The San Jose City Council on Sept. 17 approved a resolution setting out six City-Wide Privacy Principles. Dolan Beckel, director of the city's Office of Innovation and Digital Strategy, said in a memorandum these were the “north star” guiding the development of a “centralized privacy policy” to safeguard public trust in city use of tech that might identify and/or retain personally identifiable information (PII). Among the takeaways:
• The principles affirm that the city values privacy as “an inherent human right” and that it commits to “fully evaluating risks to your privacy” before collecting, using or sharing residents’ information. The city will “collect only what we need” to deliver and improve services and comply with the law. It will be “open and transparent” about the information it collects, why it collects that information and how it is used. It will “give you control over your data,” providing residents with the information necessary to make informed decisions about data sharing; and visibility into data the city has already collected. It will “share only what we need,” and anonymize most information before sharing it outside the city. Business partners and vendors who receive or collect PII from the city or on its behalf will be held to privacy agreements. San Jose will also “design for privacy and security,” integrating privacy and security into its designs, systems and processes — and committing to updating its tech and processes to safeguard information.
• The initiative comes out of the city’s broadband and digital inclusion strategy, which recommended adoption of a citywide privacy policy per direction from Mayor Sam Liccardo. Following approval of that strategy in November 2017, the city engaged the Harvard Cyberlaw Clinic, pro bono, to help guide the effort — which revealed San Jose would be one of a very few cities nationally to stand up such a policy. Beckel said Seattle may be the only other municipality with a true citywide privacy policy. Officials also held three public forums in English, Spanish and Vietnamese; convened quarterly meetings of its eight-member Privacy Taskforce Group of experts; then brought the year's worth of input to its internal Privacy Working Group, which helped create the principles.
City Hall’s timeline calls for filling one position to work on the policy, then drafting the policy over roughly three to six months — potentially seeking City Council approval in late summer or early fall 2020. Once the policy is in place, Beckel told Techwire the city will “start iterating through our privacy impact assessments” to better understand its effects on city processes and technology.
• Privacy impact assessments will be publicly available, the innovation director said, to drive public understanding about what data is collected and how it’s used; but also to ensure city departments understand “the limits and requirements for their implementation.” An example of a city technology that could be assessed for compliance with the privacy policy is San Jose’s exploration of using license plate readers in parks to discourage illegal dumping.
“It’s important to maintain people’s trust in the city and so we have to implement privacy in our people, process and systems the right way; and that will come from the privacy impact assessment and then it will require a real effort and change within the city,” Beckel said.
• In a job posting that opened Aug. 13 and will remain open until filled, San Jose seeks to hire a Senior Privacy Policy Analyst to guide “privacy policy development process through community engagement, centralized governance review, and creating use cases for a privacy policy that safeguards the public trust.” The post is “an overstrength position with the City Manager’s Office through June 30, 2020.” It’s budgeted as a two-year position, but positions are often considered annually “from a hiring perspective” and renewed depending on performance, Beckel said via email.
“This position will employ the Privacy Principles to test use cases to scale privacy policy across real-world technologies and business uses,” according to the listing. It will require the successful candidate to develop the “strategic point-of-view” needed to write the policy — but maintain “strong working relationships” with internal and external stakeholder groups. Other responsibilities include doing community outreach; researching technology policy in areas including blockchain, cryptocurrency, digital privacy and security; and participating in industry forums. Salary range is $84,991 to $129,836.
“There are a lot of other people in the city who will be working on the policy and collaborating on it, like our attorneys, like all of our IT departments,” Beckel said. “But this is that person’s sole dedicated role, is to work and develop the privacy policy.”
