CITY OF OAKLAND POLICY FOR PRIVACY AND DATA RETENTION FOR THE PORT DOMAIN AWARENESS CENTER (DAC) I. BACKGROUND AND OVERVIEW Port Domain Awareness Center (interchangeably referred to in this document as Port Domain Awareness Center”, “Domain Awareness Center,” or “DAC”) was first proposed to the City Council’s Public Safety Committee on June 18, 2009, in an information report regarding the City of Oakland partnering with the Port of Oakland to apply for Port Security Grant funding under the American Recovery and Reinvestment Act, 2009. Under this grant program, funding was available for Maritime Domain Awareness (MDA) projects relative to “maritime” or “waterside” uses. The Port and City were encouraged to consider the development of a joint City-Port Domain Awareness Center. The joint DAC could create a center that would bring together the technology, systems and processes that would provide for an effective understanding of anything associated with the City of Oakland boundaries as well as the Oakland maritime operations that could impact the security, safety, economy or environment. However, the City Council action on March 4th, 2014 limited the scope of the DAC to the Port. Therefore, the DAC and the entirety of this policy are exclusive to Port areas within Oakland. Any effort to expand the DAC beyond the Port would require a public hearing and action by the City Council. “Port Domain Awareness” is defined as the effective understanding of anything associated with all areas and things of on, under, relating to, adjacent to, or bordering the sea, ocean, or other navigable waterways, including all first responder and maritime related activities, infrastructure, people, cargo, and vessels and other conveyances that could impact the security, safety, economy, or environment. The DAC would be used as a tool or system to accomplish this effective understanding as it relates to the security, safety, economy or environment of the Port of Oakland. The DAC is a joint project between the Port and the City of Oakland. The DAC is physically located within the Emergency Operations Center (EOC) and it can collect and monitor live streams of video, audio, and/or data, watching for time-critical events that require an immediate response. Additionally, the DAC is the part of the EOC that stays alert between emergencies and refers Port-adjacent incidents to the EOC staff for the EOC activation decision. While the rest of the EOC activates, the DAC can share relevant information to incident participants until the EOC infrastructure takes over. II. MISSION OF THE DOMAIN AWARENESS CENTER The mission of the DAC is to have situational awareness needed for time-critical decision making in order to prevent, prepare for, respond to, and recover from emergencies and crime at the Port. 1530151 Page 1 of 12 January 15, 2014 Draft III. POLICY PURPOSE This policy’s purpose is to protect the Right to Privacy, civil liberties, and freedom of speech of the general public as protected by the California and Federal Constitutions, and erect safeguards around any data captured and retained by the DAC, and to protect against its improper use, distribution and/or breach and in how it is used for law enforcement investigations. This policy shall be referred to as the DAC Privacy and Data Retention Policy (“Policy”). More specifically, the principal intent of this Policy is to ensure the DAC adheres to constitutionality, especially the 1st and 4th amendments of the U.S. Constitution and the California Constitution. Also, this Policy is designed to see that the DAC processes are transparent, presume people’s innocence, and protects all people’s privacy and civil liberties. Privacy includes our right to keep a domain around us, which includes all those things that are part of us, such as our body, home, property, thoughts, feelings, associations, secrets and identity. The right to privacy gives us the ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose. The importance of privacy can be illustrated by dividing privacy into three equally significant parts: 1) Secrecy - our ability to keep our opinions known only to those we intend to receive them, without secrecy, people may not discuss affairs with whom they choose, excluding those with whom they do not wish to converse. 2) Anonymity - Secrecy about who is sending and receiving an opinion or message, and 3) Autonomy - Ability to make our own life decision free from any force that has violated our secrecy or anonymity. This Policy is designed to promote a “presumption of privacy” which simply means that individuals do not relinquish their right to privacy when they leave private spaces and that as a general rule people do not expect or desire for law enforcement to monitor, record, and/or aggregate their activities as a consequence of participating in modern society. IV. UPDATES TO THE POLICY AND TO DAC A. City Council shall establish a permanent Privacy Policy Advisory Committee for the DAC. The permanent Privacy Policy Advisory Committee shall have jurisdiction as determined by the City Council, including but not limited to reviewing and advising on any proposed changes to this Policy or to the DAC. B. No changes to this Policy shall occur without City Council approval. This Policy is developed as a working document, and will be periodically updated to ensure the relevance of the Policy with the ever changing field of technology. All changes proposed to the Policy or to the DAC must be submitted to and reviewed and evaluated by the Privacy Policy Advisory Committee for recommendation for submission to the City Council, and include an opportunity for public meetings, a public comment period of no less than 30 days, and written agency response to these comments. City Council approval shall not occur until after the 30 day public comment period and written agency response period has completed. C. For any proposed changes for the Policy that occur prior to the City Council establishing the permanent Privacy Policy Advisory Committee, such changes shall be in the purview of the City Council. D. The City Council, through passed resolution 84869 on March 4th, 2014, which provides in relevant part the following limitations on the Domain Awareness Center: 1530151 Page 2 of 12 January 15, 2014 Draft That the Domain Awareness center will be implemented in a port-only approach and shall hereafter be referred to as the “Port Domain Awareness Center (DAC); and . . . That the following items will be removed from the DAC Phase I integration: (a) Shot Spotter in immediate areas outside of the Port Area, and (b) 40 City Traffic Cameras identified on pages 9 and 10 of the City Administrator’s Supplemental Agenda Report, dated February 27, 2014, and . . . That the following items will be removed from DAC Phase II integration: (a) Police and Fire Records Management Systems (RMS), and (b) any news feeds and alerts except those expressly listed in the City Administrator’s Supplemental Agenda Report, dated February 27, 2014, and . . . That staff shall: (1) develop a clear definition of the Police and Fire Computer Aided Dispatch (CAD) that will be integrated into the DAC, and (2) develop a protocol for the use of such CAD data by the DAC, and . . . That operation of any DAC program beyond the Port area may only move forward upon explicit approval of the Council, and . . . That City, as opposed to Port, Shot Spotter is specifically excluded from the Port-only Domain Awareness Center program and may only be included in the future upon approval by the Council, and . . . That there will be no data or information sharing with any local, state, or federal agency/entity without a written Memorandum of Understanding that has been approved by Council, and . . . That no new system capabilities can be added to the DAC without express City Council approval, including, but not limited to technological functionalities such as facial recognition, other forms of analytics (like “gait analysis”, in which someone can be identified based on the way they walk) or other capabilities that haven’t yet been invented but are soon to come . . . V. DEFINITIONS As used in this Policy, the following terms are defined below: “Allowable Use” means the list of uses in Section VIII A. of this Policy for which the DAC can be used. “Analytics” means the discovery and understanding of meaningful patterns and trends in data for well-informed decisions. Especially valuable in areas rich with recorded information, analytics relies on the simultaneous application of statistics, computer programming and operations research to quantify performance. 1530151 Page 3 of 12 January 15, 2014 Draft “Bookmark” means a feature of video management systems that allows DAC Staff to quickly mark and annotate a moment for later review; the time stamped record is the bookmark. “Compliance Officer” means the City Auditor or their designee who is responsible for reviewing the quarterly reports prepared by the Internal Privacy Officer and conducts random audits to ensure the DAC Staff is abiding by this Policy. “DAC Data” means any data or information fed into, stored, or collected or captured by the DAC System, or derived therefrom. “DAC Operations Group” means the various personnel who support and maintain the DAC IT systems. “DAC Staff” means the City of Oakland employees who will be responsible for monitoring the equipment within the DAC on a day-to-day basis, including supervisors, and that have completed appropriate training prior to interaction with the DAC. “DAC System” means access and use of the following combined feeds and systems in one application or framework: Port Security Cameras (Phase 1), Port Intrusion Detection System (IDS) (Phase 1), Port GIS (Phase 2), Port Vessel Tracking (Phase 2), Port Truck Management (Phase 2), Police and Fire CAD (Phase 2), WebEOC Notifications (Phase 2), Tsunami Alerts (Phase 2), Police and Fire Automatic Vehicle Location (Phase 2), NOAA Weather Alerts (Phase 2), USGS Earthquake Information (Phase 2), City of Oakland Shot Spotter Audio Sensor System (only those sensors that provide coverage to Port areas), and the physical security information system, server, attached storage, and mobile devices. “DAC System” does not refer to the use of any of these systems or feeds outside the DAC application or framework. “EOC” means: Oakland's Emergency Operations Center, a facility and service of the Oakland Fire Department's Emergency Management Services Division (EMSD). The EMSD ensures "that the City of Oakland and community are at the highest level of readiness and able to prevent, mitigate against, prepare for, respond to and recover from the effects of natural and human-caused emergencies that threaten lives, property and the environment." "EMSD also supports the coordination of the response efforts of Oakland's Police, Fire and other first responders in the City's state-of-the-art Emergency Operations Center to ensure maximum results for responders, the ability to provide up-to-date public information and the ability to provide the best resource management during a crisis. Additionally, EMSD coordinates with the Operational Area and other partner agencies to guarantee the seamless integration of federal, state and private resources into local response and recovery operations. The EOC is a secure facility with access limited to City employees with a need for access, contractors, and security-cleared members of partner organizations. The EOC facility hosts the Port DAC systems, data, and staff.” “Internal Privacy Officer” means the person who oversees the day-to-day operations of the DAC and who is charged with ensuring the DAC Staff are abiding by this Policy on a day-to1530151 Page 4 of 12 January 15, 2014 Draft day basis. They check the logs, file reports, and make immediate decisions that arise that do not allow time for a further review. "ITD" means the City of Oakland's Information Technology Department. “Major Emergency” means the existence of conditions of disaster or extreme peril to the safety of persons and property within the territorial limits of the Port of Oakland or having a significant adverse impact within the territorial limits of the Port of Oakland, caused by such conditions as air pollution, fire, flood, storm, epidemic, drought, sudden and severe energy shortage, plant or animal infestation or disease, the state Governor’s warning of an earthquake or volcanic prediction, or an earthquake, or other conditions, which are likely to be beyond the control of the services, personnel, equipment, and facilities of the City of Oakland and require the combined forces of other political subdivisions to combat, or with respect to regulated energy utilities, a sudden and severe energy shortage requires extraordinary measures beyond the authority vested in the California Public Utilities Commission. “Need To Know” means even if one has all the necessary official approvals (such as a security clearance) to access the DAC System, one shall not be given access to the system or DAC Data unless one has a specific need to access the system or data in order to conduct one's official duties in connection with one of the Allowable Uses in Section VIII A. of this Policy. Furthermore, the “need” shall be established prior to access being granted by the designated City official or their designee and shall be recorded in accordance with Internal Record Keeping and Auditing requirements under Section IX. “Personally Identifiable Information” (called PII) means any data or information that alone or together with other information can be tied to an individual with reasonable certainty. This includes, but is not limited to one’s , name, social security number, physical description, home address, telephone number, other telephone identifiers, education, financial matters, medical history, employment history, photographs of faces, whereabouts, distinguishing marks, license plates, cellphone meta-data, internet connection meta-data. “Protected Activity” means all rights including without limitation: speech, associations, conduct, and privacy rights including but not limited to expression, advocacy, association, or participation in expressive conduct to further any political or social opinion or religious belief as protected by the United States Constitution and/or the California Constitution and/or applicable statutes and regulations. The First Amendment does not permit government “to forbid or proscribe advocacy of the use of force or of law violation except where such advocacy is directed to inciting or producing imminent lawless action and is likely to incite or produce such action.” White v. Lee (9th Cir. 2000) 227 F.3d 1214, 1227; Brandenburg v. Ohio (1969) 395 U.S. 444, 447. Example of speech not protected by 1st Amendment: People v. Rubin (1979) 96 C.A.3d 968. Defendant Rubin, a national director of the Jewish Defense League, held a press conference in California to protest a planned demonstration by the American Nazi Party to take place in Illinois in five weeks. During his remarks, Rubin stated: “We are offering five hundred dollars . . . to any member of the community . . . who kills, mains, 1530151 Page 5 of 12 January 15, 2014 Draft or seriously injures a member of the American Nazi Party. . . . This is not said in jest, we are deadly serious.” Rubin was charged with solicitation for murder. The appeals court upheld the charge, reasoning that Rubin’s words were sufficiently imminent and likely to produce action on the part of those who heard him. Id. at 978-979. Example of speech protected by 1st Amendment: Watts v. U.S. (1969) 394 U.S. 705. The defendant, Watts, stated that he would refuse induction into armed forces and “if they ever make me carry a rifle the first man I want in my sights is L.B.J.”. and was federally charged with “knowingly and willfully threatening the president.” The Court, reasoned that Watts did not make a “true ‘threat’” but instead was merely engaging in a type of political hyperbole. Id., at 708. “Reasonable Suspicion” means specific and articulable facts which, taken together with rational inferences from those facts, evince more than an inchoate and unparticularized suspicion or hunch that an individual or organization is involved in a definable criminal activity or enterprise. Reasonable Suspicion shall not be based on Protected Activity. Furthermore, a suspect’s actual or perceived race, national origin, color, creed, age, alienage or citizenship status, gender, sexual orientation, disability, or housing status, shall not be considered as a factor that creates suspicion, and may only be used as identifying information in the description of a criminal suspect. The “Right to Privacy” is recognized by the California Constitution as follows: All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy. Cal. Const. Art. 1, Section 1. VI. ACCESS TO THE DAC SYSTEM / EQUIPMENT Day to Day Operations The DAC computer and network equipment is maintained by the City’s DAC Operations Group. Only DAC Staff will be used to monitor DAC Data. All employees who are assigned to monitor the DAC Data will be required to undergo security background checks at the local level as well as security clearances at state and/or federal levels and will be required to sign binding Non-Disclosure Agreements to ensure data and information security. Training Training by the Internal Privacy Officer is required prior to interaction with the DAC System. All DAC Staff who are assigned to monitor the DAC Data will be required to participate in specific training around constitutional rights, protections, and appropriate uses of the DAC System and consequences for violating this Policy. 1530151 Page 6 of 12 January 15, 2014 Draft Critical incidents/emergencies/EOC activations During an Allowable Use as enumerated in Section VIII A. with EOC activation, notwithstanding the requirements in Section VII, City of Oakland Agency Directors and/or their designees in the Emergency Operations Center (EOC) and outside governmental agencies and non-governmental agencies’ staff assisting with the Allowable Use (such as the Red Cross) that would report to EOC may have limited access to the live data produced by the DAC System only on a Need To Know basis and if there was a direct correlation between the Allowable Use and DAC operations. Support and Repairs ITD staff and vendors that installed the systems as well as other maintenance providers will have access to the system components but will be prohibited from access to DAC data. Various manufacturers and vendors are hired to provide additional support services. Any system and network level access by these vendors require both a background check and ITD employee presence. The system level access is maintained by ITD staff, however the Applications level access, as far as end-users are concerned, is maintained by the DAC Staff. Funding Auditing Purposes Federal, State, or Local funding auditors may have access to only equipment, hardware, and software solely for audit purposes and must abide by the requirements of this Policy. VII. ACCESS TO INFORMATION AND DATA OBTAINED THROUGH DAC A. Access: Access to DAC Data shall be limited exclusively to City and Port employees with a Need To Know. Other than DAC Staff, any sworn or non-sworn personnel without a direct role in investigating or responding to an incident will not be permitted access to DAC Data. B. Data Sharing: If the DAC Data that is being requested is from an outside feeder source, the law enforcement agency seeking such information must go to the original source of the information to request the data, video or information. In order for DAC Staff to provide DAC Data to non-City of Oakland agencies there must be a warrant based upon probable cause, court order, or a written Memorandum of Understanding (MOU) or Contract approved by the City Council after enactment of this Policy. Any legislation authorizing such MOU or Contract must clearly state whether the MOU or Contract will allow for DAC Data to be shared with another agency. Furthermore, any such MOU or Contract must provide in the title of such document that it authorizes the sharing of DAC Data with another agency. C. Retention: The DAC shall not record any data except bookmarks of Allowable Uses as defined in Section VIII. 1530151 Page 7 of 12 January 15, 2014 Draft VIII. ALLOWABLE USE A. Uses: The following situations at the Port are the only ones in which the use of the DAC is allowable and may be activated in response to: Active Shooter Aircraft Accident or Fire Barricaded Subject Bomb/Explosion Bomb Threat Burglary Cargo Train Derailment Chemical or Biological Incident Container Theft Earthquake Electrical Substation Intruder Alarm Fire Flooding-Water Main Break HAZMAT Incident Hostage Situation Major Emergency Marine Terminal Fence Line Intruder Alarm Mass Casualty Incident Major Acts of Violence (likely to cause great bodily injury) Medical Emergency Missing or Abducted Person Pandemic Disease Passenger Train Derailment Person Overboard Port Terminal/Warehouse Intruder Power Outage Radiation/Nuclear Event Detected Severe Storm Ship Accident or Fire Ship Intruder/Breach Supply Chain Disruption Street Racing/Side Show Takeover of a vehicle or vessel (transit jack) Telecommunications/Radio Failure TWIC Access Control Violation Tsunami Warning Technical Rescue Unauthorized Person in Secure Zone Unmanned Aerial Vehicle in Port airspace Vehicle Accident requiring emergency medical attention Wildfire -3 Alarm or greater B. The DAC shall not be used to infringe, monitor, or intrude upon Protected Activity except where all of the following conditions are met: 1) There is a Reasonable Suspicion of criminal wrongdoing; and 2) DAC Staff articulates the facts and circumstances surrounding the use and basis for Reasonable Suspicion in a written statement filed with the Internal Privacy Officer no later than 8 hours after activation of the DAC System. IX. AUDITS AND REPORTING METRICS Because surveillance technology invites abuse by persons with access to its tools and data, the DAC shall be periodically audited for compliance with this Policy. Internal Recordkeeping, Auditing, and Internal Privacy Officer 1530151 Page 8 of 12 January 15, 2014 Draft It is recommended that a City official or designee serve as an Internal Privacy Officer. Such an official shall oversee the day-to-day operations of the DAC and will be charged with ensuring the DAC staff is abiding by this policy on a day-to-day basis. Further, such official shall check the logs, file reports, and make immediate decisions that arise that do not allow time for a further review and shall be responsible for preparing the Internal Recordkeeping and Audits and ensuring DAC Staff compliance with this Policy. The results of Internal Auditing shall be provided to the Compliance Officer, City Administrator, the City Council, and be made publicly available to the extent the release of such information is not prohibited by law. DAC Staff shall keep the enumerated records in this section for a period of two years to support compliance with this Policy and allow for independent third party auditors to readily search and understand the DAC System and DAC Data. The records shall include the following: 1. A written list of methods for storing bookmarks and DAC Data, including how the data is to be secured, segregated, labeled or indexed; 
 2. A written list of who may access the DAC System and DAC Data and persons responsible for authorizing such access; and 3. Auditing mechanisms that track and record how the DAC System and DAC Data are viewed, accessed, shared, analyzed, modified, bookmarked, deleted, or retained. For each such action, the logs shall include timestamps, the person who performed such action, and a justification for it (e.g., specific authorized use). External Audits/Public Safety Effectiveness Quarterly and as needed audits of the DAC System will be conducted and made publicly available to the extent the release of such information is not prohibited by law, by the Compliance Officer to ensure compliance with this Policy. The audit shall include the following information and describe any corrective action taken or needed: 1. Purpose Specification: General statistical breakdown of how the DAC System was used including: a. Listing and number of incident records by incident category b. Average time to close an incident record c. Number of incidents actionable by DAC Staff vs. number of incidents non-actionable and/or false alarms. 2. Public Safety Effectiveness: Summary and general information and evaluations about whether the DAC has accomplished its stated purpose, including: a. Crime statistics for geographic areas where the DAC was used; b. The number of times the DAC was used to bookmark or retain data for potential criminal investigations; c. The number of times DAC Data was shared for potential criminal investigations; d. Lives saved; e. Persons assisted; f. Property saved or preserved; g. Wildlife/Natural Habitat saved or assisted. 1530151 Page 9 of 12 January 15, 2014 Draft 3. Data Sharing: How many times DAC Data was shared with non-City entities and: a. The type of data disclosed; b. Justification for disclosure (e.g., warrant, memoranda of understanding, etc.) c. The recipient of the data; d. Date and time of disclosure; and e. Obligations imposed on the recipient of shared information. 4. Data Minimization: Describe whether and how the DAC System was used in a manner not allowed under Section VIIIA of this Policy. Describe whether and how the DAC Data was accessed in violation of this Policy and what were the consequences of such misuse? 5. Protected Activity Exception: The number of times DAC Staff certified use of the Protected Activity Exception as provided in Section VIII B, and copies of each written certification. 6. Dispute Resolution: A summary and description of the number and nature of complaints filed by citizens or whistleblowers and the resolution of each. 7. Requests for Change: A summary of all requests made to the City Council for approval of the acquisition of additional equipment, software, data, or personnel services including whether the City approved or rejected the proposal and/or required changes to this Policy before approval. 8. Data Retention: Describe whether data was retained in violation of this Policy. 9. System Access Rights Audit: Verification that individual user assigned access rights match access rights policy for user’s designated staff role. 10. Public Access: Statistics and information about public records requests received, including response rates. 11. Cost: Total annual cost of the surveillance technology, including ongoing costs, maintenance costs, and personnel costs. Independent Audits The City Council shall provide for annual independent third party audits of DAC performance and security. The auditor shall have full access to Internal Recordkeeping, the DAC System, and the DAC Data. The results of the independent audit shall be made publicly available online to the extent the release of such information is not prohibited by law. Annual Report The Compliance Officer shall prepare and present an Annual Report that summarizes and includes the results of Internal Recordkeeping and Auditing, External Audits, and Independent Audits to the extent the release of such information is not prohibited by law, and present it to the City Council at a public meeting in January of each year, or at the next closest regularly scheduled council meeting. The City Council should use the Report and the information it’s based on to publically reassess whether the DAC benefits outweigh the fiscal and civil liberties costs. X. RECORDS MANAGEMENT 1530151 Page 10 of 12 January 15, 2014 Draft The DAC Staff will be the custodian of records; responsible for retention (as noted in Section VII), access to information, and responding to requests for information under California’s Public Records Act. DAC Staff must follow all relevant and applicable policies, procedures, regulations and laws. XI. REDRESS AND PUBLIC INFORMATION REQUESTS To the extent the release of such information is not prohibited by law, all protocols, public records, including but not limited to use logs, audits, DAC Data, and any sharing agreement, shall be available to the public upon request. XII. SANCTIONS AND ENFORCEMENT REMEDIES Contingent on the City Council passing legislation providing for a criminal penalty and/or private right of action as a consequence of a violation of this policy, the following provisions may apply. These provisions are noted by asterisks to indicate that they require further Council action to take effect Criminal Penalty* Any Person found guilty of knowingly or willfully violating any section or provision of this Policy shall be guilty of a misdemeanor and punishable upon conviction by a fine of not more than $1,000 or by imprisonment not to exceed six months, or both fine and imprisonment. This Policy defines any violation of this Policy as an injury to any person affected by such violation. Private Right of Action* There is a strong, definitive relationship between PII and the individual in that PII belongs to the individual (is considered their property) and is his/hers to disclose or to keep private to himself. Any Person who knowingly or willfully violates any section or provision of this Policy, including without limitation the dissemination of PII, shall be subject to a private right of action for damages or equitable relief, to be brought by any other person claiming that a violation has injured his or her business, person, or reputation including mental pain and suffering they have endured. A person so injured shall be entitled to actual and punitive damages, a reasonable attorney's fee and other costs of litigation, in addition to any other relief allowed under California law. This Policy defines any violation of this Policy as an injury to any person affected by such violation. Violations of this Policy shall result in consequences that may include retraining, suspension, termination, criminal fines and penalties, or individual civil liability and attorney’s fees and/or damages as provided by California or Oakland law, depending on the severity of the violation. 1530151 Page 11 of 12 January 15, 2014 Draft XIII. SEVERABILITY. If any section, subsection, sentence, clause or phrase of this policy is for any reason held to be invalid or unconstitutional by decision of any court of competent jurisdiction, such decision shall not affect the validity of the remaining portions of the policy. The City Council hereby declares that it would have adopted this policy and each section, subsection, clause or phrase thereof irrespective of the fact that one or more other sections, subsections, clauses or phrases may be declared invalid or unconstitutional. 1530151 Page 12 of 12 January 15, 2014 Draft