July 21, 2014 Draft

City of Oakland
Framework for Discussion of a Policy for Privacy and Data Retention for the Joint
City-Port Domain Awareness Center


I. Background and Overview

The Joint City-Port Domain Awareness Center (interchangeably referred to in this document as
Joint City-Port Domain Awareness Center, Domain Awareness Center, or DAC) was
first proposed to the City Councils Public Safety Committee on June 18, 2009, in an
information report regarding the City of Oakland partnering with the Port of Oakland to apply
for Port Security Grant funding under the American Recovery and Reinvestment Act, 2009.

Under this grant program, funding was available for Maritime Domain Awareness (MDA)
projects relative to maritime or waterside. The Port and City were encouraged to consider
the development of a joint City Port Domain Awareness Center. The joint DAC would create a
center that would bring together the technology, systems and processes that would provide for
an effective understanding of anything associated with the City of Oakland boundaries as well
as the Oakland maritime operations that could impact the security, safety, economy or
environment.

The Joint City Port Domain Awareness Center goal is to improve readiness to prevent,
respond to and recover from major emergencies in the Oakland region and would ensure better
multi-agency coordination across the larger San Francisco Bay Area. This goal continues to be
the focus of the DAC project along with leveraging the systems capabilities to reduce crime
and enhance public safety and day-to-day first responder operations, as other cities have done
nationally.

The term Domain Awareness Center finds its origin in the Dictionary of Military and
Associated Terms with Maritime Domain Awareness. Maritime Domain Awareness (MDA)
is defined by the International Maritime Organization as the effective understanding of
anything associated with the maritime domain that could impact the security, safety, economy,
or environment.

Joint City-Port Domain Awareness can be defined as the effective understanding of anything
associated with all areas and things of on, under, relating to, adjacent to, or bordering the city
limits, the sea, ocean, or other navigable waterways, including all first responder and maritime
related activities, infrastructure, people, cargo, and vessels and other conveyances that could
impact the security, safety, economy, or environment.

The Joint City-Port Domain Awareness Center would be utilized as a tool or system to
accomplish this effective understanding as it relates to the security, safety, economy or
environment of the City of Oakland and the Port of Oakland.


Comment [CC1]: Matt/Linda: The whole policy
needs to be updated to reflect the current state of
the DAC and the Brooks Amendment (Hofer).

Staff: Circle areas.
Comment [CC2]: Nadia questions whether we
should keep this term in the document at all.

Keep throughout document?
Remove throughout document?


II. Mission of the Domain Awareness Center

The mission of the Domain Awareness Center (DAC) is to: (1) improve readiness to prevent,
respond to, and recover from major emergencies at the Port and in the greater Oakland region
and (2) ensure better multi-agency coordination in response to emergencies across the larger
San Francisco Bay Area.

III. Policy Purpose

This policys purpose is to protect the privacy, civil liberties, and freedom of speech of the
general public and erect safeguards around any data captured and retained by the DAC, against
improper use and/or distribution.

IV. Policy Updates

This Privacy and Data Retention Policy Framework is developed as a working document, and
will be periodically updated to ensure the relevance of policy with the ever changing field of
technology. At no time will this policy be changed without returning to the City Council for
approval.


V. Definitions

As used in this policy framework, the following terms are defined below:

Analytics means the discovery and understanding of meaningful patterns and trends in data
for well-informed decisions. Especially valuable in areas rich with recorded information,
analytics relies on the simultaneous application of statistics, computer programming and
operations research to quantify performance.

DAC Staff means the individuals who will be responsible for monitoring the equipment
within the DAC on a day-to-day basis, including supervisors.

DAC System means the integration of various hardware, software, and network components
to provide the situation awareness of any incident to the users.

DAC Data means any information fed and stored into the DAC System either from Port
Cameras, City Cameras, or any other source that is at the facility including but not limited to:
City GIS (Phase 1), Port Security Cameras (Phase 1), Intrusion Detection System (IDS) (Phase
1), Port GIS (Phase 2), Port Vessel Tracking (Phase 2), Port Truck Management (Phase 2),
Police and Fire CAD (Phase 2), WebEOC Notifications (Phase 2), Tsunami Alerts (Phase 2),
Fire Automatic Vehicle Location (Phase 2), and NOAA Weather Alerts (Phase 2)Shot Spotter,
GIS Mapping, Port Vessel Tracking Systems, and Port Truck Management Systems.

Major Emergency means the existence of conditions of disaster or extreme peril to the safety
of persons and property within the territorial limits of the City of Oakland or having a
significant adverse impact within the territorial limits of the City of Oakland, caused by such
Comment [CC3]: Nadia proposes erasing and
replacing with:

against misuse, sharing, or breach of safeguards
around any data captured and retained by the DAC,
against improper use and/or distribution.

Also of note: this change could possible call for
Sections II and III to be combined in some way.
Comment [CC4]: Nadia: definition needs to be
further fleshed out.

Hofer: With the Brooks Amendment, specify what
the hardware, software, and components allowed
comprise of: number of cameras, etc.
Comment [CC5]: Hofer: this definition should
refer to emergencies only at the Port.

conditions as air pollution, fire, flood, storm, epidemic, riot, drought, sudden and severe energy
shortage, plant or animal infestation or disease, the state Governors warning of an earthquake
or volcanic prediction, or an earthquake, or other conditions, which are likely to be beyond the
control of the services, personnel, equipment, and facilities of the City of Oakland and require
the combined forces of other political subdivisions to combat, or with respect to regulated
energy utilities, a sudden and severe energy shortage requires extraordinary measures beyond
the authority vested in the California Public Utilities Commission.

Incident means an occurrence or event, natural or human caused, that requires an emergency
response.

Tracking means the use of surveillance cameras linked to the DAC to track movement in the
cameras field of view or across networked cameras.

Video Analytics Capability means

Need to know means

Right to know means

Restricted information means

Major emergencies means

VI. Technological Capabilities of DAC System/Equipment

Additional technology integrated into DAC requires council approval

The Oakland City Council has placed limits on current and future technology for the DAC.
Specifically, Oakland City Council Resolution 84593 provides in relevant part, the following:

The City/Port Joint Domain Awareness Center (DAC) Phases 1 and 2 includes data and
video feeds from the following, surveillance, security sensor and video analytics sources
only: Port Video and Intrusion Detection Cameras, Port of Oakland Vessel Tracking
System, City of Oakland traffic cameras, City of Oakland-owned cameras operated by the
City in non-residential areas, City of Oakland Shot Spotter Audio Sensor System, and
License Plate Recognition systems, and that the addition of any new surveillance,
security sensor or video analytics capability, feed or data sources shall require approval
of the Council, including confirmation of compliance by the DAC and all City and Port
data sources with the Citys Privacy and Data Retention Policy to the extent allowed by
law.

Analytics, including facial and gait recognition software

1. There is no facial or gait recognition software installed and/or planned for Phase 2.
2. Some Port security cameras have video analytics capability and these cameras are used as
motion sensors for intrusion detection purposes.
3. No analytics are planned that would use biometric data to identify individuals.
Comment [CC6]: Gray and Bulls wants to delete
this clause. Hofer disagrees.
Comment [CC7]: Nadia recommended that we
define terms such as the following.
Comment [CC8]: Matt/Linda/Nadia: update this
language to reflect the current status of what is
integrated to show that it is very limited.
Comment [CC9]: Nadia wants to make it clear
that facial and gait recognition software are
prohibited.

Hofer recommends deleting the entire section due
to the fact that this isnt planned or current. For
Port analytics, if we explain full tech specs, then do
the same for VidSys, PSIM, Shot Spotter, etc.

4. Some Port security cameras have video analytics capability and these cameras are used as
motion sensors for intrusion detection purposes. Specifically, analytics are in use to
identify significant security events at the Port of Oakland such as:
a. Crossing of fence lines from public areas into secured areas
b. Unusual activity within secured areas
c. Object sensors that identify vehicles traveling far above the speed limit, which are
used to alert for drag racing at the Port.
5. Future uses of analytics at the Port of Oakland could include further alerts to enhance
public safety such as:
I. Large container ships traveling at high speeds toward bridge supports.
II. Large trucks parked in unauthorized areas
6. Before any future analytic capabilities are integrated, staff will return to Council for
permission to integrate such capabilities. If Council approves use of such integration, this
policy will be updated prior to implementation to address the use of such analytic
capabilities.

License Plate Readers

The City has equipped some police fleet vehicles with the automatic License Plate Recognition
(LPR) system. LPR is used to identify vehicles by their license plates to detect stolen cars,
felons with warrants, and to raise alerts of license plates on the hot list. The LPR equipped
police cars are used to detect stolen cars and felons with warrants.

LPR technology is not integrated into the DAC System

License Plate Readers (LPRs) are used to raise alerts of license plates that are on a hot list.
The DAC does not receive or database LPR data directly, but will receive alerts from systems
that process LPR data. The LPR technology is neither currently linked to DAC nor planned for
Phase 2.

Before any future integration of LPR technology into the DAC System, staff will return to
Council for approval of integration of LPR technology. If Council approves such integration is
approved by Council, the DAC Privacy and Data Retention Policy will be updated to address
LPR use prior to implementation.

Shot Spotter

The DAC receives Shot Spotter alerts from the system provider identifying geo-location and
coordinates on a Geographic Information System (GIS) Map. The DAC does not receive audio
data from Shot Spotter sensors. Alerts that match pre-determined criteria are stored in the DAC
system as events.

Before any future integration of Shot Spotter technology into the DAC System, staff will return
to Council for approval. If Council approves such integration of Shot Spotter technology is
approved by Council, the DAC Privacy and Data Retention Policy will be updated prior to
implementation to address the use of Shot Spotter at the DAC.

Comment [CC10]: Hofer: proposes to erase this
section since this isnt a proposal but instead a
guiding document.
Formatted: Underline
Comment [CC11]: Nadia wants to simplify this
language to plainly say that LPRs are not included in
the DAC. Staff made rough edits here to address
this.

Hofer/Matt/Linda proposes deleting the section
from the policy. Matt/Linda proposes to replace the
LPR, Shot Spotter and Social Media Sections with:

Before any future of other informational input is
added to the DAC Data, an updated policy shall be
publically available and subject to City Council
approval.

Staff would recommend the following amended
version of the Matt/Linda language:

Before any future integration of other
informational input is added to the DAC Data, staff
will return to Council for approval. If Council
approves such integration, the DAC Privacy and Data
Retention Policy will be updated to address use
prior to implementation.
Comment [CC12]: Nadia wants to clarify the
language to shield shot spotter data from the DAC.
Staff made rough edits here to address this. Hofer
wants this info updated to match the Brooks
Amendment.
Comment [CC13]: Hofer: If kept, flesh out. He
understands that manual bookmarks caused events
to be stored and that nothing is automatic.

Social Media

The DAC does not currently have privileged access agreements with any social media
provider. Privacy of social media data is controlled by each individual social media provider.
Social media could be accessed by the DAC via the same methods available to the public.
Individual operators of the DAC could also potentially access social media using their own
means according to that individuals employment agreement, Human Resources policy or other
applicable policy.

No Social Media feed is either currently linked to DAC or planned for Phase 2. Before any
future integration between Social Media feeds and the DAC System, staff will return to
Council for approval. If Council approves such integration of Social Media feed is approved by
Council, the DAC Privacy and Data Retention Policy will be updated prior to implementation.


VII. Access to the DAC system / equipment

Day to Day Operations

The DAC computer and network equipment is maintained by the Citys Department of
Information and Technology (DIT) staff.

Only City of Oakland and Port of Oakland Employees will be used to monitor any data
systems or camera feeds that will come into the DAC. No private contractors will serve such a
role. All employees who are assigned to monitor the data systems and camera feeds coming
into the DAC will be required to undergo security background checks at the local level as well
as security clearances at state and/or federal levels to ensure data and information security.

Training

Training is required for interaction with the DAC. All City of Oakland and Port Employees
who are assigned to monitor the data systems and camera feeds coming into the DAC will be
required to participate in specific training around constitutional rights, protections, and
appropriate uses of the data systems and the camera surveillance systems.

Critical incidents/emergencies/EOC activations

During a major emergency, City of Oakland Agency Directors and/or their designees in the
Emergency Operations Center (EOC) and outside governmental agencies and non-
governmental agencies staff assisting with the major emergency or disaster (such as the Red
Cross) that would report to EOC may have access to the DAC computers and displays. Such
access will only be provided on a need to know, right to know basis and if there was a direct
correlation between the major emergency or disaster and DAC operations.

Support and Repairs

DIT staff and vendors that installed the systems as well as other maintenance providers will
have access to the system components but will be restricted from access to actual stored data.
Various manufacturers and vendors are hired to provide additional support services. Any
Comment [CC14]: Nadia wants to make it clear
that no social media info will be used for the DAC.
Comment [CC15]: Hofer: and sign NDA, other
security agreements, etc.
Comment [CC16]: Matt/Linda: Desires
additional fleshing out of the training language.
Comment [CC17]: Staffs attempt at addressing
Matt/Lindas point about training required.
Comment [CC18]: Nadia would like more
clarification here.
The members present on 7-10-14 would like more
context from Nadia on her request.
Comment [CC19]: Matt/Linda: Need to identify
the agencies that would get access in an emergency.

Hofer: need to clarify what triggers or escalates an
emergency.
Comment [CC20]: Needs defining.

system and network level access by these vendors require either background check or City/DIT
employee presence. The system level access is maintained by DIT staff, however the
Applications level access, as far as end-users are concerned, is maintained by the DAC
operations group.

Auditing Purposes

Third Party Auditors, Federal, State, or Local grantor auditors or the City Auditor may have
access to any stored data solely for audit purposes.

VIII. Access to information and data obtained through DAC

Only City employees with a need to know or right to know will have access to the data
gathered by the DAC. Other than staff at the DAC, any sworn or non-sworn personnel without
a direct role in investigating an incident will not be permitted access to DAC data.

IX. Use Restrictions

General restrictions

Under no circumstances shall the DAC be used for the purpose of infringing upon First
Amendment rights. Operators of the DAC shall not target or observe individuals solely based
on their race, gender, sexual orientation, disability or other classifications protected by law.
The City (and any of its employees) shall not track the movement of an individual(s) by
using the DAC system unless there is a reasonable suspicion of criminal wrongdoing.

Surveillance Video Camera Use

The City shall not use audio in conjunction with closed circuit television cameras unless
appropriate court orders are obtained.
Operators shall abide by the restrictions set forth in this policy regardless of the sources
of the closed circuit television video feeds.
Closed circuit television systems shall only be used to observe locations that are in public
view and where there is no reasonable expectation of privacy.
The City will only add additional cameras to feed into the DAC upon the approval of the
City Council.
Operators shall not focus on hand bills, fliers, etc., being distributed or carried pursuant to
First Amendment rights.

DAC system/equipment Data storage for Port and City cameras

Pursuant to Government Code Section 34090 the City will retain any recorded data for two
years. The exception to this rule is when an incident or emergency is recorded by DAC
monitoring staff that will be used for evidentiary purposes as part of a criminal investigation at
which point the data retention policies of the agency that has conducted the monitoring will
apply (OPD, OFD, or Port).

DAC system/equipment data for storage of outside systems

Comment [CC21]: 7.10.14 committee
discussion: Provide more information here which
explains the audits related to equipment for
functionality versus data auditing in the equipment.

Nadia comment: These audit provisions are minimal
and unclear.

Hofer: See Brooks Amendment #4. Feds, States,
other local agencies would have access absent a
warrant
Comment [CC22]: Nadia comment: this section
needs more work. Use the DGO 8.10 and Seattle
Intelligence ordinance as examples of more
complete use restrictions (they are not 1-1 with the
DAC but can be a good start).

Group comment from 7.10.14-Say what it can do
and why it is allowed. Use 1-2 paragraphs for
standards.

Matt/Linda: Set forth the mission here and purpose
of the DAC then a list of specific goals that the DAC
will help meet along with the permissible uses of
the DAC equipment and data.

Hofer: State how well ensure that lawful activities
will not be watched absent a strong showing. State
the showing needed to meet this standard.
Comment [CC23]: Matt/Linda: Be more specific
about what this means. Will it include protests,
political gatherings, marches, etc?
Comment [CC24]: Hofer: pursuant to a
warrant. Also clarify that no tech capability can be
added including camera audio without Council
approval (per the Brooks Amendment).
Comment [CC25]: Matt/Linda: Check Supreme
Court ruling in the US v. Jones case suggest that in
some circumstances persons expect a reasonable
expectation of privacy in public spaces. Maybe
useful: US 347, 351
Comment [CC26]: Matt/Linda: This could be
addressed in the inputs section. It should go
through a public City Council process.
Hofer: This process should apply to everything.
Comment [CC27]: Matt/Linda: This section
should remain blank until the Ad Hoc Committee
decides, with City staff, on a retention policy.

What are data retention policies of other agencies?
Other retention policies for the City?

Hofer: Use this as a placeholder for the committee
for now.

Pursuant to Oakland City Council Resolution 84593 (excerpted above in Section VI.), the
addition of any new surveillance, security sensor or video analytics capability, feed or data
sources shall require approval of the Council, including confirmation of compliance by the
DAC and all City and Port data sources with the Citys Privacy and Data Retention Policy to
the extent allowed by law.

In the event that Council approves outside camera systems, the DAC will not store (record)
data received from outside camera systems except when those systems have no recording
capability.

Nor will the City attempt to require outside systems to modify their data storage and retention
policies.

If a private system is connected to the DAC, its data will only be stored at the DAC if an
incident that is captured by that feeder system is recorded by DAC staff.

If the City provides funding for the purchase and installation of any private or quasi-public
video surveillance system that is connected to the DAC, the only data storage requirement that
the city will impose is that the owner/operator provide access to the footage for the city when
there is a recorded incident or major crime in the area. If the private system wishes to retain
data for any length of time, the data will not be subject to the Citys policies.

Before any future private video feeds are considered for integration to the DAC system, staff
will return to Council for approval. If integration of such outside camera system(s) is approved
by Council, the DAC Privacy and Data Retention Policy will be updated prior to
implementation.

Information sharing

In order for the DAC staff to provide any stored data to other agencies there must be a warrant
or subpoena for records from the requesting agency. Additionally, if the information, data or
video that is being requested is from a third party or outside feeder source, the law enforcement
agency seeking such information must go to the original source of the information to request
the data, video or information.

Outside of those scenarios mentioned, the City of Oakland DAC staff must have a written
Memorandum of Understanding (MOU) with any outside agencies for information sharing
which must be approved by the Oakland City Council pursuant to Oakland City Charter section
504(l).

X. Locations of City Cameras

City of Oakland Traffic Cameras are shown in the attached city map and on the Citys website.
Before any future Cameras are added to the DAC system, staff will return to Council. If
integration of additional cameras is approved by Council, the DAC Privacy and Data Retention
Policy will be updated prior to implementation.

Comment [CC28]: Hofer: Match with Brooks,
specifically #5 which has a narrower scope.
Comment [CC29]: Hofer: This section is
confusing. The retention policy should not change
because of the camera feeds in order not to put the
data at risk.
Comment [CC30]: Nadia comment: private
systems should not be connected to the DAC.

Matt/Linda: If private systems are to be included,
the public City Council approval process must occur.

If kept in the policy, it should be centralized because
it is listed in many places as of right now.
Comment [CC31]: Hofer: Strike any future
language. This policy is governing our city systems, it
is not a proposal.
Comment [CC32]: Matt/Linda: Other agencies
needs to be further defined here or in the
definitions section.
Comment [CC33]: Matt/Linda: the warrant
requirement could be stronger.
Comment [CC34]: Nadia comment: Needs more
clarification especially since Oakland participates in
JTTF and suspicious reporting activity.
Comment [CC35]: Matt/Linda: This section
conditions approval of contracts negotiated by the
City Manager on a Council vote. What about
contracts between the police and another entity
where the City Manager is not involved?

Staff: On average, all contracts are signed by the
City Manager/administrator as a standard practice.
Comment [CC36]: Nadia comment: delete this
section.

Committee 7.10.14 decision: keep this section but
use general info about the areas that are covered.
Do not list the specific camera locations to reduce
changes of camera damage.

Hofer: with the Brooks Amendment prohibiting any
sharing agreement without Council approval,
sections like this could be deleted.
Comment [CC37]: Ditto to previous comment.

XI. Audits

a. Program Manager
Quarterly audits of the surveillance monitoring will be conducted by the program
manager to ensure compliance with this policy. Periodic audits of any and all surveillance
monitoring will be conducted by the program manager to ensure compliance with this
policy. The audit would include the following:

i. Description of how the surveillance technology was used
ii. How many times data was shared with non-City entities, the type of data
disclosed, justification for disclosure.
iii. Crime statistics for the area where the DAC monitored, the number of times DAC
data was used to bring criminal charges, the types of charges brought, and the
results of the charges.
iv. Community complaints/concerns about the technology.
v. Statistics/information about public records requests, including response rate.
vi. Total annual cost of the surveillance technology, including ongoing costs,
maintenance costs, and personnel costs.

The result of these audits should be periodically presented to the City Council and made
available to the public. The City Council should use this information to publically
reassess whether the DAC benefits outweigh the fiscal and civil liberties costs.

b. City Auditor
Annual performance audits will be conducted by the City Auditors Office or an outside
auditor to ensure compliance with this policy. These audits shall be provided to the
Mayor, City Administrator, and City Council annually.

XII. Records Management

If this policy is approved by the City Council, the DAC Staff will be the custodian of records;
responsible for retention (as noted in Section IX, DAC System Data Storage), access to
information, and responding to requests for information under Californias Public Records Act.
DAC staff must follow all relevant and applicable policies, procedures, Regulations and laws.

XIII. Redress and Public Information Requests

a. DAC staff shall assign a public records request liaison, alternate liaison and supervisor
with access to DAC material for public records requests in the processing, proper
response (which may include review and subsequent redaction of information) and
tracking in RecordTrac (or any other public records tracking system adopted by City of
Oakland).

b. The Publics Access to Video Recordings:
For recorded images fed into the DAC, individuals may request a copy of such records by
contacting the DAC staff (see Public Records Liaison List) and submitting a Public
Records Act request. Such requests are subject to be entered into RecordTrac, and viewed
by the public.
Comment [CC38]: Matt/Linda suggested
additions.


c. Individuals who request a copy of recorded images of themselves must provide details to
allow the City to identify them as the subjects recorded in the images. Such a request
should include the location, time, and date of recorded images.

XIV. Sanctions and Enforcement Remedies

See Administrative Instruction 140 (AI140) attached defining the City of Oaklands Electronic
Media Policy.

XV. Ad hoc Advisory Committee

An Ad hoc Advisory Committee appointed by the Mayor, City Administrator and City Council
that includes community members, privacy experts, legal experts and staff to ensure
transparency and inclusiveness relative to the Privacy and Data Policy will be created. This
committee will review any development as the DAC Center evolves and/or expands to include
additional enhancements or functionality. This committee will also oversee the DAC program
development and implementation. The Committee will report its findings to the City
Administrator and City Council Public safety Committee on an ongoing basis.



Nadia recommends adding the following to the policy:

1. What are the established policies for public engagement and feedback? What type of
engagement is needed?
2. What are the clear restrictions on data sharing? (Keep in mind bodies like the Oakland
JTF and staffing agreements with NCRIC).
3. Clarify the technology included in the DAC because things have changed since it was
drafted and this would need to be very carefully addressed.





Comment [CC39]: Hofer: proposes to delete
because this does not keep with Committee
principles nor compliant with PRA.

7.10.14 Committee Discussion: This item is tabled
for now because some members want to identify
the requestor and others do not. Try to balance the
need for transparency with the need to prevent
abuse/misuse.
Comment [CC40]: Nadia: action for violations of
the remedy is missing. See the Seattle Intelligence
Ordinance (SMC 14.12.350 Civil liability.

Hofer: Create private right of action, criminal
penalties (see NDA and other security agreements
for language), statutory damages.
Comment [CC41]: Hofer: This needs to match
the Brooks Amendment.

Staff: Make sure text here aligns with the Charter
about the appointment process.