillance cameras are added to parks, signs should
be posted notifying visitors that they are under video surveillance.
d. The City should hold public forums, educational seminars, and other types of
community events to ensure the public is informed and has an opportunity to hold
the City accountable for how privacy-impacting technologies are being used.
e. All public disclosures related to technology, data, and privacy should be provided
with adequate time for public review before any meeting. The 72-hour standard is
not sufficient for the public to review and consider new information, especially
when that time period coincides with weekends and holidays.
19. Information about privacy and technology that is provided on the City website should be
easy to find and easy to understand.
a. Links to disclosures should be provided on each Department’s page within the
City website.
b. The City’s “smart city” webpages should have their own navigational tab or
section on the City website, rather than being contained under the Business /
Economic Development section.
20. Contracts with technology vendors should be easy for the public to find and review.
a. This should include information about the status of existing contracts, including
upcoming renewal or termination dates.
21. Data breaches should be publicly disclosed as soon as possible.
a. Notification should happen within 24 hours of the data breach being confirmed.
b. Notification should occur through a wide range of communications channels,
including social media, news media, and the City website.
22. Residents should have the opportunity to opt-out or have their data deleted if it was
provided voluntarily to the City and is not needed for City operations.
a. It is understood that individuals will not be able to opt-out of certain types of data
collection, such as a drone responding to 9-1-1 calls, or medical data being
retained following an emergency medical service call.
Procurement
23. All contracts with privacy implications must be presented to the City Council, regardless
of whether they meet standard purchasing and contracting thresholds that typically trigger
City Council review.
24. Prior to City Council presentation, contracts with privacy implications must be reviewed
by the Chief Privacy Officer and the Privacy Advisory Board. The evaluation provided
by the Chief Privacy Officer and the Privacy Advisory Board must be included as part of
the report presented to City Council.
25. When acquiring new technology systems, the Chief Information Security Officer and
Chief Privacy Officer should prepare an assessment of the technology’s potential impact
on the City’s information security and detail any mitigation strategies. This assessment
should be provided to the Privacy Advisory Board and the City Council at the same time
as any other documents provided for review, such as the contract for the technology (Item
24) and the technology's proposed Use Policy (Item 7).
26. The City may not enter into any agreement that prohibits the City from publicly
acknowledging that it has acquired or is using a particular technology. Nondisclosure
agreements are acceptable only to the extent that they protect a vendor’s proprietary
information without prohibiting the City’s acknowledgement of a relationship with the
vendor.
27. Contracts should include a clause of convenience that allows the City to terminate the
agreement in the event the vendor violates any restriction on the sale or sharing of data or
otherwise violates individual privacy protections.
28. Technology contracts should require that vendors provide the City with the capability to
audit or review who has accessed what information.
a. These access reports should be provided at pre-designated intervals to City staff
or third-party auditors.
29. City staff should be provided with additional training to assist in recognizing potential
data privacy issues in contracts.
a. Key staff to receive additional training includes the Chief Privacy Officer, Chief
Information Security Officer, City Attorney staff, and purchasing and contracting
staff.
30. Changes in the ownership of a privacy-impacting technology that has already been
reviewed by the Privacy Advisory Board should trigger a new review by the Privacy
Advisory Board.
Information Security
31. Establish a comprehensive information security policy that addresses procedures for
maintaining and controlling access to data and articulates the roles and responsibilities of
data stewards and data custodians.
a. An outline of such a policy has been developed by the Information Security
subcommittee of this Task Force and will be submitted as part of this
recommendation.
b. The policy should make clear that only City-owned mobile equipment using two-
factor authentication should be allowed to connect to the City’s primary network.
Any personal devices connecting to the City’s network must use restricted “guest”
access.
c. The policy should provide for audits of all City-owned equipment to protect
against unauthorized storage of regulated data.
d. The policy should require data security breaches to be reviewed and addressed by
an established panel that includes the Director of Information Technology
Services, the Chief Information Security Officer, the Chief of Police, the City
Attorney, and the Chief Privacy Officer.
e. The policy should require that data is stored and transmitted in encrypted formats
whenever possible and prohibit the communication of confidential data through
end-user messaging technologies such as email, instant messaging, chat, or other
communication methods.
f. The policy should specifically address mobile computing devices, including
recovery of data in the event a mobile computing device is lost or stolen.
Additional Comments
The Task Force has received multiple public comments regarding the methodology used to
conduct the public opinion survey and focus groups. The Task Force encourages City staff and
City Councilmembers to consider the potential for bias in the results of the public opinion
research, particularly as described in the letter from Dr. Norah Shultz of San Diego State
University, which was provided as part of the August 15 Task Force meeting agenda.
Appendix A: Definitions
DRAFT – August 25, 2022
1. “Annual Surveillance Report” means a written report concerning a specific surveillance
technology that includes all the following:
a. A description of how the surveillance technology was used, including the type and
quantity of data gathered or analyzed by the technology;
b. Whether and how often data acquired through the use of the surveillance technology
was shared with internal or external entities, the name of any recipient entity, the type(s)
of data disclosed, under what legal standard(s) the information was disclosed, and the
justification for the disclosure(s) except that no confidential or sensitive information
should be disclosed that would violate any applicable law or would undermine the
legitimate security interests of the City;
c. Where applicable, a description of the physical objects to which the surveillance
technology hardware was installed without revealing the specific location of such
hardware; for surveillance technology software, a breakdown of what data sources the
surveillance technology was applied to;
d. Where applicable, a description of where the surveillance technology was deployed
geographically, by each Police Area in the relevant year;
e. A summary of community complaints or concerns about the surveillance technology,
and an analysis of its Surveillance Use Policy and whether it is adequate in protecting
civil rights and civil liberties. The analysis shall consider whether, and to what extent, the
use of the surveillance technology disproportionately impacts certain groups or
individuals;
f. The results of any internal audits or investigations relating to surveillance technology,
any information about violations or potential violations of the Surveillance Use Policy,
and any actions taken in response. To the extent that the public release of such
information is prohibited by law, City staff shall provide a confidential report to the City
Council regarding this information to the extent allowed by law;
g. Information about any data breaches or other unauthorized access to the data collected
by the surveillance technology, including information about the scope of the breach and
the actions taken in response, except that no confidential or sensitive information should
be disclosed that would violate any applicable law or would undermine the legitimate
security interests of the City;
h. A general description of all methodologies used to detect incidents of data breaches or
unauthorized access, except that no confidential or sensitive information should be
disclosed that would violate any applicable law or would undermine the legitimate
security interests of the City;
I. Information, including crime statistics, that helps the community assess whether the
surveillance technology has been effective at achieving its identified purposes;
i. Statistics and information about Public Records Act requests regarding the relevant
subject surveillance technology, including response rates, such as the number of Public
Records Act requests on such surveillance technology and the open and close date for
each of these Public Records Act requests;
j. Total annual costs for the surveillance technology, including personnel and other
ongoing costs, and what source of funding will fund the surveillance technology in the
coming year; and
k. Any requested modifications to the Surveillance Use Policy and a detailed basis for the
request.
2. “City” means any department, unit, program, and/or subordinate division of the City of Chula
Vista as provided by Chapter XXXX of the Chula Vista Municipal Code.
3. “City staff” means City personnel authorized by the City Manager or appropriate City
department head to seek City Council Approval of Surveillance Technology in conformance with
this Chapter.
4. “Community meeting” means a publicly held meeting that is accessible, noticed at least
seventy-two hours in advance in at least two languages, for the purpose of educating
communities, answering questions, and learning about potential impacts of surveillance
technology on disadvantaged groups.
5. “Continuing agreement” means a written agreement that automatically renews unless
terminated by one or more parties.
6. “Exigent circumstances” means a City department’s good faith belief that an emergency
involving imminent danger of death or serious physical injury to any individual requires the use
of surveillance technology that has not received prior approval by City Council.
7. “Facial recognition technology” means an automated or semi-automated process that assists in
identifying or verifying an individual based on an individual’s face.
8. “Individual” means a natural person.
9. “Personal communication device” means a mobile telephone, a personal digital assistant, a
wireless capable tablet and a similar wireless two-way communications and/or portable internet-
accessing device, whether procured or subsidized by a City entity or personally owned, that is
used in the regular course of City business.
10. “Police area” refers to each of the geographic districts assigned to a Chula Vista Police
Department captain or commander and as such districts are amended from time to time.
11. “Sensitive personal information” will reflect the California Privacy Rights Act (CPRA)
definition of personal information which defines the term to include:
(1) personal information that reveals:
(A) a consumer’s social security, driver’s license, state identification card, or
passport number;
(B) a consumer’s account log-in, financial account, debit card, or credit card
number in combination with any required security or access code, password, or
credentials allowing access to an account;
(C) a consumer’s precise geolocation;
(D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or
union membership;
(E) the contents of a consumer’s mail, email and text messages, unless the
business is the intended recipient of the communication;
(F) a consumer’s genetic data; and
(2) (A) the processing of biometric information for the purpose of uniquely
identifying a consumer;
(B) personal information collected and analyzed concerning a consumer’s health;
or
(C) personal information collected and analyzed concerning a consumer’s sex life
or sexual orientation.
12. “Surveillance” (or “spying”) means to observe or analyze the movements, behavior, data, or
actions of individuals. Individuals include those whose identity can be revealed by data or
combinations of data, such as license plate data, images, IP addresses, user identifications,
unique digital identifiers, or data traces left by the individual.
13. “Surveillance technology” means any software (e.g., scripts, code, Application Programming
Interfaces), electronic device, or system utilizing an electronic device used, designed, or
primarily intended to observe, collect, retain, analyze, process, or share audio, electronic, visual,
location, thermal, olfactory, biometric, or similar information specifically associated with, or
capable of being associated with, any individual or group. It also includes the product (e.g.,
audiovisual recording, data, analysis, report) of such surveillance technology. Examples of
surveillance technology include, but are not limited to the following: cell site simulators
(Stingrays); automated license plate readers; gunshot detectors (ShotSpotter); drone-mounted
data collection; facial recognition software; thermal imaging systems; body-worn cameras; social
media analytics software; gait analysis software; video cameras that can record audio or video
and transmit or be remotely accessed. It also includes software designed to monitor social media
services or forecast and/or predict criminal activity or criminality, and biometric identification
hardware or software. “Surveillance technology” does not include devices, software, or
hardware, unless they have been equipped with, or are modified to become or include, a
surveillance technology beyond what is set forth below or used beyond a purpose as set forth
below:
a. Routine office hardware, such as televisions, computers, credit card machines, badge
readers, copy machines, and printers, that is in widespread use and will not be used for
any public surveillance or law enforcement functions related to the public;
b. Parking Ticket Devices (PTDs) used solely for parking enforcement-related purposes,
including any sensors embedded in parking sensors to detect the presence of a car in the
space;
c. Manually-operated, non-wearable, handheld digital cameras, audio recorders, and
video recorders that are not designed to be used surreptitiously and whose functionality is
limited to manually-capturing and manually-downloading video and/or audio recordings;
d. Surveillance devices that cannot record or transmit audio or video or be remotely
accessed, such as image stabilizing binoculars or night vision goggles;
e. Manually-operated technological devices used primarily for internal municipal entity
communications and are not designed to surreptitiously collect surveillance data, such as
radios and email systems;
f. City databases that do not contain any data or other information collected, captured,
recorded, retained, processed, intercepted, or analyzed by surveillance technology,
including payroll, accounting, or other fiscal databases;
g. Medical equipment used to diagnose, treat, or prevent disease or injury, provided that
any information obtained from this equipment is used solely for medical purposes;
h. Police department interview room cameras;
i. City department case management systems;
j. Personal Communication Devices that have not been modified beyond stock
manufacturer capabilities in a manner described above;
k. Surveillance technology used by the City solely to monitor and conduct internal
investigations involving City employees, contractors, and volunteers; and,
l. Systems, software, databases, and data sources used for revenue collection on behalf of
the City by the City Treasurer, provided that no information from these sources is shared
by the City Treasurer with any other City department or third-party except as part of
efforts to collect revenue that is owed to the City.
14. “Surveillance Impact Report” means a publicly-posted written report including, at a
minimum, the following:
a. Description: Information describing the surveillance technology and how it works,
including product descriptions from manufacturers;
b. Purpose: Information on the proposed purpose(s) for the surveillance technology;
c. Location: The physical or virtual location(s) it may be deployed, using general
descriptive terms, and crime statistics for any location(s);
d. Impact: An assessment of the Surveillance Use Policy for the particular technology and
whether it is adequate in protecting civil rights and liberties and whether the surveillance
technology was used or deployed, intentionally or inadvertently, in a manner that may
disproportionately affect marginalized communities;
e. Mitigations: Identify specific, affirmative technical and procedural measures that will
be implemented to safeguard the public from each identified impact;
f. Data Types and Sources: A list of all types and sources of data to be collected,
analyzed, or processed by the surveillance technology, including open source data,
scores, reports, logic or algorithm used, and any additional information derived
therefrom;
g. Data Security: Information about the controls that will be designed and implemented to
ensure that adequate security objectives are achieved to safeguard the data collected or
generated by the surveillance technology from unauthorized access or disclosure;
h. Fiscal Costs and Sources: The forecasted, prior, and ongoing fiscal costs for the
surveillance technology, including initial purchase, personnel, and other ongoing costs,
and any past, current or potential sources of funding;
i. Third-Party Dependence: Whether use or maintenance of the surveillance technology
will require data gathered by the surveillance technology to be handled or stored by a
third-party vendor at any time;
j. Alternatives: A summary of all alternative methods (whether involving the use of a new
technology or not) considered before deciding to use the proposed surveillance
technology, including the costs and benefits associated with each alternative and an
explanation of the reasons why each alternative is inadequate;
k. Track Record: A summary of the experience (if any) other entities, especially
government entities, have had with the proposed technology, including, if available,
quantitative information about the effectiveness of the proposed
surveillance technology in achieving its stated purpose in other jurisdictions, and any
known adverse information about the surveillance technology such as unanticipated
costs, failures, or civil rights and civil liberties abuses, existing publicly reported
controversies, and any court rulings in favor or in opposition to the surveillance; and
l. Public engagement and comments: A description of any community engagement held
and any future community engagement plans, number of attendees, a compilation of all
comments received and City departmental responses given, and City departmental
conclusions about potential neighborhood impacts and how such impacts may differ as it
pertains to different segments of the community that may result from the acquisition of
surveillance technology.
15. "Surveillance Use Policy" means a publicly-released and legally-enforceable policy for use
of the surveillance technology that at a minimum specifies the following:
a. Purpose: The specific purpose(s) that the surveillance technology is intended to
advance;
b. Use: The specific uses that are authorized, and the rules and processes required prior to
such use;
c. Data Collection: The information that can be collected, captured, recorded, intercepted,
or retained by the surveillance technology, as well as data that might be inadvertently
collected during the authorized uses of the surveillance technology and what measures
will be taken to minimize and delete such data. Where applicable, any data sources the
surveillance technology will rely upon, including open source data, should be listed;
d. Data Access: The job classification of individuals who can access or use the collected
information, and the rules and processes required prior to access or use of the
information;
e. Data Protection: The safeguards that protect information from unauthorized access,
including logging, encryption, and access control mechanisms;
f. Data Retention: The time period, if any, for which information collected by the
surveillance technology will be routinely retained, the reason such retention period is
appropriate to further the purpose(s), the process by which the information is regularly
deleted after that period lapses, and the specific conditions that must be met to retain
information beyond that period;
g. Public Access: A description of how collected information can be accessed or used by
members of the public, including criminal defendants;
h. Third Party Data Sharing: If and how information obtained from the
surveillance technology can be used or accessed, including any required justification or
legal standard necessary to do so and any obligations imposed on the recipient of the
information;
i. Training: The training required for any individual authorized to use the surveillance
technology or to access information collected by the surveillance technology;
j. Auditing and Oversight: The procedures used to ensure that the Surveillance Use Policy
is followed, including internal personnel assigned to ensure compliance with the policy,
internal recordkeeping of the use of the surveillance technology or access to information
collected by the surveillance technology, technical measures to monitor for misuse, any
independent person or entity with oversight authority, and the legally enforceable
sanctions for violations of the policy; and
k. Maintenance: The procedures used to ensure that the security and integrity of the
surveillance technology and collected information will be maintained.
Information Security Subcommittee Report
August 15, 2022
Members: Charles Walker and Carlos De La Toba
Recommended City Information Security Policies
PURPOSE: To provide guidelines with regard to the responsibility of every City of Chula Vista (City) employee
who accesses Data and information in electronic formats and to provide for the security of that Data and to
restrict unauthorized access to such information.
POLICY: Electronic Data are important City assets that must be protected by appropriate safeguards and
managed with respect to Data stewardship. This policy defines the required Electronic Data management
environment and classifications of Data, and assigns responsibility for ensuring Data and information privacy
and security at each level of access and control.
SCOPE AND APPLICABILITY: This policy applies to all City personnel and affiliated users with access to City
Data.
DEFINITIONS:
Affiliated Users: Vendors and guests who have a relationship to the City and need access to City systems.
Application or App: A software program run on a computer or mobile device for the purpose of providing a
business/academic/social function.
Cloud: An on-demand availability, geographically dispersed infrastructure of computer system resources,
especially data storage (cloud storage) and computing power, without direct active management by the end
user. Clouds may be limited to a single organization (Private Cloud), or be available to many organizations
(Public Cloud). Cloud-computing providers offer their “services” according to three standard models:
Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
Confidential Data: Data that are specifically restricted from open disclosure to the public by law are classified
as Confidential Data. Confidential Data requires a high level of protection against unauthorized disclosure,
modification, transmission, destruction, and use. Confidential Data include, but are not limited to:
• Medical Data, such as Electronic Protected Health Information and Data protected by the Health
Insurance Portability and Accountability Act (HIPAA);
• Investigation. Only investigation data and information within the following broad categories is to be
considered Confidential Data:
o Active Investigations;
o Activity that is covered by a fully executed non-disclosure agreement (NDA);
o Information, data, etc., that is proprietary or confidential (whether it belongs to an internal
investigator or an outside collaborator), regardless of whether it is subject to an NDA;
o Information or data that is required to be deemed confidential by state or federal law (e.g.,
personally identifying information about research subjects, HIPAA or FERPA protected
information, etc.); and
o Information related to an allegation or investigation into misconduct.
• Information access security, such as login passwords, Personal Identification Numbers (PINS), logs with
personally identifiable Data, digitized signatures, and encryption keys;
• Primary account numbers, cardholder Data, credit card numbers, payment card information, banking
information, employer or taxpayer identification number, demand deposit account number, savings
account number, financial transaction device account number, account password, stock or other
security certificate or account number (such as Data protected by the Payment Card Industry Data
Security Standard);
• Personnel file, including Social Security Numbers;
• Library records;
• Driver’s license numbers, state personal identification card numbers, Social Security Numbers,
employee identification numbers, government passport numbers, and other personal information that
is protected from disclosure by state and federal identity theft laws and regulations.
Data Classifications: All Electronic Data covered by this policy are assigned one of three classifications:
• Confidential
• Operation Critical
• Unrestricted
Data Custodian: Persons or departments providing operational support for an information system and having
responsibility for implementing the Data Maintenance and Control Method defined by the Data Steward.
Data Maintenance and Control Method: The process defined and approved by the Data Steward to handle
the following tasks:
• Definition of access controls with assigned access, privilege enablement, and documented
management approval, based on job functions and requirements.
• Identification of valid Data sources
• Acceptable methods for receiving Data from identified sources
• Process for the verification of received Data
• Rules, standards and guidelines for the entry of new Data, change of existing Data or deletion of Data
• Rules, standards and guidelines for controlled access to Data
• Process for Data integrity verification
• Acceptable methods for distributing, releasing, sharing, storing or transferring Data
• Acceptable Data locations
• Providing for the security of Confidential Data and Operation Critical Data
• Assuring sound methods for handling, processing, security and disaster recovery of Data
• Assuring that Data are gathered, processed, shared and stored in accordance with the City privacy
statement (to be written).
Data Steward: The persons responsible for City functions and who determine Data Maintenance and Control
Methods are Data Stewards.
Electronic Data/Data: Distinct pieces of information, intentionally or unintentionally provided to the City in a
variety of administrative, academic and business processes. This policy covers all Data stored on any
electronic media, and within any computer systems defined as a City information technology resource.
Mobile Computing Devices: Information technology resources of such devices include, but are not limited to,
laptops, tablets, cell phones, smart phones, and other portable devices.
Operation Critical Data: Data determined to be critical and essential to the successful operation of the City as
a whole, and whose loss or corruption would cause a severe detrimental impact to continued operations.
Data receiving this classification require a high level of protection against accidental distribution, exposure or
destruction, and must be covered by high quality disaster recovery and business continuity measures. Data in
this category include Data stored on Enterprise Systems such as Data passed through networked
communications systems. Such Data may be released or shared under defined, specific procedures for
disclosure, such as departmental guidelines, documented procedures or policies.
City Provided Data Systems: Information technology resources, as defined and described by the City and used
for the storage, maintenance and processing of City Data.
Unrestricted Data: Information that may be released or shared as needed.
Usage/Data Use: Usage and Data Use are used interchangeably and are defined as gathering, viewing,
storing, sharing, transferring, distributing, modifying, printing and otherwise acting to provide a Data
maintenance environment.
PROCEDURES:
1. Data Stewardship
Data Stewards are expected to create, communicate and enforce Data Maintenance and Control Methods.
Data Stewards are also expected to have knowledge of functions in their areas and the Data and information
used in support of those functions. The Chief Information Officer (CIO) is ultimately accountable for the Data
management and stewardship of all the City data. The CIO may appoint others in their respective areas of
responsibility.
2. Data Maintenance and Control Method
Data Stewards will develop and maintain Data Maintenance and Control Methods for their assigned systems.
When authorizing and assigning access controls defined in the Data Maintenance and Control Methods
involving Confidential Data and Operation Critical Data, Data Stewards will restrict user privileges to the least
access necessary to perform job functions based on job role and responsibility.
If the system is a City Provided Data System, City Technology Services will provide, upon request, guidance and
services for the tasks identified in the Data Maintenance and Control Method.
If the system is provided by a Public Cloud, the Data Steward must still verify that the Data Maintenance and
Control Method used by the Public Cloud provider meets current City technology standards (to be written)?.
Further, ongoing provisions for meeting current City technology and security standards (to be written)? must
be included in the service contract.
Review of Public Cloud solutions must include City Technology Services and City Attorney prior to final solution
selection and purchase.
Use of personal equipment to conduct City business must comply with all guidance provided by City policies
(to be written)?.
3. Data Custodianship
Data Custodians will use Data in compliance with the established Data Maintenance and Control Method.
Failure to process or handle Data in compliance with the established method for a system will be considered a
violation of the City policies.
4. Data Usage
In all cases, Data provided to the City will be used in accordance with the Privacy Statement (to be written).
Software solutions, including SaaS solutions, are selected to manage Data and are procured, purchased and
installed in conjunction with City (to be written).
Data will be released in accordance with City (to be written). Requests for information from external agencies
(such as Freedom of Information Act requests, subpoenas, law enforcement agency requests, or any other
request for Data from an external source) must be directed to the City Attorney and processed in accordance
with existing policies.
Standards for secure file transmissions, or Data exchanges, must be evaluated by the CIO when a system other
than a City Provided Data System is selected or when a Public Cloud is utilized. Specific contract language may
be required. The City Attorney must be consulted regarding such language.
Unencrypted authorization and Data transmission are not acceptable.
Communication of Confidential Data via end-user messaging technologies (i.e., email, instant messaging, chat
or other communication methods) is prohibited.
5. Storing Data
Data cannot be stored on a system other than a City Provided Data System without the advance permission of
the Data Steward and demonstrated legitimate need.
Data should be stored in encrypted formats whenever possible. Confidential Data must be stored in
encrypted formats. Encryption strategies should be reviewed with City Technology Services in advance to
avoid accidental Data lockouts.
Data cannot be stored on a City-provided Computing Device unless the device is encrypted without the
advance permission of the Data Steward and demonstrated legitimate need.
Data must be stored on devices and at locations approved by Data Stewards. If information technology
resources (computers, printers and other items) are stored at an off-campus location, the location must be
approved by Data Stewards prior to using such resources to store City Data.
Technology enables the storage of Data on fax machines, copiers, cell phones, point-of-sale devices and other
electronic equipment. Data Stewards are responsible for discovery of stored Data and removal of the Data
prior to release of the equipment.
When approving Mobile Computing Device Usage, Data Stewards must verify that those using Mobile
Computing Devices can provide information about what Data was stored on the device (such as a copy of the
last backup) in the event the device is lost or stolen.
In all cases, Data storage must comply with City retention policies. Data Usage in a Public Cloud system must
have specific retention standards (to be written)? written in the service contract. The City Attorney must be
consulted regarding such language.
Provisions for the return of all City Data in the event of contract termination must be included in the contract,
when Data is stored on a Public Cloud. The City Attorney must be consulted regarding such language. Current
security standards (to be written)? (such as controlled access, personal firewalls, antivirus, fully updated and
patched operating systems, etc.) will be evaluated when a system other than a City Provided Data System is
selected and must be covered in contract language. The City Attorney must be consulted regarding such
language.
Data stored on Mobile Computing Devices must be protected by current security standard methods (such as
controlled access, firewalls, antivirus, fully updated and patched operating systems, etc.).
City standard procedures (to be written) for the protection and safeguarding of Confidential Data and
Operation Critical Data must be applied equally and without exception to City Provided Data Systems, Mobile
Computing Devices and systems other than City Provided Data Systems, such as Public Cloud solution.
6. Systems and network Data
Systems and network Data, generated through systems or network administration, logs or other system
recording activities, cannot be used, or captured, gathered, analyzed or disseminated, without the advance
permission of the Chief Information Officer.
7. Value of Data
In all cases where Data are to be processed through a Public Cloud, the following assessment must be done:
The value of the Data must be determined in some tangible way.
Signature approval from the Data Steward’s division vice president or appropriate party with the ability to
authorize activity at the level of the value of the Data must be obtained.
8. Sanctions
Failure to follow the guidelines contained in this document will be considered inappropriate use of a City
information technology resource and therefore a violation of the City policy (to be written).
9. Data Security Breach Review Panel
A Data Security Breach Review Panel (Panel) comprised of the following members will be established:
o Chief Information Officer
o Chief of Police
o City Attorney
o Chief Privacy Officer
10. Data Loss Prevention Software
Define granular access rights for removable devices and peripheral ports and establish policies for users,
computers and groups, maintaining productivity while enforcing device security.
11. Audits
All City-owned equipment is subject to audit for unauthorized storage of regulated data. Devices authorized to
store regulated data are subject to audits as deemed necessary by the CIO. Reasonable prior notification of an
audit will be provided. Audit results are handled confidentially by Information Security staff and are reported
to the CIO in aggregate.
12. Mobile Devices
City-owned mobile equipment will be exclusively allowed on the City’s primary network and use two-factor
authentication. All personal devices must use “guest” access if provided.
Jeremy Ogul
From:Eric Wood <ewood@outlook.com>
Sent:Sunday, August 28, 2022 10:03 PM
To:privacytaskforce@chulavistaca.gov
Subject:Feedback on DRAFT Policy Recommendations
Hello,
My name is Eric Wood and I am a resident of Chula Vista. In the past, I was the Police Technology Manager
and Smart Technology Officer for the City of Chula Vista. I currently have no official or formal relationship or role with
the city aside from being a resident and former employee. I have spent over 20 years as a technology consultant, much
of that was under the employment of Microsoft. I have also worked in the public sector driving technology innovation,
security and compliance. I hold CISSP and CCSP credentials for information system security. I’m currently employed by
a private sector firm which helps law enforcement gain insights from their existing data systems; which are often
separated in vendor, departmental or technology silos. I’m accustomed to dealing with very sensitive data sets and
security compliance that must meet FBI standards (CJIS) and NIST:800-53.
I have attended several of the task force meetings at the Council Chambers and the public engagement event at the
Otay Ranch Library.
With that background, let me offer you some of my feedback after reviewing the DRAFT Policy Recommendations that
the task force has published for comment.
General Feedback:
As a whole, I believe that the task force is misguided with their approach in several aspects. It is my opinion that the
purpose of the task force was to propose policies or practices for the purpose of establishing safe and reasonable
protections against the misuse or abuse of Personally Identifiable Information within the city. However, what I notice in
the discussions at meetings and within the proposed policies and practices is a much more controlling or gating role in
city operations born from a foundation of mistrust. I will provide some specific examples to support this observation.
This DRAFT policy recommendations document reads as if this was a Surveillance Task Force. There are 68 occurrences
of the word ‘Surveillance’ in the document. Please consider the impression that your language will leave on the public
and be leveraged by the media to create negative connotations that are unwarranted in my opinion. The focus should
be on data privacy protections…yes surveillance systems are an element of privacy protections but the systems this task
force is aware of and have described as surveillance systems include the Police Drones and LPR cameras, neither of
which collect identifiable information…you would have to take information from those and have access and cause to
search another system in order to make any identification….and that’s not identifying the occupants…just the registered
owner. My ask here is for the task force to rebalance the language used with the purpose and real risk that exists today
to privacy. An ongoing PAB would keep those in check down the road…but I believe this heavy lean on the use of
surveillance is not warranted and does not serve the city or the citizens. It’s unnecessarily alarming and if you outline
these to the average citizen, as has been done for each of you, they would agree that it’s been overblown.
Specific Points of Feedback:
Section 1.A.II through 1.A.IV – The language used here implies (based on other language and open discussion at the task
force meetings) that the Policy Advisory Board (will review Use Policies, Data Sharing Agreements and new technology-
related contracts) in a gating function…meaning if the outcome of the review is not satisfactory then some delay or
denial will occur as a result. In reality, Use Policies, Data Sharing Agreements and Contracts are all discoverable and
there’s no need to include this within the recommendations unless the intent is for the PAB to act as a gating
function. The PAB should absolutely review those and provide any recommended changes to the city manager’s office
and the CISO. The PAB will not have the requisite background and training in Federal, State and Local laws on
contracting, interagency collaboration, mutual-aid and jurisdiction. I recommend clarifying that these types of
documents may be reviewed along with other established (not proposed, planned or work-in-progress) policies,
practices and contracts, just as any member of the public is able to.
Section 5 – I strongly disagree with the recommendation for a Chief Privacy Officer. Managing and being accountable
for data privacy is included in the discipline and profession of a Chief Information Security Officer. Data is both an asset
and a liability. If PII data is not adequately protected against misuse, abuse, manipulation, denial of access or unwanted
disclosure then this is an Information Security problem. How many other cities that are comparable to Chula Vista do
you see with a Chief Privacy Officer? This would be an anomaly and it’s poorly envisioned in my opinion. I would not be
surprised if this recommendation was not supported by the City Manager. If what you are concerned about is that there
is clear accountability and job focus, then a more preferred approach in my opinion would be to recommend that the
CISO must personally report progress/challenges regarding Data Privacy to the City Attorney and Risk Management
Officer and in order to conduct the desired level of internal audits, investigations of practices not aligned with policy,
then an analyst position should be created to perform the discovery, monitoring and reporting of data privacy related
activities, developments, areas of non-compliance to the CISO. The CISO must be capable of managing the city’s
cybersecurity posture and strike a balance between usability for city functions and security and compliance for risk
management. The CISO should have direct oversight of external audits or vendors which may periodically augment the
data privacy or cyber security functions.
Section 11 – Internal data sharing between city departments should be encouraged. This is actually a core competency
that underpins smart-cities and more effective/efficient government services. The Data owner is ultimately the
department head that is deciding the if, who, what, where, when, how and why they would share their departments
data with another city department. Are there concerns about oversharing or how the information will be utilized by the
other city department, absolutely. But I guarantee that those city department heads and their senior managers will
work through those details. I know this because I was involved in the example used by the task force. The ‘informal
sharing agreement’ between Traffic Engineering and the Police Department. I directly led this effort from the PD by
requesting access from Traffic Engineering. The Distinguished Traffic Engineer went directly to the department head to
seek authorization. We outlined use cases, permissions, authorized personnel, etc. This was handled in email, phone
calls and face-to-face meetings. To what degree of formality does the task force desire department heads to work
together to save the taxpayer money while also improving service delivery? The video management system that
enabled this sharing was under the control of the Data Owner and the permissions and audit logs assured that only the
agreed upon people and permissions were utilized. This is another area where the Task Force is over-stepping what is
being asked….describe the safe-guards you would like to see, don’t inject a review process and a board that bogs down
good public service leaders making responsible decisions. Please focus on transparency and trust…let periodic audits by
the CISO verify that the safety measures are having the desired effect.
Section 12 – External data sharing between the city and third parties must be approved through a formal, auditable
process that includes the PAB? Data is shared with 3rd party agencies and entities on a regular basis and cannot be gated
by the PAB who doesn’t meet often enough or have a working understanding of the nature of the data sharing. The
Police Department shares data with investigators from other agencies in the region and with the District Attorney’s
office. Traffic engineering collect non-identifiable data on traffic flow and patterns based on cell phones passing by
various points on surface streets and that data can be shared with 3rd parties to help inform commuters where there is
congestion so that they can choose an alternate/faster route. This section of your recommendations needs significant
revision in my opinion and frankly, I would focus on requiring that the data owners document the current practices
sharing of Identifiable data to 3rd parties, rather than submitting all data sharing to 3rd parties for review. I would also
like to add some insight to the example the task force used in section 12 with regard to the sharing of LPR data with law
enforcement agencies that should not have had access to it. I suspect the task force is not aware that this was a result
of a software user interface design flaw which I, as the Police Technology Manager at the time, had reported to the
vendor. The vendor said it was not a bug and it was by design. If so, it was a design to trick people into clicking a ‘Yes’
button about data sharing broadly right after a typical prompt appears during user login where clicking ‘Yes’ is necessary
to continue into the platform. The look and feel between the two dialogs was nearly identical yet the impact of clicking
the second ‘Yes’ button was dramatically different than the first. We had no leverage to force the vendor to change the
behavior and it was inevitable that a user would Click ‘Yes’ twice in order to get into the platform to do their job. There
was no alert email to indicate that this sharing was enabled. It was a horrible design but it is not a reason to throw
shame on the city and employ some level of oversight that wouldn’t have prevented the sharing or detected it for
perhaps months. Allowing the city to have legal language in the contract to terminate at our convenience if the vendor
is putting our data privacy/sharing policies in jeopardy would have resolved this. I defer to the City attorney’s office for
the best way to proceed.
Section 22 – In general, I agree with this section as it’s also already supported by California Privacy laws and is therefore
redundant and unnecessary to include in your recommendations. This section should be more about tracking and
reporting on compliance with existing applicable laws and statutes and less about trying to implement what you
believed to be new technical controls. I also wanted to take a moment to highlight that last sentence of 22.a which
should include LPR data as a type of data collection that a person cannot reasonably opt-out of. And for the same
reason, why signage of ‘surveillance cameras in use’ should not be posted as it gives an improper expectation that if they
are nowhere near one of those signs, they are not subject to LPR cameras which would generate plate reads that are
available to the city (which I believe is the intent based on conversation at a public meeting of the task
force). Commercial vehicles such as tow trucks, garbage trucks and HOA owned LPR cameras are everywhere and
moving constantly. That’s technically where most of the license plate reads come from that all law enforcement
agencies utilize to investigate crimes that have occurred. A reasonable control to request for LPR systems is that
whenever a search of LPR data is done by authorized personnel, the reason for the search must include a CAD incident
number or a crime case number. This would make audits of the approved use of LPR data much more usable in terms of
finding abuses/misuses.
I am happy to take calls and meetings to respond to any of my comments here. But I also know that each of you are also
very busy and so I understand that I will likely hear nothing in response. I do empathize with each of you. You have
volunteered to do a job that you only discover the challenges in doing it well once you’re already in the midst of it. I
know that you all have great intentions but I do encourage you to take a trust but verify approach rather than mistrust
and review approach. The city has done nothing to deserve that posture.
Best Regards,
Eric Wood
ewood@outlook.com
Jeremy Ogul
From:David Stucky <david.stucky@sbcglobal.net>
Sent:Saturday, August 27, 2022 12:58 PM
To:privacytaskforce@chulavistaca.gov
Subject:Task Force Recommendations
Attachments:Summary of Policy Recommendations with comments.pdf
Attached is the task force document with comments and observations. Please feel free to
contact me for any needed explanations or clarifications.
David Stucky
619-972-3721
david.stucky@sbcglobal.net
Comments summary on <Public Comment - Stucky - 2022-08-29.pdf>
Created on 8/29/2022 at 17:25:3 Page 1
Notes
Chula Vista Technology and Privacy Advisory Task Force
Summary of Policy Recommendations
DRAFT VERSION – August 25, 2022
Note: To facilitate discussion and review, the policy recommendations are numbered in this
document. There is no particular order or significance to the numbering scheme or the section
headings in this draft.
Privacy Advisory Board
1. The City should establish a Privacy Advisory Board responsible for carrying out a broad
range of advisory duties.
a. The Board’s duties are described throughout this document, including:
i. Holding regular meetings that are open to the public, including
opportunities for public comment in English and other languages.
ii. Reviewing Use Policies for privacy-impacting technologies and making
recommendations on changes.
iii. Reviewing data sharing agreements.
iv. Reviewing new technology-related contracts.
2. The Privacy Advisory Board should have nine members, at least two-thirds of whom are
Chula Vista residents.
a. Chula Vista residents should comprise a super-majority of Board members
because residents experience the impacts of City decisions on privacy and
technology to a much greater degree than non-residents do.
b. The purpose of allowing non-residents to serve on the Board is to recognize that
non-residents also experience the impacts of City decisions on privacy and
technology, especially if they work, own a business, or attend school in Chula
Vista. Additionally, non-residents may have valuable expertise or perspectives
that should be included on the Board.
c. There is no requirement to include non-residents on the Board.
3. Privacy Advisory Board members will be selected through a combination of City staff
review, community review, and City Council review.
a. Members of the Board should be selected through a process that includes review
and vetting by both City staff and by community leaders, similar to the process
used to appoint members of the Technology and Privacy Advisory Task Force.
b. All members of the Board must be approved by a majority vote of the City
Council pursuant to the City Charter.
c. The purpose of involving community leaders in the selection process for some
members is to ensure that Board membership is not exclusively determined by
City staff or elected officials.
4. Selections to the Board should reflect the City’s diversity in terms of race, gender, and
age.
Notes
1. Dave, 08/27/2022 12:14:58: This should be the only criterion for including non-residents
2. Dave, 08/27/2022 12:16:10: Define community leader.
All Board members shall be persons who have an interest in privacy rights as
demonstrated by work experience, civic participation, and/or political advocacy.
No member may be an elected official.
No member may have a financial interest, employment, or policy-making position in any
commercial or for-profit facility, research center, or other organization that sells
surveillance equipment or profits from decisions made by the Board.
Each of the following perspectives should be represented by at least one member of the
Board:
a. A resident of Council District 1
b. A resident of Council District 2
c. A resident of Council District 3
d. A resident of Council District 4
e. A technology professional with expertise in emerging technologies and systems
(this perspective should be represented by three members of the board)
f. A professional financial auditor or Certified Public Accountant (CPA)
g. An attorney, legal scholar, or recognized academic with expertise in privacy
and/or civil rights
h. A member of an organization that focuses on government transparency or
individual privacy
i. A representative from an equity-based organization or a member of the Human
Relations Commission.
j. A former member of the Technology and Privacy Advisory Task Force (only
applies to the first year of appointments)
Chief Privacy Officer
5. The City should hire a full-time Chief Privacy Officer responsible for carrying out a
broad range of duties related to privacy.
a. Until a full-time Chief Privacy Officer can be budgeted and hired, the duties of
the Chief Privacy Officer should be carried out by the Chief Information Security
Officer.
b. The Chief Privacy Officer should report to the City Manager to ensure they are
accountable to City Council and the voters of Chula Vista.
i. A minority of task force members believes the Chief Privacy Officer
should report to the City Attorney to ensure they are accountable to the
voters of Chula Vista.
c. The Chief Privacy Officer’s responsibilities include, but are not limited to:
i. Provide regular training sessions and guidance to City staff on privacy
issues.
ii. Serve as the primary City staff liaison to the Privacy Advisory Board,
including:
1. Managing agendas and coordinating meetings
Notes
1. Dave, 08/27/2022 12:20:04: Don't forget the need for an appropriate level of support staff.
2. Dave, 08/27/2022 12:13:14: In a representative democracy, the City Council are the
representatives of the voters.
2. Managing the selection process for Privacy Advisory Board
members
3. Assisting in the preparation and presentation of technology Use
Policies for Board review
iii. Performing internal audits and ensuring compliance with data retention
standards and use policies, and coordinating with external privacy auditors
when applicable
iv. Evaluating new technology acquisitions for potential privacy issues
Use Policies
6. The City should create written Use Policies that govern the use of each privacy-impacting
technology and the data generated by those technologies.
a. Each policy should clearly state the purpose of the technology, who will be
allowed to access the technology, how the technology can be used, what kind of
data the technology generates, how that data can be used, how that data is
protected, and the retention period for that data.
7. Use Policies should be drafted by the applicable department in consultation with the
Chief Privacy Officer, then reviewed by the Privacy Advisory Board.
a. Departments will use a template created by the Chief Privacy Officer.
8. Use Policies should be reviewed annually and updated if necessary. Use policies should
also be reviewed and updated any time there is a significant change in the function or
purpose of the technology.
9. Due to the large number of use policies that may need to be created or updated, the Chief
Privacy Officer and Privacy Advisory Board will perform an analysis that prioritizes
current and future technologies based on the impact and risks to individual privacy.
Based on the results of this analysis, use policies will be reviewed for the highest-ranked
technologies first.
a. Facial recognition technology, other biometric systems, surveillance systems, and
systems that use machine learning algorithms should be a top priority for Board
review.
Data Retention and Data Sharing
10. The City should never sell the data it collects nor allow third parties working on behalf of
the City to sell or use data owned by the City except as necessary to provide the
contracted service to the City.
11. Internal data-sharing between City Departments should be subject to a review process
that includes approval by the City Manager and periodic review by the Chief Privacy
Officer and Privacy Advisory Board.
a. The purpose of this policy recommendation is to ensure there is a clear
understanding of how data is being used and shared between departments, and to
prevent situations where there is uncertainty around how data is being used, such
as in the case of the informal data-sharing that occurred between Engineering and
the Police Department regarding traffic signal camera feeds.
12. External data-sharing between the City and third parties must be approved through a
formal, auditable process that includes the Chief Privacy Officer and Privacy Advisory
Board.
a. The purpose of this policy recommendation is to prevent situations like the
sharing of ALPR data with law enforcement agencies that should not have had
access to it.
b. The review should ensure that personal information is not being shared and that
the data has been repackaged and de-identified to minimize the possibility of
privacy violations.
13. The City Records Retention Schedule should be re-organized and expanded to include
information on what personal data is collected and when that data will be deleted.
a. As part of these updates, the Records Retention schedule should be presented in a
format that provides a category for data type in addition to the existing categories.
b. The Chief Privacy Officer should collaborate with the City Clerk to lead this
process.
14. The City should establish a more formal process for ensuring that personal data is being
deleted according to the Use Policies established for that data.
15. The City should establish a policy that it will not collect personal data unless it is
absolutely necessary to provide the core service.
a. The Chula Vista Public Library’s approach to personal data is a model that should
be followed citywide. Personal data is only collected and retained for the period
necessary to provide the service. For example, the library keeps a record of an
item checked out by an individual borrower only until that item is returned, at
which point data related to that transaction is deleted.
b. To ensure compliance with this policy, the Chief Privacy Officer should randomly
sample Departments or data sets to review on a periodic basis.
16. Where possible, the City should anonymize, remove, or de-identify data that relates to a
person.
a. It must be understood and acknowledged that anonymization strategies will not
completely protect individuals from having their identities reverse-engineered
from otherwise anonymized datasets, but these strategies are still valuable in
mitigating risks to individual privacy.
17. The role of the City’s Data Governance Committee should be more clearly defined and
communicated to the public.
a. The City should ensure that the work of the Data Governance Committee is
consistent with the City’s adopted privacy policies and with the role or
recommendations of the Privacy Advisory Board.
Transparency and Oversight
18. City staff should provide the public with full disclosures about what technologies have
been acquired, what data is being collected, and how that data is being used.
a. These disclosures should happen in a variety of ways, including on the City’s
website, through email newsletters, social media, and in printed communications
mailed to residents.
b. These disclosures should address what data is being collected, what department is
collecting it, how it is being used, who has access to it, how long it is retained,
etc.
c. Where feasible, signs should be posted to notify and disclose surveillance
technology. For example, if surveillance cameras are added to parks, signs should
be posted notifying visitors that they are under video surveillance.
d. The City should hold public forums, educational seminars, and other types of
community events to ensure the public is informed and has an opportunity to hold
the City accountable for how privacy-impacting technologies are being used.
e. All public disclosures related to technology, data, and privacy should be provided
with adequate time for public review before any meeting. The 72-hour standard is
not sufficient for the public to review and consider new information, especially
when that time period coincides with weekends and holidays.
19. Information about privacy and technology that is provided on the City website should be
easy to find and easy to understand.
a. Links to disclosures should be provided on each Department’s page within the
City website.
b. The City’s “smart city” webpages should have their own navigational tab or
section on the City website, rather than being contained under the Business /
Economic Development section.
20. Contracts with technology vendors should be easy for the public to find and review.
a. This should include information about the status of existing contracts, including
upcoming renewal or termination dates.
21. Data breaches should be publicly disclosed as soon as possible.
a. Notification should happen within 24 hours of the data breach being confirmed.
b. Notification should occur through a wide range of communications channels,
including social media, news media, and the City website.
22. Residents should have the opportunity to opt-out or have their data deleted if it was
provided voluntarily to the City and is not needed for City operations.
a. It is understood that individuals will not be able to opt-out of certain types of data
collection, such as a drone responding to 9-1-1 calls, or medical data being
retained following an emergency medical service call.
Notes
1. Dave, 08/27/2022 12:30:38: Contracts with technology vendors should be subject to the same
disclosure standards as those of any other vendor contracts.
2. Dave, 08/27/2022 12:33:34: "Voluntarily" provided data implies the option to decline to
provide in the first place. And if it is not needed for City operations, it probably should not
have been collected in the first place.
Procurement
23. All contracts with privacy implications must be presented to the City Council, regardless
of whether they meet standard purchasing and contracting thresholds that typically trigger
City Council review.
24. Prior to City Council presentation, contracts with privacy implications must be reviewed
by the Chief Privacy Officer and the Privacy Advisory Board. The evaluation provided
by the Chief Privacy Officer and the Privacy Advisory Board must be included as part of
the report presented to City Council.
25. When acquiring new technology systems, the Chief Information Security Officer and
Chief Privacy Officer should prepare an assessment of the technology’s potential impact
on the City’s information security and detail any mitigation strategies. This assessment
should be provided to the Privacy Advisory Board and the City Council at the same time
as any other documents provided for review, such as the contract for the technology (Item
24) and the technology's proposed Use Policy (Item 7).
26. The City may not enter into any agreement that prohibits the City from publicly
acknowledging that it has acquired or is using a particular technology. Nondisclosure
agreements are acceptable only to the extent that they protect a vendor’s proprietary
information without prohibiting the City’s acknowledgement of a relationship with the
vendor.
27. Contracts should include a clause of convenience that allows the City to terminate the
agreement in the event the vendor violates any restriction on the sale or sharing of data or
otherwise violates individual privacy protections.
28. Technology contracts should require that vendors provide the City with the capability to
audit or review who has accessed what information.
a. These access reports should be provided at pre-designated intervals to City staff
or third-party auditors.
29. City staff should be provided with additional training to assist in recognizing potential
data privacy issues in contracts.
a. Key staff to receive additional training includes the Chief Privacy Officer, Chief
Information Security Officer, City Attorney staff, and purchasing and contracting
staff.
30. Changes in the ownership of a privacy-impacting technology that has already been
reviewed by the Privacy Advisory Board should trigger a new review by the Privacy
Advisory Board.
Notes
1. Dave, 08/27/2022 12:36:17: "Privacy implications" is too broad a term. The standard needs to
be more narrowly defined.
2. Dave, 08/27/2022 12:38:59: It is not inconceivable that an agreement with, for example, a
federal agency could reasonably prohibit public disclosure.
3. Dave, 08/27/2022 12:40:15: Virtually all municipal contracts should already include the right
to terminate for convenience.
Information Security
31. Establish a comprehensive information security policy that addresses procedures for
maintaining and controlling access to data and articulates the roles and responsibilities of
data stewards and data custodians.
a. An outline of such a policy has been developed by the Information Security
subcommittee of this Task Force and will be submitted as part of this
recommendation.
b. The policy should make clear that only City-owned mobile equipment using two-
factor authentication should be allowed to connect to the City’s primary network.
Any personal devices connecting to the City’s network must use restricted “guest”
access.
c. The policy should provide for audits of all City-owned equipment to protect
against unauthorized storage of regulated data.
d. The policy should require data security breaches to be reviewed and addressed by
an established panel that includes the Director of Information Technology
Services, the Chief Information Security Officer, the Chief of Police, the City
Attorney, and the Chief Privacy Officer.
e. The policy should require that data is stored and transmitted in encrypted formats
whenever possible and prohibit the communication of confidential data through
end-user messaging technologies such as email, instant messaging, chat, or other
communication methods.
f. The policy should specifically address mobile computing devices, including
recovery of data in the event a mobile computing device is lost or stolen.
Additional Comments
The Task Force has received multiple public comments regarding the methodology used to
conduct the public opinion survey and focus groups. The Task Force encourages City staff and
City Councilmembers to consider the potential for bias in the results of the public opinion
research, particularly as described in the letter from Dr. Norah Shultz of San Diego State
University, which was provided as part of the August 15 Task Force meeting agenda.
Appendix A: Definitions
DRAFT – August 25, 2022
1. “Annual Surveillance Report” means a written report concerning a specific surveillance
technology that includes all the following:
a. A description of how the surveillance technology was used, including the type and
quantity of data gathered or analyzed by the technology;
b. Whether and how often data acquired through the use of the surveillance technology
was shared with internal or external entities, the name of any recipient entity, the type(s)
of data disclosed, under what legal standard(s) the information was disclosed, and the
justification for the disclosure(s) except that no confidential or sensitive information
should be disclosed that would violate any applicable law or would undermine the
legitimate security interests of the City;
c. Where applicable, a description of the physical objects to which the surveillance
technology hardware was installed without revealing the specific location of such
hardware; for surveillance technology software, a breakdown of what data sources the
surveillance technology was applied to;
d. Where applicable, a description of where the surveillance technology was deployed
geographically, by each Police Area in the relevant year;
e. A summary of community complaints or concerns about the surveillance technology,
and an analysis of its Surveillance Use Policy and whether it is adequate in protecting
civil rights and civil liberties. The analysis shall consider whether, and to what extent, the
use of the surveillance technology disproportionately impacts certain groups or
individuals;
f. The results of any internal audits or investigations relating to surveillance technology,
any information about violations or potential violations of the Surveillance Use Policy,
and any actions taken in response. To the extent that the public release of such
information is prohibited by law, City staff shall provide a confidential report to the City
Council regarding this information to the extent allowed by law;
g. Information about any data breaches or other unauthorized access to the data collected
by the surveillance technology, including information about the scope of the breach and
the actions taken in response, except that no confidential or sensitive information should
be disclosed that would violate any applicable law or would undermine the legitimate
security interests of the City;
h. A general description of all methodologies used to detect incidents of data breaches or
unauthorized access, except that no confidential or sensitive information should be
disclosed that would violate any applicable law or would undermine the legitimate
security interests of the City;
Notes
1. Dave, 08/27/2022 12:52:45: Nowhere in this report is surveillance mentioned until now. Where
does this come from and how does this fit into the overall scheme of the report? Who is
responsible for the creation of this "Annual Surveillance Report" and to whom is it presented?
I. Information, including crime statistics, that helps the community assess whether the
surveillance technology has been effective at achieving its identified purposes;
i. Statistics and information about Public Records Act requests regarding the relevant
subject surveillance technology, including response rates, such as the number of Public
Records Act requests on such surveillance technology and the open and close date for
each of these Public Records Act requests;
j. Total annual costs for the surveillance technology, including personnel and other
ongoing costs, and what source of funding will fund the surveillance technology in the
coming year; and
k. Any requested modifications to the Surveillance Use Policy and a detailed basis for the
request.
2. “City” means any department, unit, program, and/or subordinate division of the City of Chula
Vista as provided by Chapter XXXX of the Chula Vista Municipal Code.
3. “City staff” means City personnel authorized by the City Manager or appropriate City
department head to seek City Council Approval of Surveillance Technology in conformance with
this Chapter.
4. “Community meeting” means a publicly held meeting that is accessible, noticed at least
seventy-two hours in advance in at least two languages, for the purpose of educating
communities, answering questions, and learning about potential impacts of surveillance
technology on disadvantaged groups.
5. “Continuing agreement” means a written agreement that automatically renews unless
terminated by one or more parties.
6. “Exigent circumstances” means a City department’s good faith belief that an emergency
involving imminent danger of death or serious physical injury to any individual requires the use
of surveillance technology that has not received prior approval by City Council.
7. “Facial recognition technology” means an automated or semi-automated process that assists in
identifying or verifying an individual based on an individual’s face.
8. “Individual” means a natural person.
9. “Personal communication device” means a mobile telephone, a personal digital assistant, a
wireless capable tablet and a similar wireless two-way communications and/or portable internet-
accessing device, whether procured or subsidized by a City entity or personally owned, that is
used in the regular course of City business.
10. “Police area” refers to each of the geographic districts assigned to a Chula Vista Police
Department captain or commander and as such districts are amended from time to time.
11. “Sensitive personal information” will reflect the California Privacy Rights Act (CPRA)
definition of personal information which defines the term to include:
(1) personal information that reveals:
(A) a consumer’s social security, driver’s license, state identification card, or
passport number;
(B) a consumer’s account log-in, financial account, debit card, or credit card
number in combination with any required security or access code, password, or
credentials allowing access to an account;
(C) a consumer’s precise geolocation;
(D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or
union membership;
(E) the contents of a consumer’s mail, email and text messages, unless the
business is the intended recipient of the communication;
(F) a consumer’s genetic data; and
(2) (A) the processing of biometric information for the purpose of uniquely
identifying a consumer;
(B) personal information collected and analyzed concerning a consumer’s health;
or
(C) personal information collected and analyzed concerning a consumer’s sex life
or sexual orientation.
12. “Surveillance” (or “spying”) means to observe or analyze the movements, behavior, data, or
actions of individuals. Individuals include those whose identity can be revealed by data or
combinations of data, such as license plate data, images, IP addresses, user identifications,
unique digital identifiers, or data traces left by the individual.
13. “Surveillance technology” means any software (e.g., scripts, code, Application Programming
Interfaces), electronic device, or system utilizing an electronic device used, designed, or
primarily intended to observe, collect, retain, analyze, process, or share audio, electronic, visual,
location, thermal, olfactory, biometric, or similar information specifically associated with, or
capable of being associated with, any individual or group. It also includes the product (e.g.,
audiovisual recording, data, analysis, report) of such surveillance technology. Examples of
surveillance technology include, but are not limited to the following: cell site simulators
(Stingrays); automated license plate readers; gunshot detectors (ShotSpotter); drone-mounted
data collection; facial recognition software; thermal imaging systems; body-worn cameras; social
media analytics software; gait analysis software; video cameras that can record audio or video
and transmit or be remotely accessed. It also includes software designed to monitor social media
services or forecast and/or predict criminal activity or criminality, and biometric identification
hardware or software. “Surveillance technology” does not include devices, software, or
hardware, unless they have been equipped with, or are modified to become or include, a
surveillance technology beyond what is set forth below or used beyond a purpose as set forth
below:
a. Routine office hardware, such as televisions, computers, credit card machines, badge
readers, copy machines, and printers, that is in widespread use and will not be used for
any public surveillance or law enforcement functions related to the public;
b. Parking Ticket Devices (PTDs) used solely for parking enforcement-related purposes,
including any sensors embedded in parking sensors to detect the presence of a car in the
space;
c. Manually-operated, non-wearable, handheld digital cameras, audio recorders, and
video recorders that are not designed to be used surreptitiously and whose functionality is
limited to manually-capturing and manually-downloading video and/or audio recordings;
d. Surveillance devices that cannot record or transmit audio or video or be remotely
accessed, such as image stabilizing binoculars or night vision goggles;
e. Manually-operated technological devices used primarily for internal municipal entity
communications and are not designed to surreptitiously collect surveillance data, such as
radios and email systems;
f. City databases that do not contain any data or other information collected, captured,
recorded, retained, processed, intercepted, or analyzed by surveillance technology,
including payroll, accounting, or other fiscal databases;
g. Medical equipment used to diagnose, treat, or prevent disease or injury, provided that
any information obtained from this equipment is used solely for medical purposes;
h. Police department interview room cameras;
i. City department case management systems;
j. Personal Communication Devices that have not been modified beyond stock
manufacturer capabilities in a manner described above;
k. Surveillance technology used by the City solely to monitor and conduct internal
investigations involving City employees, contractors, and volunteers; and,
l. Systems, software, databases, and data sources used for revenue collection on behalf of
the City by the City Treasurer, provided that no information from these sources is shared
by the City Treasurer with any other City department or third-party except as part of
efforts to collect revenue that is owed to the City.
14. “Surveillance Impact Report” means a publicly-posted written report including, at a
minimum, the following:
a. Description: Information describing the surveillance technology and how it works,
including product descriptions from manufacturers;
b. Purpose: Information on the proposed purpose(s) for the surveillance technology;
c. Location: The physical or virtual location(s) it may be deployed, using general
descriptive terms, and crime statistics for any location(s);
d. Impact: An assessment of the Surveillance Use Policy for the particular technology and
whether it is adequate in protecting civil rights and liberties and whether the surveillance
technology was used or deployed, intentionally or inadvertently, in a manner that may
disproportionately affect marginalized communities;
e. Mitigations: Identify specific, affirmative technical and procedural measures that will
be implemented to safeguard the public from each identified impact;
f. Data Types and Sources: A list of all types and sources of data to be collected,
analyzed, or processed by the surveillance technology, including open source data,
scores, reports, logic or algorithm used, and any additional information derived
therefrom;
g. Data Security: Information about the controls that will be designed and implemented to
ensure that adequate security objectives are achieved to safeguard the data collected or
generated by the surveillance technology from unauthorized access or disclosure;
h. Fiscal Costs and Sources: The forecasted, prior, and ongoing fiscal costs for the
surveillance technology, including initial purchase, personnel, and other ongoing costs,
and any past, current or potential sources of funding;
i. Third-Party Dependence: Whether use or maintenance of the surveillance technology
will require data gathered by the surveillance technology to be handled or stored by a
third-party vendor at any time;
j. Alternatives: A summary of all alternative methods (whether involving the use of a new
technology or not) considered before deciding to use the proposed surveillance
technology, including the costs and benefits associated with each alternative and an
explanation of the reasons why each alternative is inadequate;
k. Track Record: A summary of the experience (if any) other entities, especially
government entities, have had with the proposed technology, including, if available,
quantitative information about the effectiveness of the proposed
surveillance technology in achieving its stated purpose in other jurisdictions, and any
known adverse information about the surveillance technology such as unanticipated
costs, failures, or civil rights and civil liberties abuses, existing publicly reported
controversies, and any court rulings in favor or in opposition to the surveillance; and
l. Public engagement and comments: A description of any community engagement held
and any future community engagement plans, number of attendees, a compilation of all
comments received and City departmental responses given, and City departmental
conclusions about potential neighborhood impacts and how such impacts may differ as it
pertains to different segments of the community that may result from the acquisition of
surveillance technology.
15. "Surveillance Use Policy" means a publicly-released and legally-enforceable policy for use
of the surveillance technology that at a minimum specifies the following:
a. Purpose: The specific purpose(s) that the surveillance technology is intended to
advance;
b. Use: The specific uses that are authorized, and the rules and processes required prior to
such use;
c. Data Collection: The information that can be collected, captured, recorded, intercepted,
or retained by the surveillance technology, as well as data that might be inadvertently
collected during the authorized uses of the surveillance technology and what measures
will be taken to minimize and delete such data. Where applicable, any data sources the
surveillance technology will rely upon, including open source data, should be listed;
d. Data Access: The job classification of individuals who can access or use the collected
information, and the rules and processes required prior to access or use of the
information;
e. Data Protection: The safeguards that protect information from unauthorized access,
including logging, encryption, and access control mechanisms;
f. Data Retention: The time period, if any, for which information collected by the
surveillance technology will be routinely retained, the reason such retention period is
appropriate to further the purpose(s), the process by which the information is regularly
deleted after that period lapses, and the specific conditions that must be met to retain
information beyond that period;
g. Public Access: A description of how collected information can be accessed or used by
members of the public, including criminal defendants;
h. Third Party Data Sharing: If and how information obtained from the
surveillance technology can be used or accessed, including any required justification or
legal standard necessary to do so and any obligations imposed on the recipient of the
information;
i. Training: The training required for any individual authorized to use the surveillance
technology or to access information collected by the surveillance technology;
j. Auditing and Oversight: The procedures used to ensure that the Surveillance Use Policy
is followed, including internal personnel assigned to ensure compliance with the policy,
internal recordkeeping of the use of the surveillance technology or access to information
collected by the surveillance technology, technical measures to monitor for misuse, any
independent person or entity with oversight authority, and the legally enforceable
sanctions for violations of the policy; and
k. Maintenance: The procedures used to ensure that the security and integrity of the
surveillance technology and collected information will be maintained.
Information Security Subcommittee Report
August 15, 2022
Members: Charles Walker and Carlos De La Toba
Recommended City Information Security Policies
PURPOSE: To provide guidelines with regard to the responsibility of every City of Chula Vista (City) employee
who accesses Data and information in electronic formats and to provide for the security of that Data and to
restrict unauthorized access to such information.
POLICY: Electronic Data are important City assets that must be protected by appropriate safeguards and
managed with respect to Data stewardship. This policy defines the required Electronic Data management
environment and classifications of Data, and assigns responsibility for ensuring Data and information privacy
and security at each level of access and control.
SCOPE AND APPLICABILITY: This policy applies to all City personnel and affiliated users with access to City
Data.
DEFINITIONS:
Affiliated Users: Vendors and guests who have a relationship to the City and need access to City systems.
Application or App: A software program run on a computer or mobile device for the purpose of providing a
business/academic/social function.
Cloud: An on-demand availability, geographically dispersed infrastructure of computer system resources,
especially data storage (cloud storage) and computing power, without direct active management by the end
user. Clouds may be limited to a single organization (Private Cloud), or be available to many organizations
(Public Cloud). Cloud-computing providers offer their “services” according to three standard models:
Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
Confidential Data: Data that are specifically restricted from open disclosure to the public by law are classified
as Confidential Data. Confidential Data requires a high level of protection against unauthorized disclosure,
modification, transmission, destruction, and use. Confidential Data include, but are not limited to:
• Medical Data, such as Electronic Protected Health Information and Data protected by the Health
Insurance Portability and Accountability Act (HIPAA);
• Investigation. Only investigation data and information within the following broad categories is to be
considered Confidential Data:
o Active Investigations;
o Activity that is covered by a fully executed non-disclosure agreement (NDA);
o Information, data, etc., that is proprietary or confidential (whether it belongs to an internal
investigator or an outside collaborator), regardless of whether it is subject to an NDA;
o Information or data that is required to be deemed confidential by state or federal law (e.g.,
personally identifying information about research subjects, HIPAA or FERPA protected
information, etc.); and
o Information related to an allegation or investigation into misconduct.
• Information access security, such as login passwords, Personal Identification Numbers (PINS), logs with
personally identifiable Data, digitized signatures, and encryption keys;
• Primary account numbers, cardholder Data, credit card numbers, payment card information, banking
information, employer or taxpayer identification number, demand deposit account number, savings
account number, financial transaction device account number, account password, stock or other
security certificate or account number (such as Data protected by the Payment Card Industry Data
Security Standard);
• Personnel file, including Social Security Numbers;
• Library records;
• Driver’s license numbers, state personal identification card numbers, Social Security Numbers,
employee identification numbers, government passport numbers, and other personal information that
is protected from disclosure by state and federal identity theft laws and regulations.
Data Classifications: All Electronic Data covered by this policy are assigned one of three classifications:
• Confidential
• Operation Critical
• Unrestricted
Data Custodian: Persons or departments providing operational support for an information system and having
responsibility for implementing the Data Maintenance and Control Method defined by the Data Steward.
Data Maintenance and Control Method: The process defined and approved by the Data Steward to handle
the following tasks:
• Definition of access controls with assigned access, privilege enablement, and documented
management approval, based on job functions and requirements.
• Identification of valid Data sources
• Acceptable methods for receiving Data from identified sources
• Process for the verification of received Data
• Rules, standards and guidelines for the entry of new Data, change of existing Data or deletion of Data
• Rules, standards and guidelines for controlled access to Data
• Process for Data integrity verification
• Acceptable methods for distributing, releasing, sharing, storing or transferring Data
• Acceptable Data locations
• Providing for the security of Confidential Data and Operation Critical Data
• Assuring sound methods for handling, processing, security and disaster recovery of Data
• Assuring that Data are gathered, processed, shared and stored in accordance with the City privacy
statement (to be written).
Data Steward: The persons responsible for City functions and who determine Data Maintenance and Control
Methods are Data Stewards.
Electronic Data/Data: Distinct pieces of information, intentionally or unintentionally provided to the City in a
variety of administrative, academic and business processes. This policy covers all Data stored on any
electronic media, and within any computer systems defined as a City information technology resource.
Mobile Computing Devices: Information technology resources of such devices include, but are not limited to,
laptops, tablets, cell phones, smart phones, and other portable devices.
Operation Critical Data: Data determined to be critical and essential to the successful operation of the City as
a whole, and whose loss or corruption would cause a severe detrimental impact to continued operations.
Data receiving this classification require a high level of protection against accidental distribution, exposure or
destruction, and must be covered by high quality disaster recovery and business continuity measures. Data in
this category include Data stored on Enterprise Systems such as Data passed through networked
communications systems. Such Data may be released or shared under defined, specific procedures for
disclosure, such as departmental guidelines, documented procedures or policies.
City Provided Data Systems: Information technology resources, as defined and described by the City and used
for the storage, maintenance and processing of City Data.
Unrestricted Data: Information that may be released or shared as needed.
Usage/Data Use: Usage and Data Use are used interchangeably and are defined as gathering, viewing,
storing, sharing, transferring, distributing, modifying, printing and otherwise acting to provide a Data
maintenance environment.
PROCEDURES:
1. Data Stewardship
Data Stewards are expected to create, communicate and enforce Data Maintenance and Control Methods.
Data Stewards are also expected to have knowledge of functions in their areas and the Data and information
used in support of those functions. The Chief Information Officer (CIO) is ultimately accountable for the Data
management and stewardship of all the City data. The CIO may appoint others in their respective areas of
responsibility.
2. Data Maintenance and Control Method
Data Stewards will develop and maintain Data Maintenance and Control Methods for their assigned systems.
When authorizing and assigning access controls defined in the Data Maintenance and Control Methods
involving Confidential Data and Operation Critical Data, Data Stewards will restrict user privileges to the least
access necessary to perform job functions based on job role and responsibility.
If the system is a City Provided Data System, City Technology Services will provide, upon request, guidance and
services for the tasks identified in the Data Maintenance and Control Method.
If the system is provided by a Public Cloud, the Data Steward must still verify that the Data Maintenance and
Control Method used by the Public Cloud provider meets current City technology standards (to be written)?.
Further, ongoing provisions for meeting current City technology and security standards (to be written)? must
be included in the service contract.
Review of Public Cloud solutions must include City Technology Services and City Attorney prior to final solution
selection and purchase.
Use of personal equipment to conduct City business must comply with all guidance provided by City policies
(to be written)?.
3. Data Custodianship
Data Custodians will use Data in compliance with the established Data Maintenance and Control Method.
Failure to process or handle Data in compliance with the established method for a system will be considered a
violation of the City policies.
4. Data Usage
In all cases, Data provided to the City will be used in accordance with the Privacy Statement (to be written).
Software solutions, including SaaS solutions, are selected to manage Data and are procured, purchased and
installed in conjunction with City (to be written).
Data will be released in accordance with City (to be written). Requests for information from external agencies
(such as Freedom of Information Act requests, subpoenas, law enforcement agency requests, or any other
request for Data from an external source) must be directed to the City Attorney and processed in accordance
with existing policies.
Standards for secure file transmissions, or Data exchanges, must be evaluated by the CIO when a system other
than a City Provided Data System is selected or when a Public Cloud is utilized. Specific contract language may
be required. The City Attorney must be consulted regarding such language.
Unencrypted authorization and Data transmission are not acceptable.
Communication of Confidential Data via end-user messaging technologies (i.e., email, instant messaging, chat
or other communication methods) is prohibited.
5. Storing Data
Data cannot be stored on a system other than a City Provided Data System without the advance permission of
the Data Steward and demonstrated legitimate need.
Data should be stored in encrypted formats whenever possible. Confidential Data must be stored in
encrypted formats. Encryption strategies should be reviewed with City Technology Services in advance to
avoid accidental Data lockouts.
Data cannot be stored on a City-provided Computing Device unless the device is encrypted without the
advance permission of the Data Steward and demonstrated legitimate need.
Data must be stored on devices and at locations approved by Data Stewards. If information technology
resources (computers, printers and other items) are stored at an off-campus location, the location must be
approved by Data Stewards prior to using such resources to store City Data.
Technology enables the storage of Data on fax machines, copiers, cell phones, point-of-sale devices and other
electronic equipment. Data Stewards are responsible for discovery of stored Data and removal of the Data
prior to release of the equipment.
When approving Mobile Computing Device Usage, Data Stewards must verify that those using Mobile
Computing Devices can provide information about what Data was stored on the device (such as a copy of the
last backup) in the event the device is lost or stolen.
In all cases, Data storage must comply with City retention policies. Data Usage in a Public Cloud system must
have specific retention standards (to be written)? written in the service contract. The City Attorney must be
consulted regarding such language.
Provisions for the return of all City Data in the event of contract termination must be included in the contract,
when Data is stored on a Public Cloud. The City Attorney must be consulted regarding such language. Current
security standards (to be written)? (such as controlled access, personal firewalls, antivirus, fully updated and
patched operating systems, etc.) will be evaluated when a system other than a City Provided Data System is
selected and must be covered in contract language. The City Attorney must be consulted regarding such
language.
Data stored on Mobile Computing Devices must be protected by current security standard methods (such as
controlled access, firewalls, antivirus, fully updated and patched operating systems, etc.).
City standard procedures (to be written) for the protection and safeguarding of Confidential Data and
Operation Critical Data must be applied equally and without exception to City Provided Data Systems, Mobile
Computing Devices and systems other than City Provided Data Systems, such as Public Cloud solution.
6. Systems and network Data
Systems and network Data, generated through systems or network administration, logs or other system
recording activities, cannot be used, or captured, gathered, analyzed or disseminated, without the advance
permission of the Chief Information Officer.
7. Value of Data
In all cases where Data are to be processed through a Public Cloud, the following assessment must be done:
The value of the Data must be determined in some tangible way.
Signature approval from the Data Steward’s division vice president or appropriate party with the ability to
authorize activity at the level of the value of the Data must be obtained.
8. Sanctions
Failure to follow the guidelines contained in this document will be considered inappropriate use of a City
information technology resource and therefore a violation of the City policy (to be written).
9. Data Security Breach Review Panel
A Data Security Breach Review Panel (Panel) comprised of the following members will be established:
o Chief Information Officer
o Chief of Police
o City Attorney
o Chief Privacy Officer
10. Data Loss Prevention Software
Define granular access rights for removable devices and peripheral ports and establish policies for users,
computers and groups, maintaining productivity while enforcing device security.
11. Audits
All City owned equipment is subject to audit for unauthorized storage of regulated data. Devices authorized to
store regulated data are subject to audits as deemed necessary by the CIO. Reasonable prior notification of an
audit will be provided. Audit results are handled confidentially by Information Security staff and are reported
to the CIO in aggregate.
12. Mobile Devices
City owned mobile equipment will be exclusively allowed on the City’s primary network and use two factor
authentication. All personal devices must use “guest” access if provided.
Jeremy Ogul
From: John Richeson < >
Sent: Saturday, August 27, 2022 12:13 PM
To: Adrianna Hernandez
Cc: Privacy Task Force
Subject: Re: Share your thoughts on privacy guidelines for the City of Chula Vista
The foundational recommendation that "The City should create written Use Policies that govern the use of
each privacy-impacting technology and the data generated by those technologies" is so general and vague
(with should meaning compliance is voluntary) as to be meaningless.
The duties of the Chief Privacy Officer should be:
1. Prepare and maintain an inventory of data systems within the City that collect, retain, and/or exchange citizen
information with outside entities including, but not limited to: the DMV, County Assessor, State and Federal
Government agencies, SDG&E, Republic Services, Community Power, telecommunication providers, credit
agencies, law enforcement, and the courts.
2. Periodically assess, or have to be assessed, the justification for collecting, retaining and/or sharing of citizen
information, and the vulnerabilities of departmental data systems to the release of citizen information without
their consent to third parties.
3. Require data system owners and administrators to develop and enforce citizen data security using the latest
available encryption and network protection technologies, together with administrative procedures to minimize
human error.
4. Annually report to the City Council on the status of data systems within the City.
Respectfully,
John Richeson
"If it is worth doing, it is worth doing right"
On 08/25/2022 5:34 PM PDT Adrianna Hernandez <adhernandez@chulavistaca.gov> wrote:
Greetings,
After many meetings and many hours of work, the Chula Vista Technology and Privacy Advisory Task
Force<https://www.chulavistaca.gov/businesses/smart-city/projects/privacytaskforce> has developed a
draft set of policy recommendations for the City Manager.
Now it's your turn. The task force is looking for feedback from the public. A full draft of the policy
recommendations<https://www.chulavistaca.gov/home/showpublisheddocument/25071> has been
posted online, and community members are encouraged to provide comments in writing to
privacytaskforce@chulavistaca.gov<mailto:privacytaskforce@chulavistaca.gov>.
Please send in your thoughts no later than Tuesday, Sept. 6 so they can be compiled and shared with
task force members before their next meeting.
Additionally, you are welcome to attend and speak during the public comment session at the upcoming
task force meeting on Monday, Sept. 12 or Monday, Sept. 26. Public comment is open from 6 to 6:20
p.m. and at the end of each meeting. There will be further opportunities to comment when a final
report and policies are presented to the City Council in November.
Please feel free to share this information with anyone who may be interested. Thank you!
Sincerely,
Adrianna Hernandez
Special Projects Manager | Office of the City Manager
City of Chula Vista | 276 Fourth Avenue, Chula Vista, CA 91910
619-691-5254 | ADHernandez@chulavistaca.gov<mailto:ADHernandez@chulavistaca.gov>
Jeremy Ogul
From: Robert Johnson < >
Sent: Thursday, August 25, 2022 6:19 PM
To: privacytaskforce@chulavistaca.gov
Subject: Fwd: Some of my concerns.
Sent from my T-Mobile 5G Device
Get Outlook for Android
From: Robert Johnson < >
Sent: Thursday, August 25, 2022 6:18:50 PM
To: adhernandez@chulavistaca.gov <adhernandez@chulavistaca.gov>
Subject: Some of my concerns.
Some of the paper I've been looking at is call for service. In the data case numbers and many things are identifiers and
can be cross referenced with identifying data in call for service fire department. If they are public records that's the
thing it's more detailed on the fire department. I think a standardized version should be readily available to both like the
police already have. It's in Power BI updates automatically and is very easy to get to. If privacy is a concern sending out
city votes for another city to count let alone in machines not made in America. The DoD has many hundreds of
documents assessments of how national security risks and what systems are a threat to have a secure election yet mail in
ballots remain high risk and you embrace it. If privacy is a concern why are you all talking about noncitizen privacy. And
not our privacy. I see a lack of knowledge and leadership thinking they know what makes America safe. Bet you can
even fix your own cell phone.. If you want threat assessment maybe go to the FOIA web search and read on past
elections. We could hold 1000 person in person ballots one day and everyone could feel safer about voting. He let's
have voter ID so non citizens can't vote.
Sent from my T-Mobile 5G Device
Get Outlook for Android
Jeremy Ogul
From: Seth Hall
Sent: Tuesday, September 6, 2022 4:23 PM
To: privacytaskforce@chulavistaca.gov
Subject: Suggestions for Draft Recommendations
Attachments: 2209 Tech Lead SD - Suggestions RE Draft Recommendations.pdf
Task Force members,
Please find attached a review of the draft recommendations and additional items for your consideration. Please confirm
your receipt and distribution. Thank you!
-Seth Hall, Tech Lead San Diego
520-991-3962
September 6, 2022
Dear distinguished task force members,
Congratulations on reaching an important milestone in your work. The Task Force’s
proposed draft of recommendations contains many important improvements, which will benefit
the residents and visitors of Chula Vista.
My below review expresses suggestions for 11 potential improvements to your draft
recommendations. Among those 11 suggestions, I believe suggestions that are related to 4 items
in particular would have the most significant impact on your recommendations.
1. The Task Force’s draft recommendations do not include a requirement that any specific
approvals be required, prior to acquiring or using surveillance technology. My below
Recommendation 2 strongly suggests adding that as a Task Force recommendation.
2. The Task Force is not currently recommending the use of impact reports as a tool to
discover and mitigate potential harms caused by surveillance technology. My below
Recommendation 3 suggests adding that as a Task Force recommendation.
3. The Task Force is not currently recommending any educational meetings with the public
be held prior to acquisition or use of surveillance technology. My below
Recommendation 6 suggests adding that as a Task Force recommendation.
4. The Task Force is not currently recommending the use of annual surveillance reports as a
primary tool to achieve meaningful, ongoing oversight. My below Recommendation 11
suggests adding that as a Task Force recommendation. I suggest adding that as a Task
Force recommendation.
In addition, I suggest the Task Force create a Guiding Principles document to make clear the
principles that the Task Force suggests be followed after the Task Force has finished its work,
and the City attempts to translate Task Force recommendations into actions or law.
Thank you for your continued work on this important topic.
Seth Hall
Tech Lead San Diego (member of the TRUST SD Coalition)
seth@s3th.com
Suggestions for the Chula Vista Privacy Task Force
Recommendation 1: Statement of Guiding Principles
The Task Force should consider adding a statement of principles that can guide City staff
on the Task Force’s intentions once the Task Force has completed its work.
• Currently, the Task Force’s recommendations are highly detailed. Any City staff that
attempts to translate Task Force items into municipal code may be forced to make
assumptions about the values and principles that guided the Task Force’s
recommendations.
• For example, the Task Force could state that all its recommendations are based in
principles of public awareness, public benefit and public consent, and urge that any
subsequent City efforts should strictly align to such principles.
• Any such statement would help ensure that the Task Force’s detailed
recommendations are not misconstrued to justify outcomes that the Task Force did not
intend.
Recommendation 2: Approval for Acquisition and Use of Surveillance Technology
The Task Force should consider recommending that the City’s proposed use policies be
required to undergo advisory board review, and subsequent City Council approval, prior to
acquiring or using surveillance technology. This requirement should be encountered at the
earliest stages of surveillance technology acquisition or use.
• Currently, the Task Force recommendations do not require City Council approval prior
to acquiring or using surveillance technology. The suggested requirements are only
that contracts be presented and use policies be created and reviewed. No time frame or
sequence for these presentations, creations and reviews is currently specified. No
mechanism for rejection of a problematic technology is proposed by the Task Force.
• Without further requiring the City to achieve explicit City Council approval, City
departments may continue to acquire and use technology without the knowledge of the
public and City Council. All acquisitions and uses could be documented after-the-fact,
after an undefined period of time, under the Task Force’s current recommendations.
Additionally, unrecognized or obfuscated surveillance features of non-surveillance
products could operate indefinitely without review, without consequences.
• This requirement for approval would ideally be encountered by the City prior to the
phase of City staff seeking any funding for the acquisition or use.
Recommendation 3: Requirement of Impact Reports
The Task Force should consider recommending that the city be required to provide an
impact report alongside any proposed use policy.
• Currently, the Task Force recommendations only require a Use Policy to be created for
each surveillance technology. No impact reports are recommended.
• An impact report is a document that indicates the City has diligently investigated the
impact its acquisition and use of technology will have on the public. The results
discovered through the process of creating the impact report should heavily inform the
City department’s proposed use policy.
• Without requiring an impact report, City departments could draft a use policy without
considering whether that use policy successfully reduces the threat of harm to the
community, or whether the use policy successfully mitigates other risks created by the
introduction of the surveillance technology.
• Impact reports are included as a definition in the Task Force’s document, but they are
not recommended.
Recommendation 4: Advisory Board’s Conclusive Recommendation
The Task Force should consider recommending that the advisory board conclude its
advisory work in each case by advising council members to approve, reject, or modify the
proposed use policy.
• Currently, the Task Force recommendations only cover the advisory board reviewing
and suggesting changes to use policies brought by the City. Rejection of use policies is
not mentioned.
• For the advisory board to have maximum usefulness to council members, the advisory
board should be required to make clear a recommendation that the proposal be
accepted, modified, or rejected.
• In the case of the advisory board evaluating contracts with privacy implications, the
Recommendation 5: Advisory Board Evaluations
The Task Force should consider changing its draft recommendation to instead reflect that
the advisory board drafts its own evaluation, independent of City staff.
• Currently, the Task Force recommendations state that any evaluations of contracts be
written by a combination of City staff and the advisory board. Procurement: 24.
• Under the Task Force’s current recommendation, council members would be unable to
determine if evaluations were the product of employed City staff, or if they were the
product of independent community experts.
• The advisory board should author its own evaluations so that council members can
benefit from knowing the evaluations originate from a board of independent
community experts. Since City staff will be presenting final proposals to City Council,
City staff already have ample opportunity to document and voice their own
evaluations.
Recommendation 6: Educational Community Meetings Prior to Surveillance
The Task Force should consider recommending that the city hold public educational
meetings prior to submitting the documents for review or approval.
• Currently, the Task Force is not recommending the City hold any public meetings
prior to drafting the technology’s use policy, or prior to acquiring or using surveillance
technology. “Transparency and Oversight: 18(d)”
• The City may benefit greatly from increased public trust, if it makes the effort to hold
public meetings to present surveillance proposals prior to writing documents and
acquiring or using technology.
Recommendation 7: Inventory of Existing Surveillance
The Task Force should consider recommending that all currently used surveillance
technology be inventoried, and that list be provided to the advisory board as a public document
as the first order of business for the advisory board.
Recommendation 8: City Council Approval Guidelines
The Task Force should consider recommending the conditions under which council
members can determine a surveillance technology is eligible for City Council approval.
• Currently, the Task Force does not recommend the City obtain City Council approval
prior to acquisition or use of surveillance technology. If such a recommendation were
added, the Task Force should provide guidance to council members on the minimum
circumstances that should be present before City Council gives approval for a
surveillance technology.
• The Task Force should consider suggesting minimum, non-controversial preconditions
for City Council’s approval, such as requiring that the City Council judge that the
technology’s benefits outweigh its costs, or requiring City Council to judge that no
better alternative exists.
Recommendation 9: Public Records
The Task Force should consider recommending that any use policies (and impact reports,
if the Task Force chooses to add a recommendation for them) created in this process be explicitly
defined as public documents, regularly maintained and well-presented to the public.
Recommendation 10: Annual Surveillance Reports
The Task Force should recommend that annual reports be required for all surveillance
technologies. The reports should review the ongoing cost, usefulness, and integrity of any
approved surveillance technology.
• Currently, the Task Force does not recommend annual reports.
• Annual reports form the basis of ongoing oversight. They provide the advisory board
and the City Council with opportunities to safeguard the rights of the public and to
maximize budget efficiency, by identifying technologies that are not producing
expected results. Annual reports also help the public understand how surveillance
technology is benefiting public goals.
• The definition for Annual Reports is already included in the Task Force’s
recommendation, but the Task Force does not currently have a recommendation that
aligns with the definition.
Recommendation 11: Whistleblower Protections
The Task Force should consider that any non-compliant use of surveillance technology
will be observed first by City staff. Encouraging those staff to report the non-compliant use to
their supervisors is the most efficient and most desirable way to handle any such issues. If the
Task Force agrees, then it should consider recommending the City adopt specific whistleblower
protections, to ensure City staff feels they can safely report non-compliant activity, without risk
of retaliation.
Jeremy Ogul
From:
Sent:Tuesday, September 6, 2022 2:09 PM
To:privacytaskforce@chulavistaca.gov
Subject:Community input
Warning: External Email
To whom it may concern,
I am a Chula Vista resident, homeowner in Otay Ranch community since 2008, a working RN, married with 3 children.
My husband and I both support the increased monitoring in our city/community. We are happy that our hard-earned
tax dollars were spent to provide the drone first responder service to our CVPD. In my opinion the more eyes we have
on our community the better, the safer our city, community, our neighborhoods will be. I do not care if I have cameras
on my house, drones flying over my backyard, etc. That makes me and my children feel safer. Our neighborhood so far
has been a very safe and family welcoming neighborhood - with kids walking and riding bikes independently, seniors
walking their dogs, parks without issues of homelessness or petty crime, absence of graffiti, etc. So I trust our CVPD to
use the monitor technology at their will - whatever they have been doing so far has been working great. Keep up the
good work for people like me and my family CVPD!
Gina Velasco
Zip 91913
Jeremy Ogul
From:Steve Goldkrantz <goldkrantz@yahoo.com>
Sent:Tuesday, September 6, 2022 12:50 PM
To:Adrianna Hernandez
Cc:Privacy Task Force
Subject:Re: Share your thoughts on privacy guidelines for the City of Chula Vista
Ms. Hernandez,
Thank you for the opportunity to provide comment and feedback. The draft is very well organized and written. As for
the formation of a new Board including non-Chula Vista residents, I defer to the current regulations on the books
concerning such a matter.
It seems that there are four overarching issues at hand:
(1) Cybersecurity - how the City of CV information is secured once collected - be it City Hall offices, the library, the Police
Department, etc. This involves technical systems security matters, user procedures, and insider threat
detection/mitigation.
(2) Information Sharing Externally - this always presents a cybersecurity challenge, and again covers information
technology transmissions from the technical level to the user level. Essentially, how information can technically be
shared externally - legally and appropriately - while remaining secure.
(3) Privacy - what information is deemed Private and [Sensitive] Personally Identifying Information under various laws
and rules such as the Privacy Act, 28 CFR 23, etc. and what are the regulations/rules guiding both the technology and
end user applications.
(4) Enforcement Technologies - with the rapid expansion of the City of Chula Vista, the Public Security Sector is
challenged in meeting the demand for increased patrols, call responses, crime prevention, victim handling,
etc. Technology is a force multiplier for deterring crime, responding to crimes, enabling community assistance,
investigations, prosecution. Technology is critical to the entire law enforcement cycle needed to protect the residents of
the City and those who are non-residents but work, attend school, shop, or have businesses here. Enforcement
technologies are a force multiplier for public protection and the officers and first responders working it.
All the above needs to be wrapped up with incident detection, response, mitigation, resolution. It might not be bad for a
“Red Team” to challenge some of the existing processes as well as the gaps/concerns identified by the Privacy Task
Force.
Again, thank you for the opportunity to comment. The Mayor’s Office and the Privacy Task Force are more than
welcome to reach back to me for any further questions, comments via this email or my phone: 619-823-3383.
Thank you and have a great afternoon.
Steve Goldkrantz
Sent from Yahoo Mail for iPad
Jeremy Ogul
From:Jason Essex
Sent:Friday, September 2, 2022 10:08 AM
To:privacytaskforce@chulavistaca.gov
Subject:New Chula Vista Privacy Policy Reply
Greetings,
I have had any number of issues for over ten years as it pertains to privacy.
The root cause also always leads back to lawyers, attorneys, law firms, groups, organizations and companies who do honor
their oath, do not state discovery, disclose why they are doing so as well as ignoring California Consumer Protection
Act.
Each needs to be held accountable for not having a business listing it with the city and or state but a listing with the
California State Bar. ANY *website* that ends in : .com is a business. In many cases they do not have a Privacy or Terms
of Use page(s).
I have to wonder how many data mining tools they use to capture your IP Address, Email information and the like. A
Credential check needs to be run whenever a case is brought to the court as it pertains to these listings. If you can cite
said legal entities ongoing failure to state Disclosure and Discovery they need to be penalized and this should count
towards the opposing party.
I also have to wonder why said entities that have my Social Security number have shared it with such legal sources and
not been accountable. Monies have changed hands for the purpose of earning monies from said information. Does this
not fall squarely under the California Consumer Protection Act as well as Disclosures and Discovery laws in addition to
Business and Professional Ethics laws?
To review these ongoing concerns please review my cases in the San Diego County Court House / Hall of Justice.
* I have not been paid for any of my Intellectual Properties dating back to 2014 as of today. The courts have repeatedly
frozen my assets without ever stating who the asset manager(s) are. With of twenty (20) such items for sale under the
author names of By Jason Douglas Essex, By Jason Essex as well as the bulk being under By Jason D. Essex the sales
platforms have never provided me with earnings information.
As such this is identity, time and wage theft that has caused endless forced labor and costs in addition to endless stress.
Here is a direct link to some of my content:
https://www.facebook.com/ByJasonDEssexLocalAuthor
https://books.apple.com/us/book/red-tape/id1529009437
https://books.apple.com/us/book/a-valentines-day-event-for-you-to-enjoy-too/id1571539079
This appears to be the data mining and redirectional robot that is preventing me from having any such information or
earnings on this sales platform:
https://books.apple.com/us/book/living-the-dream/id437205980
Thank you for your time today.
By Jason D. Essex
830 Kuhn Drive
Post Office Box 210692
Chula Vista, CA 91914
(619) 548-4686
September 3, 2022
Adrianna Hernandez
Special Projects Manager | Office of the City Manager
City of Chula Vista | 276 Fourth Avenue, Chula Vista, CA 91910
619-691-5254 | ADHernandez@chulavistaca.gov
Let me preface my remarks by thanking you for the opportunity to comment on the
proposed Summary of Policy Recommendations.
My comments are limited to the application of these recommendations as they impact
law enforcement and more specifically the CVPD, Sheriff and National City.
I speak from a background in law and law enforcement having been a sworn member of
the CVPD and SDSO and a licensed attorney representing clients in the area of civil
litigation. I served on the 2021-22 County Grand Jury where my Law and Justice
committee examined and extensively studied the issue of privacy rights and the impact
of surveillance and modern technology on the public. The 2021-2022 Grand Jury
published our findings and recommendations which can be found at:
http://www.sdcounty.ca.gov/grandjury.
That being said, the recommendations being proposed are, I believe, incomplete and
present potential serious issues concerning public welfare and safety.
2. “The Privacy Advisory Board should have nine members, at least two-thirds of
whom are Chula Vista residents.”
It is no surprise that the authors specifically left out inclusion of representatives from law
enforcement and victim’s rights advocates. The special interest groups, working under
the guise of the San Diego TRUST coalition, drafted and presented the exact same
recommendations for the City of San Diego. One only need look at the composition of
that group to understand the real purpose behind their agenda. Best practices studies
show that “city council decisions are more likely to be seen as fair and considerate if all
people having a stake in the outcome” are involved. Asking nine people, none of whom
have any experience in law enforcement, to make recommendations on what is
acceptable use of a piece of modern technology is like asking a jury of nine to
determine guilt or innocence after hearing testimony and seeing evidence from only one
party to a case. At the August meeting of the Advisory group, a member of TRUST
stated they were only interested in being sure that all members of the community were
represented. It appears TRUST does not view law enforcement or victims of crime to be
part of the Chula Vista community.
Using that as background, the recommendations fail to address serious concerns
unique to law enforcement.
The CVPD works closely with the SDSO, which serves the unincorporated area of
Bonita, and with the NCPD. The departments are often called upon to assist each other.
This close symbiotic working relationship often requires sharing of information by each
organization. That need for sharing must be recognized and incorporated in the
guidelines the advisory board works under, and collaboration with outside agencies must be
considered when recommending any rules on surveillance or use of equipment such as
drones.
Along the same lines, the use of surveillance technology as it specifically applies to law
enforcement cannot be adequately explained by a non-law enforcement lay person.
Hence, any recommendations concerning use of technology must include specific and
articulable rationale from the CVPD (or other L.E. sources) as to the appropriateness of
the board’s recommendation. If necessary, provisions should be included allowing such
presentation to be made in a closed door session.
In addition, the CVPD has officers assigned to various state and federal task forces. In
their roles, secret and sensitive information must be shared. Any attempt to quash that
sharing might jeopardize further participation by CVPD personnel and affect public
safety. Clarification with regard to sharing of such data should be included. Once again,
this will require input from high level members of the CVPD.
Finally, I see no provision for discussion of sensitive material among the advisory board
members. Secrecy should be addressed and violations should be subject to criminal
and/or administrative sanctions.
Once again, I thank you for providing the opportunity to address these issues.