Data Usage Protocol for Road Safety Detection Pilot (Dec 2023, updated April 2024)

City of San José

Data Usage Protocol for Road Safety Detection Pilot

Owning department(s): Information Technology (IT), Department of Transportation (DOT), Parks, Recreation, and Neighborhood Services (PRNS)

Department owner: Chief Information Officer / IT Director

Contact method: digitalprivacy@sanjoseca.gov

1) Purpose

The City of San José is exploring the use of a road safety detection solution (“Solution”) that is capable of visually detecting various objects along the roads around the City, enabling the City to detect issues concerning abandoned vehicles, parking enforcement, potholes, obstructions to lanes, and trash, among other initiatives.

The City is inviting vendors to pilot detection solutions and evaluate them based on their accuracy, privacy protections, practicality, integrations, project delivery, auditability, adaptability, bias, quality assurance and future capabilities.

2) Authorized Uses

Data generated by each detection solution shall only be used to take pictures or videos that inform service delivery and infrastructure design in the public right-of-way, including:

1. Parking violations and abandoned vehicles;
2. Street cracks and potholes;
3. Biowaste and large items on streets or sidewalks;
4. Graffiti

The vendor can only use the data for purposes authorized by the City.

3) Prohibited Uses

Uses of identifying data not explicitly authorized in the “Authorized Uses” section are prohibited. In addition, the City will not use this data to:

1. Identify an individual;
2. Investigate immigration status;
3. Monitor people engaging in legal activity;
4. Actively monitor for law enforcement purposes. Law enforcement may request access to previously stored footage. Law enforcement is not actively monitoring any data collected by the object detection solutions.

4) Data Collection

Data collection occurs through cameras attached to City vehicles. If any of the vendors provide the City with their own cameras, they will be installed on existing City vehicles and object identification will take place as City vehicles are in motion. Alternatively, the City may use existing cameras to upload footage to its open data portal for the vendors to build identification algorithms.

 5) Notice

Signage and notice will comply with relevant state and federal law. Signage will include a decal on the side of the vehicle that states a City vehicle is present.

Additional notice is being provided to residents along the route of the vehicles and online through this protocol.

The initial pilot will be in Council District 10. The City will publish maps of the pilot locations as they are established.

6) Retention and Minimization

Data will be retained in accordance with local, state, and federal law. Data will be “de-identified” or deleted within one month of collection. The de-identification process includes blurring faces, blurring addresses, and blurring license plates.

All video footage and images will be purged following the completion of the pilot unless otherwise required by law.

The data collected and generated from this initiative is subject to relevant local, state, and federal law. Data will not be available for public access unless required pursuant to city, state, or federal law, or a court order. Some personal information may be redacted prior to public disclosure if the City determines disclosure of that information is protected by law.

Aggregated data may be reported to the public for purposes of transparency and accountability. The vendors may be granted access to the raw data for only purposes authorized by the City. Any other such accessing of the data by the vendor is prohibited.

The City will evaluate the accuracy of the services provided by each participating vendor.

8) Accountability

Unless guided under a sharing agreement with external parties, only City staff and participating vendors can access the data. The City reserves the power to review who has access to the data. For example, if the City provides data access to a vendor, the City may review who has accessed the data.

9) Sharing

Raw or identifiable data will only be shared with partner government agencies when required by law or following the approval of an agreement which specifically outlines what data may be shared and under what circumstances. Authorized vendors acting on behalf of the City may also access raw or identifiable information only as authorized by the City.

10) Equity and community engagement

The Solution will be initially subject to a trial period. The City will conduct community engagement before and after piloting to gather residents’ feedback about the use of detection in their neighborhoods.

Members of the public may submit any concerns via the public comment feature at sanjoseca.gov/digitalprivacy. Comments may also be submitted by emailing the Digital Privacy Office at digitalprivacy@sanjoseca.gov  or mailing the Digital Privacy Officer at 200 E Santa Clara Street, 11^th floor, San Jose, CA 95113.

11) Storage and Security

Data will be stored in a method approved by the City’s Cybersecurity Office. In the event that any personal information is stored or managed by a vendor, the City’s Cybersecurity Office must approve of the vendor’s data storage and data security.

In the event of a confirmed data breach where personal information such as photographs or video have been accessed by an unauthorized party, the City and vendors will follow the City of San José’s Incident Response Plan (found in the City of San José Information Security Standards Handbook). This security protocol and further security details can be found in City Policy Manual 1.7.6 and are overseen by the City’s Cybersecurity Office.

12) Training

City staff responsible for the object detection solutions and vendor staff using them on behalf of the City are responsible for following this Data Usage Protocol. Each vendor in the initiative is responsible for training relevant Department staff (as determined by Department) to manage the system, including how to access the information managed in the system (e.g., the video footage and objects detected), tools available to de-identify the data (e.g., blurring faces), and tools available to validate and correct the system.

13) Reporting requirements

The City will publish findings from the pilot following its conclusion in 2024. This will include details around what objects were identified well or poorly, lessons learned in the course of the pilot, privacy risks that are not already accounted for above, and additional information as requested by the City Manager.

Data Usage Protocol (DUP) for Gunshot Detection Technology
UPDATED as of February 10, 2023

City of San José

Data Usage Protocol (DUP) for Gunshot Detection Technology

Owning department(s): San José Police Department (SJPD)
Department owner: Deputy Chief, Executive Officer

1) Purpose

Police officers may utilize gunshot detection systems to enhance their ability to rapidly respond to potential firearm crimes. Gunshot detection systems recognize the typical audio signature of a gunshot and alert Police of the sound. When used with Automated License Plate Readers (ALPR) to capture photos of passing vehicles, gunshot detection systems can identify the time, location, and associated vehicles surrounding a firearm incident. The integrated use of gunshot detection systems and ALPR can increase police officers’ capacity to respond to incidents of gun violence.

The City of San José (City) and the San José Police Department (SJPD) will use gunshot detection in conjunction with an ALPR camera. Automated License Plate Readers (ALPRs) use high speed cameras to photograph vehicle license plates. Additional information on Automated License Plate Readers can be found in the Data Usage Protocol for ALPR technology.¹

This Data Usage Protocol (DUP) defines for the City of San José’s (hereafter referred to as “City”) Police Department (hereafter referred to as “Department”):

1. Authorized usage of gunshot detection technology that complies with all applicable federal, state, and local laws;
2. Annual reporting requirements on gunshot detection usage; and
3. An ongoing avenue for public feedback on gunshot detection.

2) Authorized Uses:

Gunshot detection shall only be used for the official law enforcement purposes outlined below. Any other usage by the Department or by a gunshot detection vendor (Vendors) is prohibited. Vendors may only use the data if authorized by the City to act on behalf of the City. The Department and authorized vendors may utilize gunshot detection and any data generated to do the following:

1. Record audio clips of around three (3) seconds that match the audio signature of a gunshot;
2. Use for official law enforcement purposes to respond to an alert triggered by the gunshot detection system not prohibited under the “Prohibited Uses” section; and
3. Use in conjunction with any patrol or investigative function not prohibited under the “Prohibited Uses” section. 

3) Prohibited Uses:

Gunshot detection will not be used for the following purposes:

1. Monitor or record audio beyond brief clips as detailed in the “Authorized Uses” section;
2. Integrate with voice recognition technology;
3. Monitor individual or group activities legally allowed in the State of California and/or protected by the First Amendment to the United States Constitution;
4. Share with federal immigration authorities or use in the investigation of any matter related to immigration status of an individual;
5. Engage in automated citations or other automated enforcement without manual review from SJPD staff; and
6. Sale of gunshot detection and generated data to any entity.

4) Data Collection

Gunshot detection systems are designed to recognize the unique audio signature of a typical firearm discharge. Modern gunshot detection systems are integrated with existing ALPR units to enhance the City’s existing crime prevention infrastructure.

When a gunshot detection system recognizes the audio signature of a gunshot, an alert is sent to SJPD that contains the location of the incident. The ALPR camera captures images independently of the gunshot detection system.

Figure 1: Diagram of the ALPR camera and gunshot detection system mounted on a street pole. 

Figure 2: The gunshot detection system recognizes the audio signature of a gunshot and begins recording a 3-second audio clip. The system sends an alert to the Police Department that a gunshot was detected. The ALPR camera operates independently and is triggered if a vehicle passes through the intersection and captures a still image.

5) Notice

Gunshot detection systems can be deployed in an area as small as a ¼ square mile in both urban (city neighborhoods) and rural (parks) environments. Since the gunshot detection system will be used alongside ALPR cameras, notice is provided alongside notice for ALPR cameras.

Figure 3: Example of signage at a traffic intersection indicating that ALPR cameras are in use. (Source: ABC7 News)

The notice will include that recording technology is in use and will direct the reader to where they can get more information about the ALPR and gunshot detection programs and policies. Notice and additional detail, including this Data Usage Protocol, will be available on the City website.

6) Retention and Minimization

Data collected from gunshot detection systems will be retained as required by California retention law.² Once the retention period has expired, the record shall be purged entirely from all active and backup systems unless the data is related to an active investigation of a crime.

Data associated with a criminal investigation may be stored for longer in accordance with applicable state and federal evidentiary laws, to include retaining the data through the adjudication of a case in a recognized court of law, as well as allotment of time for an appeals process and statute of limitations.

7) Access and Accuracy

Raw gunshot detection data, including recorded audio, will not be available for public access unless required pursuant to city, state, or federal law, or a court order. Some personal information may be redacted prior to public disclosure if the City determines that releasing it may cause substantial harm to an individual.

Aggregated data on the gunshot detection, including performance metrics on the accuracy of the technology, will be made available annually in the Annual Data Usage Report. More details on the Annual Data Usage Report can be found in the “Annual Data Usage Report requirements” section below. The City may release more aggregated data periodically at its discretion.

8) Accountability

All Department members authorized to use or access gunshot detection data shall be accountable for knowledge of this protocol. See “Training” section for definition of “authorized”.

Periodic, random audits shall be conducted by a unit other than Crime Data Intelligence Center (CDIC) at the direction of the Deputy Chief, Executive Officer to ensure and evaluate compliance with system requirements and with the provisions of this protocol and applicable law. Audit trails shall be maintained by the Department for a minimum of two (2) years. Additional audits or reviews may be triggered at the direction of the City Council or Digital Privacy Officer (DPO), consistent with state law and authorized access to information.

The results of the audits are subject to the law and potential California Public Records Act requests. Some personal or confidential information may be redacted prior to public disclosure if the City determines that releasing it may cause substantial harm to an individual or individuals.

In the event of a trigger of the gunshot detection system, the following information shall be kept:

1. Date/Time the gunshot detection device was triggered;
2. Location of the device triggered;
3. The recorded audio data if retained; and
4. The corresponding incident or case number for this trigger.

9) Sharing

The City does not share gunshot detection data with any contracted, commercial, or private entity. The provision of data hosting shall not be considered the sale, sharing, or transferring of gunshot detection information.

Information gathered or collected, and records retained by the City will not be:

1. Sold, published, exchanged, or disclosed for commercial purposes;
2. Disclosed or published without authorization; or
3. Disseminated to persons not authorized to access or use the information.

The City shall not confirm the existence or nonexistence of information to any person or agency that would not be eligible to receive the information unless otherwise required by law. The City may agree to share access to its gunshot detection database by law enforcement agencies within the State of California on an agency-by-agency basis if an agreement is put into place.

The data will not be shared beyond the approved agencies. All agencies must request SJPD gunshot detection and ALPR data directly from SJPD (e.g., if SJPD shares gunshot detection data with Santa Clara PD, Sunnyvale PD must request SJPD data through SJPD rather than Santa Clara). The requesting agency may only access the data for an authorized purpose as noted in this protocol.

10) Equity and Community Engagement

The City will make a reasonable effort to identify and mitigate any inequity inherent in the gunshot detection technology and its implementation. Members of the public may submit any concerns via the public comment feature at sanjoseca.gov/digitalprivacy. Comments may also be submitted by emailing digitalprivacy@sanjoseca.gov or mailing the Digital Privacy Officer at 200 E Santa Clara St. San Jose CA 95113, 11^th Floor. Gunshot detection system implementations can impact certain populations more than others. The City of San Jose is cognizant of that concern and will field potential complaints when submitted by emailing: digitalprivacy@sanjoseca.gov. After receiving a complaint, the City will perform an investigation and determine a corrective action plan, if necessary.

11) Storage and Security

Data collected by gunshot detection systems shall be stored in a secured police facility or secured third-party hosting environment. With the exception of audits, access to the raw data (audio recordings) shall be limited to law enforcement staff with a legitimate need and right to access the information.³ The Department will utilize reasonable physical, technological, administrative, procedural, and personnel security measures to prevent unauthorized access to gunshot detection data. Authorized sworn personnel or authorized civilian personnel (such as a crime analyst) shall have general user access to the SJPD gunshot detection database, as appropriate, to query information. See “Training” section for definition of “authorized personnel”. Entities authorized to audit the gunshot detection system (see “Accountability” section for who can authorize) do not need to be a part of the Department to access the database.  

Sworn personnel or authorized civilian personnel as approved by the Deputy Chief, Executive Officer, or his/her designee shall have administrative user access to the SJPD gunshot detection database, as appropriate, to control:

1. The information to which a particular group or class of users can have access based on the group or class;
2. The information a class of users can access, and/or data being utilized in specific investigations;
3. Sharing capabilities with other law enforcement agencies; and
4. Any administrative or functional access required to maintain, control, administer, audit, or otherwise manage the data or equipment.

The Criminal Data Intelligence Center (CDIC) shall ensure compliance with this protocol. The custodian of gunshot detection data for purposes of this protocol shall be the Deputy Chief, Executive Officer or his/her designee.

In the event of a confirmed data breach where information has been accessed by an unauthorized party, the Department will follow the City of San José’s Incident Response Plan. This security protocol and further security details are overseen by the City’s Cybersecurity Office.⁴

12) Training

Except for audits, only authorized personnel, meaning Department personnel trained in the use of ALPR technology, including its privacy and civil liberties protections, shall be allowed access to ALPR data. Training shall consist of:

1. Legal authorities related to the use of ALPR data and technology;
2. Current Department Data Usage Protocol regarding authorized use of ALPR technology;
3. Technical, physical, administrative, and procedural measures to protect the security of ALPR data against unauthorized access or use; and
4. Practical exercises in the use of ALPR technology.

13) Annual Data Usage Report requirements

To provide the City and the public with ongoing reporting on the usage and accuracy of the gunshot detection technology, the following information will be required in an Annual Data Usage Report submitted every year to the Digital Privacy Officer (DPO) no later than March 1^st and covers the previous calendar year (January 1^st – December 31^st). In the year this Data Usage Protocol goes into effect, the Department is only required to report on the period from the date the Data Usage Protocol goes into effect until the end of the calendar year.⁵ The Digital Privacy Officer will release the report to the public once private, confidential, and otherwise sensitive information is removed. The DPO shall release the report within 90 days of receiving it from the department, unless additional time is required to remove private, confidential, and sensitive information. If the DPO needs additional time, they shall provide a notice of extension to the public via the Digital Privacy webpage.⁶

1. Summary of the project and updates since the prior year, including detail on value to the department
2. Plans for future years, including any planned expansion of project or shift in data usage
3. Reporting metrics on gunshot detection usage and accuracy including:

1. # of false positives (instances in which the gunshot detection system incorrectly identifies a non-gunshot audio signature as a gunshot audio signature)
   1. Reported by location
2. # of false negatives (instances in which the gunshot detection system fails to report a gunshot that was reported by a 911 call)
   1. Reported by location
3. # of true positives (instances in which the gunshot correctly identifies a gunshot audio signature)
   1. Reported by location
4. # of duplicative positives (instances in which the gunshot detection system reports a gunshot that was also reported by a 911 call)
   1. Reported by location

SJPD may directly report this information to the Digital Privacy Officer (DPO), or provide the Digital Privacy Officer with raw gunshot detection report data, including the latitude and longitude of each relevant incident, from which the DPO can report by location as needed.

¹See San José Police Department Duty Manual Section L4207.

²As of last update to this document, that is two years. Refer to California Government Code 34090 for retention guidance: https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=GOV&division=1.&title=4.&part=&chapter=1.&article=4.

³See SJPD Duty Manual section C2003.1 “Authorized Receivers of Sensitive Controlled Information” - https://www.sjpd.org/home/showpublisheddocument/314

⁴An overview of Information Technology’s Incident Response plan can be found in the City’s Information Security Standards Handbook Section 8.7, “Incident Response”: https://www.sanjoseca.gov/home/showdocument?id=85853#page=32

⁵If this Data Usage Protocol is passed after September 30^th, the first Annual Data Usage Report will not be required until the following year, which will cover usage from the date the Data Usage Protocol goes into effect to December 31^st of the following year

^6Link to the digital privacy webpage: https://www.sanjoseca.gov/your-government/departments-offices/information-technology/digital-privacy

Annual Usage Report for Gunshot Detection (May 2024)

PDF version of Annual Usage Report here

City of San José

Annual Usage Report for Gunshot Detection

February – December 2023

Owning department(s): San José Police Department (SJPD)

Department owner: Deputy Chief, Executive Officer

Context for Annual Usage Reports

The City annually reports on the usage and accuracy of its priority technologies that collect personal information. This document is prepared in coordination with the owning department and the Digital Privacy Officer, and satisfies the required reporting detailed in the relevant Data Usage Protocol.

Program Summary

Police officers may utilize gunshot detection systems to enhance their ability to rapidly respond to potential firearm crimes. Gunshot detection systems recognize the typical audio signature of a gunshot and alert Police of the sound. When used with Automated License Plate Readers (ALPR) to capture photos of passing vehicles, gunshot detection systems can identify the time, location, and associated vehicles surrounding a firearm incident. The integrated use of gunshot detection systems and ALPR can increase police officers’ capacity to respond to incidents of gun violence.  

The City of San José (City) and the San José Police Department will use gunshot detection in conjunction with an ALPR camera. Automated License Plate Readers (ALPRs) use high speed cameras to photograph vehicle license plates. Additional information on Automated License Plate Readers can be found in the Data Usage Protocol for ALPR technology.

Updates to Data Usage Protocols and Plans for Future Years

No updates to the Data Usage Protocol were made during the reporting period.  

At the time of this report, the Police Department did not have plans to add more Gunshot detection devices or renew the lease of existing ones. 

The graph below visualizes the number of gunshots detected for each zip code, if a gunshot was detected by the system in that zip code. Most gunshots were detected in the 95110, 95116, and 95122 zip codes.  

Data Usage Protocol for Red Light Cameras (April 2023)

City of San José

Data Usage Protocol for Red Light Running (RLR) Cameras

Owning department(s): Department of Transportation (DOT)

Department owner: Signal System Management and Ops – RLR system manager and system implementer

Contact method: ho.nguyen@sanjoseca.gov

1) Purpose

The Department of Transportation uses Red Light Running (RLR) Cameras to support traffic safety measures. RLR Cameras and the associated systems may collect the following data, collectively referred to as “data”:

1. Images or a few seconds of video (without sound) of a vehicle potentially running a red light;
2. License plate of the vehicle;
3. Department of Motor Vehicles (DMV) information on the contact information of the vehicle owner to issue the citation; and
4. Metadata on the time and location of the red light violation.

The RLR cameras send data of the vehicle potentially running a red light to a human for review. If the data is properly validated, the City may issue a traffic citation. The data may also support compliance with other relevant local, state, and federal laws. The data will not be used to investigate any matters related to a person’s immigration status. The purpose of this Data Usage Protocol is to ensure compliance with relevant local, state, and federal laws.

2) Authorized Uses

RLR Cameras and the data generated by RLR cameras shall only be used for the purposes outlined below:

1. Take pictures or a brief video of vehicles running a red light;
2. Gather evidence for traffic violations, such as red light violations;
3. Automatically trigger traffic violation report, which will then be reviewed by a human before issuing a citation; and
4. Support criminal investigations as requested by law enforcement.

 The City may contract with a vendor to review and access data to perform services on behalf of the City, such as verify if a violation occurred and determine the owner of the vehicle. If approved by the City, a vendor may also handle clerical tasks such as mailing citation notices on behalf of the City. The vendor can only use the data for purposes authorized by the City.

3) Prohibited Uses

Uses of identifying data not explicitly authorized in the “Authorized Uses” section are prohibited. In addition, the City will not use RLR Cameras and any data generated to:

1. Investigate immigration status;
2. Monitor people engaging in legal activity;
3. Actively monitor for law enforcement purposes. While law enforcement may request access to previously stored footage, law enforcement is not actively monitoring the red light running cameras.

4) Data Collection

An RLR system typically requires at least two cameras, a front-facing camera and a back-facing camera, and a sensor that determines if an object (such as a vehicle) is passing an intersection when the light is red. The sensor, often radar technology, is used to identify the trajectory of a vehicle and predict if it will run the red light. If the sensor determines a vehicle is running a red light, it will trigger the cameras to take pictures or record a few seconds of video.

The front-facing camera is angled to capture the front of the car and the driver. The back-facing camera is angled to capture the back of the car and the license plate. This data will be used to identify the vehicle and driver, and will serve as evidence to determine if the driver did run the red light.

Figure 1: Diagram of an example data collection process for RLR Cameras. Not every RLR system works exactly like this diagram shows. For example, this diagram shows the rear camera taking two pictures to show the car before and after it enters the intersection. However, some systems may use the front camera to provide this evidence instead.

5) Notice

Signage and notice will comply with relevant state and federal law. As of April 4, 2023, this included CA Vehicle Code 21455.5. Signs must be placed at 200 feet of approach and at least 30 days prior to the commencement of the enforcement program. Notice and additional detail, including this Data Usage Policy, will be available on the City website.

6) Retention and Minimization

The RLR Cameras only capture data if they are triggered by the radar system. The radar system itself does not collect any personal information.

Data will be retained in accordance with local, state, and federal law. As of April 4, 2023, CA requires all personal identifiable information associated with the RLR camera (e.g., photo of the driver and license plate) be destroyed 6 months after collection or until final disposition of any citations, whichever is later (CA Vehicle Code § 21455.5).[1]

The data collected and generated from this system is subject to relevant local, state, and federal law including, potential California Public Records Act (PRA) requests. Data will not be available for public access unless required pursuant to city, state, or federal law, or a court order. Some personal information may be redacted prior to public disclosure if the City determines disclosure of that information is protected by law.

Aggregated data may be reported to the public for purposes of transparency and accountability.

The vendor has access to the raw data for only purposes authorized by the City (i.e., review images in support of issuing a red-light-running citation). Any other such accessing of the data by the vendor is prohibited.

To promote accuracy in the issuance of traffic citations, a human must review the license plate and vehicle before citation action may be taken.

8) Accountability

Unless guided under a sharing agreement with external parties, only City staff can access the data. The City reserves the power to review who has access to the data. For example, if the City provides data access to a vendor, the City may review who has accessed the data.

If the City enters into an agreement with an authorized vendor to perform certain tasks on behalf of the City in enforcing RLR violations, the vendor will provide monthly audit logs of overall usage of RLR cameras including:

1. Number of violations detected;
2. Number of violations for which the City issued Citations;
3. Of the violations detected but not issued, the vendor shall report the reason for non-issuance on an approved form; and

Any malfunctions, days not in service due to malfunction, and days not in service due to other reasons.

9) Sharing

Raw or identifiable data will only be shared with partner government and law enforcement agencies when required by law or following the approval of a data sharing agreement which specifically outlines what data may be shared and under what circumstances. Authorized vendors acting on behalf of the City may also access raw or identifiable information only as authorized by the City.

Aggregated data or data scrubbed of identifying information may be provided to external City partners for the sake of improving City services such as traffic flows and safety.

10) Equity and community engagement

The RLR Cameras will be initially subject to a trial period of one year once they are installed. The City will conduct community engagement before and after installation to gather residents’ feedback about the use of RLR cameras in their neighborhoods. Through the annual reporting requirements, the City will monitor the impact of the RLR cameras across different neighborhoods to identify and mitigate any inequity inherent in the system.

Members of the public may submit any concerns via the public comment feature at sanjoseca.gov/digitalprivacy. Comments may also be submitted by emailing the Digital Privacy Office at digitalprivacy@sanjoseca.gov  or mailing the Digital Privacy Officer at 200 E Santa Clara Street, 11^th floor, San Jose, CA 95113.

11) Storage and Security

Data will be stored in a method approved by the City’s Cybersecurity Office. In the event that any personal information is stored or managed by a vendor, the City’s Cybersecurity Office must approve of the vendor’s data storage and data security.

In the event of a confirmed data breach where personal information such as photographs or video have been accessed by an unauthorized party, DOT will follow the City of San José’s Incident Response Plan (found in the City of San José Information Security Standards Handbook). This security protocol and further security details can be found in City Policy Manual 1.7.6 and are overseen by the City’s Cybersecurity Office.

12) Training

City staff responsible for the RLR system and vendor staff using RLR system on behalf of the City are responsible for following this Protocol. If RLR system solution is provided by a vendor, the vendor is responsible for training relevant Department staff (as determined by Department) to manage the system. Training will cover:

1. Logging into the system and accessing information;
2. Process to validate before issuing a citation;
3. Exporting data from vendor platform into the City’s data center (if applicable);
4. Transparency tools to audit all vendor processes and data used in the process of providing the RLR system services to the City;
5. Managing data retention and storage; and
6. Privacy considerations when using the system.

13) Annual Data Usage Report requirements

To provide the City and the public with ongoing reporting on the usage, effectiveness, and accuracy of RLR Cameras, the following information will be required in an Annual Data Usage Report submitted every year to the Digital Privacy Office no later than March 1^st and covers the previous calendar year (January 1^st – December 31^st)1. In the year this Data Usage Policy goes into effect, the Department is only required to report on the period from the date the Data Usage Policy goes into effect until the end of the calendar year.

1. Accuracy
   1. Number of alleged violations captured by RLR Cameras, by location;
   2. Number and percentage of citations that are dismissed by the court; and
   3. Number of citations issued by a law enforcement agency based on information collected by the RLR Cameras, by location.
2. Analytics
   1. The number of red light running violations that involved traveling straight through the intersection, turning right, turning left, and making a U-turn.
3. Impact on number of violations over time, by location
   1. The number of traffic collisions at each intersection that occurred prior to, and after the installation of, the RLR Cameras. Collisions should be reported as:
      • Total collisions
      • Collisions where red light running was an identified factor

¹If this Data Usage Policy is passed after September 30^th, the first Annual Data Usage Report will not be required until the following year, which will cover usage from the date the Data Usage Policy goes into effect to December 31^st of the following year

See PDF version 

Data Usage Protocol (DUP) for Automated License Plate Reader (ALPR) Technology
UPDATED as of August 22, 2022

City of San José

Data Usage Protocol (DUP) for Automated License Plate Reader (ALPR) Technology

Owning department(s): San José Police Department (SJPD)
Department owner: Deputy Chief, Executive Officer

1) Purpose

Automated License Plate Readers (ALPRs) use high speed cameras to photograph vehicle license plates. The purpose of ALPR cameras is to improve criminal investigations¹ and deter crime in the surrounding area.² This Data Usage Protocol (DUP) defines for the City of San José’s (hereafter referred to as “City”) Police Department (“hereafter referred to as “Department”):

1. Authorized usage of ALPR technology that complies with State and local laws;
2. Annual reporting requirements on ALPR usage; and
3. An ongoing avenue for public feedback on ALPR usage.

This DUP is also meant to ensure that San Jose Police Department’s use of Automated License Plate Recognition (ALPR) technology complies with all applicable federal, state, and local laws. For the purposes of California law, this document serves as the “usage and privacy policy” as required by California Civil Code Sections 1798.29 and 1798.82.

2) Authorized Uses:

The Department shall use ALPR technology with the goal of reducing serious crime and traffic incidents in the long term. ALPR is meant to act as a deterrent for crime and dangerous driving in a neighborhood, and to support police in criminal investigations. ALPR vendors may only use the data if authorized by the City to act on behalf of the City. The Department and authorized vendors may utilize ALPR technology and any data generated only to do the following:

1. Use in conjunction with any patrol or investigative function in response to the investigation of felony or misdemeanor crimes;
2. Locate at-risk missing persons (including responding to Amber and Silver Alerts);
3. Support local and State safety departments in the identification of vehicles associated with criminal investigations. Further detail on permissible sharing and coordination with safety departments is detailed in the “Data Sharing” section below; and
4. Automatically initiate investigation for traffic intersection infractions through a device (e.g., red-light violations) if SJPD follows the requirements outlined in California Vehicle Code 21455.5,³ including providing notice of automated enforcement within 200 feet of the intersection.

3) Prohibited Uses:

ALPR technology will not be used for the following purposes:

1. Collect data that is not within the public view. This includes any data not readily visible from a public area or public property;
2. Monitor individual or group activities legally allowed in the State of California and/or protected by the First Amendment to the United States Constitution;
3. Share with immigration authorities or use in the investigation of any matter related to immigration status of an individual;
4. Engage in automated citations or other automated enforcement without manual review from SJPD staff; and
5. Sell any data generated by ALPR to any entity.

4) Operational Procedures

The ALPR system(s) and their associated database(s) shall only be used for official law enforcement purposes listed in the “Authorized Uses” section. Additionally:

1. No member of the Department shall operate, utilize and/or search ALPR systems and their associated equipment/database(s) without first completing Department-approved training and only if the operation, utilization, or searching complies with SJPD’s need to know/right to know protocols defined in SJPD Duty Manual section C2000 on criminal records and information;⁴
2. Once an alert is received, the officer will make every effort to visually confirm that the captured license plate from the ALPR system matches the license plate of the observed vehicle;
3. In all instances, before any action is taken based solely upon an ALPR alert, the officer will make every effort to verify the alert is still valid through the California Law Enforcement Telecommunications System (CLETS). Officers will not take any action that restricts the freedom of any individual based solely upon an ALPR alert until an attempt at verification has been made;
4. If the reason for an ALPR alert pertains to a wanted person associated with a vehicle, officers should attempt to visually inspect the occupant(s) of the vehicle to determine if he/she matches the description of the wanted individual. Absent this verification, officers must have a separate legal justification to conduct a vehicle stop;
5. Designation of vehicles into “hot lists”⁵ shall be the sole responsibility of the assigned investigating officer or his/her designee. Vehicle’s cannot be entered into “hot lists” without a lieutenant’s approval. It will be the arresting/investigating officer’s responsibility to ensure timely entry/removal of license plates into/out of the designated “hot lists”.
6. To the best of the system administrator or his/her designee’s ability, hot lists managed by an external source (e.g., the Stolen Vehicle System) will be synchronized with the external hot list at all times. In the event of a loss of connection to external hot lists, the ALPR system administrator or his/her designee shall synchronize with external hot-lists upon reconnection;
7. Protocols shall be established to ensure timely notification is made to the system administrator to indicate and record when a “hot list” ALPR license plate capture is made and the ultimate disposition of the specific enforcement action;⁶ and
8. All vehicles entered into a departmental “hot list” will contain the following information:
   1. Name, badge number and assignment of department member entering the information (e.g., Officer Smith #1234, Robbery Unit)
   2. Associated case number(s)
   3. Short synopsis describing the reason for the vehicle/occupant database entry. This should include the presumed crime or crimes relevant to this investigation. If no crime is relevant, state the other purpose (e.g., Amber alert)

5) Data Collection

ALPR utilizes high speed cameras angled to capture digital images of vehicle license plates on public roads and private property visible from a public road (e.g., a driveway). The cameras are trained on the license plate of a vehicle and rarely capture the image of a person. The cameras do not identify an individual or group based on physical characteristics such as skin-tone, body shape, or facial features.

An example image captured from an ALPR camera is provided in Figure 1. While the ALPR camera is angled to capture license plate information, it may collect additional information visible in the image, including car make/model, and other distinguishing characteristics of the vehicle (e.g., bumper sticker(s), after market wheels, etc.).

ALPR cameras may be placed in a fixed location, such as on a street light pole, or in a roaming location, such as on a police vehicle. The technology will record the date and time the image was captured as well as the location of the camera. The exact location of a vehicle is not tracked, but can be inferred based on the location of the camera at the time of the photograph.

Figure 1: Police vehicle with an Automated License Plate Reader mounted on its roof, and an example picture from the ALPR camera (top-left). This ALPR picture identifies 1) the license plate, 2) the time and location of the car, and 3) other information captured in the photograph, including vehicle color, make, and model. Source: Pasadena, CA Police Department. https://www.pasadenanow.com/main/city-council-to-consider-purchasing-more-automatic-license-plate-readers 

6) Notice

Notice that the City of San José is using ALPR technology will be posted as signage at major vehicle entrances into the city and exits from the city, and at “designated intersections” within the city to notify residents that ALPR cameras may be present in their area.

“Designated intersections” refers to locations near where ALPR technology is being utilized. The signs will contain notice that ALPR technology is in use and will direct the reader to where they can get more information about the ALPR program and policies. Notice and additional detail, including this Data Usage Protocol, will be available on the City website.

7) Retention and Minimization

Data collected from ALPR technology will be retained for one year. Once the retention period has expired, the record shall be purged entirely from all active and backup systems unless the data is related to an active investigation of a crime not listed in the “Prohibited Uses” section.

Data associated with a criminal investigation may be stored for longer on an electronic storage device or printed and retained in accordance with applicable state and federal evidentiary laws, to include retaining the data through the adjudication of a case in a recognized court of law, as well as allotment of time for an appeals process and statute of limitations.

8) Access and Accuracy

Raw ALPR data, including photographs, license plates, location, and associated hot list data will not be available for public access unless required pursuant to city, state, or federal law, or a court order. Aggregated data on the ALPR technology, including performance metrics on the accuracy of the technology, will be made available annually in the Annual Data Usage Report. More details on the Annual Data Usage Report can be found in the “Annual Data Usage Report requirements” section below. The City may release more aggregated data periodically at its discretion.

9) Accountability

All Department members authorized to use or access ALPR technology or data shall be accountable for knowledge of this protocol. See “Training” section for definition of authorized personnel.

All access to the system shall be logged, and the Department will maintain an audit trail of requested and accessed information, including the purpose of the query. Periodic, random audits shall be conducted by a unit other than Crime Data Intelligence Center (CDIC) at the direction of the Deputy Chief, Executive Officer to ensure and evaluate compliance with system requirements and with the provisions of this protocol and applicable law. Audit trails shall be maintained by the Department for a minimum of two (2) years. Additional audits or reviews may be triggered at the direction of the City Council or Digital Privacy Officer (DPO), consistent with state law and authorized access to information.

If a Department member accesses or provides access to ALPR information, the Department member shall do the following:

1. Maintain a record of the access that includes the following information:
   1. Date/Time the Information was accessed
   2. The license plate number or other data elements used to query the ALPR system
   3. The name and department of the person who accessed the information
   4. The purpose for accessing the information, including the presumed crime or crimes relevant to this investigation. If no crime is relevant, state the other purpose (e.g., Amber alert)
2. ALPR information may only be used for authorized purposes as specified in this protocol in accordance with California Civil Code section 1798.90.51(b).

10) Sharing

The City does not share ALPR data with any contracted, commercial, or private entity. The provision of data hosting or towing services shall not be considered the sale, sharing, or transferring of ALPR information (see CA Civil Code 1798.90.55.(b)).
Information gathered or collected, and records retained by the City will not be:

1. Sold, published, exchanged, or disclosed for commercial purposes;
2. Disclosed or published without authorization; or
3. Disseminated to persons not authorized to access or use the information.

The City shall not confirm the existence or nonexistence of information to any person or agency that would not be eligible to receive the information unless otherwise required by law. The City may agree to share access to its ALPR database by law enforcement agencies within the State of California on an agency-by-agency basis if an agreement is put into place.

The data will not be shared beyond the approved agencies. All agencies must request SJPD ALPR data directly from SJPD (e.g., if SJPD shares ALPR data with Santa Clara PD, Sunnyvale PD must request SJPD data through SJPD rather than Santa Clara). The requesting agency may only access the data for an authorized purpose as noted in this protocol.

Logs will be generated every time an approved law enforcement agency accesses data from SJPD’s ALPR system, which will include:

1. Date/Time the Information was accessed
2. The license plate number or other data elements used to query the ALPR system
3. The name and law enforcement agency of the person who accessed the information
4. The purpose for accessing the information

11) Equity and Community Engagement

The City will make a reasonable effort to identify and mitigate any inequity inherent in the ALPR technology and its implementation. Members of the public may submit any concerns via the public comment feature at sanjoseca.gov/digitalprivacy. Comments may also be submitted by emailing digitalprivacy@sanjoseca.gov or mailing the Digital Privacy Officer at 200 E Santa Clara St. San Jose CA 95113, 11th Floor. ALPR implementations can impact certain populations more than others. The City of San Jose is cognizant of that concern and will field potential complaints when submitted by emailing: digitalprivacy@sanjoseca.gov. After receiving a complaint, the City will perform an investigation and determine a corrective action plan, if necessary.

12) Storage and Security

Data collected by ALPR technology shall be stored in a secured police facility or secured third-party hosting environment. With the exception of audits, access to the raw data (images of vehicles and license plates) shall be limited to law enforcement staff with a legitimate need and right to access the information. The Department will utilize reasonable physical, technological, administrative, procedural, and personnel security measures to prevent unauthorized access to ALPR data. Authorized sworn personnel or authorized civilian personnel (such as a crime analyst) shall have general user access to the SJPD ALPR database, as appropriate, to query information. See “Training” section for definition of “authorized personnel”. Entities authorized to audit the ALPR system (see “Accountability” section for who can authorize) do not need to be a part of the Department to access the database.

Sworn personnel or authorized civilian personnel as approved by the Deputy Chief, Executive Officer, or his/her designee shall have administrative user access to the SJPD ALPR database, as appropriate, to control:

1. The information to which a particular group or class of users can have access based on the group or class;
2. The information a class of users can access, and/or data being utilized in specific investigations;
3. Sharing capabilities with other law enforcement agencies; and
4. Any administrative or functional access required to maintain, control, administer, audit, or otherwise manage the data or equipment.

The Bureau of Technical Services Systems Development Unit may provide ALPR technical support for the Criminal Data Intelligence Center (CDIC). The CDIC shall ensure compliance with this protocol. The custodian of ALPR data for purposes of this protocol shall be the Deputy Chief, Executive Officer or his/her designee.

In the event of a confirmed data breach where personal information such as license plate numbers or photographs have been accessed by an unauthorized party, the Department will follow the City of San José’s Incident Response Plan. This security protocol and further security details are overseen by the City’s Cybersecurity Office.

13) Training

Except for audits, only authorized personnel, meaning Department personnel trained in the use of ALPR technology, including its privacy and civil liberties protections, shall be allowed access to ALPR data. Training shall consist of:

1. Legal authorities related to the use of ALPR data and technology;
2. Current Department Data Usage Protocol regarding authorized use of ALPR technology;
3. Technical, physical, administrative, and procedural measures to protect the security of ALPR data against unauthorized access or use; and
4. Practical exercises in the use of ALPR technology.

14) Annual Data Usage Report requirements

To provide the City and the public with ongoing reporting on the usage and accuracy of the ALPR technology, the following information will be required in an Annual Data Usage Report submitted every year to the Digital Privacy Officer (DPO) no later than March 1st and covers the previous calendar year (January 1st – December 31st). In the year this Data Usage Protocol goes into effect, the Department is only required to report on the period from the date the Data Usage Protocol goes into effect until the end of the calendar year.⁷ The Digital Privacy Officer will release the report to the public once private, confidential, and otherwise sensitive information is removed. The DPO shall release the report within 90 days of receiving it from the department, unless additional time is required to remove private, confidential, and sensitive information. If the DPO needs additional time, they shall provide a notice of extension to the public via the
Digital Privacy webpage.

1. Summary of the project and updates since the prior year, including detail on value to the department
2. Plans for future years, including any planned expansion of project or shift in data usage
3. Reporting metrics on ALPR usage and accuracy including:
   1. # of reads by location – the Department will either:
      1. Report directly the number of reads by location; or
      2. Provide the Digital Privacy Officer (DPO) with access to the ALPR reads
         database, including the latitude and longitude of each read, from which the DPO can report by location as needed.
   2. # of hits by location – Similar to the # of reads by location, the Department will either:
      1. Report directly the number of hits by location; or
      2. Provide the DPO with access to the ALPR reads database, including the
         latitude and longitude of each read and if the read was a hit, from which
         the DPO can report by location as needed.
   3. Records accessed by SJPD – the Department will report on the number of
      records accessed in accordance with the Accountability section of this Protocol.
   4. Accuracy of accessed records – the Department will report on the accuracy of the implemented ALPR technology as requested by Council and the DPO

¹Koper, Christopher S., and Cynthia Lum. "The impacts of large-scale license plate reader deployment on criminal investigations." Police Quarterly 22.3 (2019): 305-329 – https://journals.sagepub.com/doi/abs/10.1177/1098611119828039

²Koper, Christopher S., Bruce G. Taylor, and Daniel J. Woods. "A randomized test of initial and residual deterrence from directed patrols and use of license plate readers at crime hot spots." Journal of Experimental Criminology 9.2 (2013): 213-244 – https://link.springer.com/article/10.1007/s11292-012-9170-z

³California Vehicle Code “Offenses Relating to Traffic Devices” - https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=21455.5.&nodeTreePath=15.2.3&lawCode=VEH

⁴See SJPD Duty Manual - https://www.sjpd.org/home/showpublisheddocument/314

⁵License plate(s) associated with vehicles of interest from an associated database, including, but not limited to: California Law Enforcement Telecommunications System (CLETS), National Crime Information Center (NCIC), Be on the Lookout notices (BOLOs), and Department databases

⁶An example notification would be: “Hot list 211A vehicle alerted at Curtner/Monterey, observed at Curtner/Malone. Vehicle stopped, driver arrested for 211”

⁷If this Data Usage Protocol is passed after September 30th, the first Annual Data Usage Report will not be required until the following year, which will cover usage from the date the Data Usage Protocol goes into effect to December 31st of the following year.

City officials hosted a public webinar on August 24, 2022 to share information and answer residents' questions about the use of ALPR cameras in the City. 

You can find recordings of the sessions in English, Vietnamese, and Spanish below. 

Traffic Safety Cameras in San José – Zoom Webinar (English)

Máy Quay Hình An Toàn Giao Thông ở San José - Hội Thảo Zoom Trên Mạng (Tiếng Việt)

Annual Usage Report for Automated License Plate Cameras (May 2024)

PDF version of Annual Usage Report here.

City of San José

Annual Usage Report for Automated License Plate Cameras (ALPR)

January – December 2023 

Owning department(s): San José Police Department (SJPD)

Department owner: Deputy Chief, Executive Officer        

Context for Annual Usage Reports

The City annually reports on the usage and accuracy of its priority technologies that collect personal information. This document is prepared in coordination with the owning department and the Digital Privacy Officer, and satisfies the required reporting detailed in the relevant Data Usage Protocol.

Program Summary

Automated License Plate Readers (ALPRs) use high speed cameras to photograph vehicle license plates, which are used to identify if the vehicle is stolen or part of an ongoing investigation. The purpose of ALPR cameras is to improve criminal investigations and deter crime in the surrounding area.  

Updates to Data Usage Protocol for Future Years

No updates to the Data Usage Protocol were made during the reporting period. As of the end of December 2023, 149 ALPR cameras were installed across the City. Next year, the estimated number of ALPR cameras intends to increase to over 400. Continued use of the cameras is dependent on pending funding.  

Reporting Metrics on Usage and Accuracy

Reads by Location

This metric shows the number of plates read (i.e., number of photographs taken) by location by the ALPR system. Overall, 263,771,079 total reads occurred during 2023. 

Hits by Location

This metric shows the number of “hits” by location. A “hit” is when the San José Police Department (SJPD) is alerted that a vehicle involved in an active investigation (i.e., on a “hotlist”) has been identified by an ALPR camera. Overall, 167,014 total hits occurred during 2023.  

Records Accessed by SJPD

SJPD accessed 93,291 records (e.g., photos) during 2023. This includes records from partner agencies, which are other law enforcement agencies in California.

Accuracy of System

A study conducted by the Digital Privacy Office identified an accuracy rate of at least 80% under any weather conditions. The table below details accuracy of the system as of the study date on March 1, 2024. These accuracy levels are comparable to other research. An 80-90% accuracy rate is a reasonable level when combined with human verification, which is required for ALPR usage. The accuracy rate was lower at night and in unclear conditions (rainy or cloudy) when compared to the accuracy during the day in clear conditions. Increasing ALPR’s accuracy rate at night is an area for future improvement. 

Compliance Reporting

Conclusion

The ALPR system has been used in compliance with the Data Usage Protocol. The access controls and audit logs provide the City with comprehensive controls over who, how, and when people can access the data.  

Recommendation

SJPD should continue education for officers on accurate data reporting when accessing the ALPR system. Additionally, the Digital Privacy Officer recommends future research into the potential preventative effects of the ALPR system. In other words, study if areas with ALPR systems show a decrease in reported incidents relative to similar areas with no ALPR system. SJPD should also make efforts to increase ALPR’s accuracy rate at night, and provide further education for officers to ensure they enter the relevant incident number when accessing the database. 

Annual Usage Report for Automated License Plate Cameras (May 2023)

PDF version of Annual Usage Report here.

City of San José

Annual Usage Report for Automated License Plate Cameras (ALPR)

August – December 2022 

Owning department(s): San José Police Department (SJPD)

Department owner: Deputy Chief, Executive Officer        

Context for Annual Usage Reports

The City annually reports on the usage and accuracy of its priority technologies that collect personal information. This document is prepared in coordination with the owning department and the Digital Privacy Officer, and satisfies the required reporting detailed in the relevant Data Usage Protocol.

Program Summary

Automated License Plate Readers (ALPRs) use high speed cameras to photograph vehicle license plates, which are used to identify if the vehicle is stolen or part of an ongoing investigation. The purpose of ALPR cameras is to improve criminal investigations and deter crime in the surrounding area. Full detail on the data usage of the ALPR program can be found here.

To date, SJPD has provided 31 narratives of notable cases in which ALPR supported solving a criminal investigation. These investigations were felony cases and ranged from robberies, stolen vehicles, hit-and-runs, homicides, and shootings.

** This is the number of unique recorded “events” (typically a case code or police incident number) that had a reported ALPR access associated with them. This includes events such as regular maintenance, testing, and set-up. To recalculate this number, select all accesses from August 1, 2022 to December 31, 2022 and count the number of unique text entries in the “reason” column.

Updates to Data Usage Protocol for Future Years

No updates to the Data Usage Protocol were made during the reporting period. SJPD installed 72 additional stationary ALPR cameras in December of 2022 for a one-year program. Continued use of the cameras in the one-year program is dependent on pending funding.

Reporting Metrics on Usage and Accuracy

Notice: Due to a miscommunication in retention requirements, only data from the second half of December 2022 is available for reads and hits. Going forward, the Department will manually export and store data every 30 days to comply with the annual reporting requirements. While hits and reads data is limited, all access data has been collected for the reporting period.

Reads by Location

This metric shows the number of plates read (i.e., number of photographs taken) by location by the ALPR system. Overall, 15,959,085 reads occurred between 12/14/22 and 12/31/22.

Hits by Location

This metric shows the number of “hits” by location. A “hit” is when SJPD is alerted that a vehicle involved in an active investigation (i.e., on a “hotlist”) had been identified by an ALPR camera. Overall, 13 hits occurred from December 14, 2022 to December 31, 2022.

Records Accessed by SJPD

SJPD accessed 2,721 records (e.g., photos) from December 14, 2022 to December 31, 2022. From August through December of 2022, SJPD accessed 15,085 records. This includes records from partner agencies, which are other law enforcement agencies in California.

Accuracy of System

A study conducted by the Digital Privacy Officer identified an accuracy rate of at least 89% under any weather conditions. The table below details accuracy of the system as of the study date on March 1, 2023. These accuracy levels are comparable to other research.* A ~90% accuracy rate is a reasonable level when combined with human verification, which is required for ALPR usage.

* While the space is limited in research, European agencies and companies have conducted some ALPR accuracy tests: https://www.nedapidentification.com/insights/the-wide-range-of-anpr-solutions-calls-for-guidance-in-making-the-right-choice/, and https://www.researchgate.net/publication/261503938_Accuracy_of_automatic_number_plate_recognition_ANPR_and_real_world_UK_number_plate_problems

Compliance Reporting

After reviewing all access logs, system accuracy, and summary of the program, the Digital Privacy Officer finds SJPD in compliance with its Data Usage Protocol. The DPO was particularly concerned about which entities have accessed San José’s cameras to ensure that only approved CA agencies accessed the data. In reviewing the audit logs of SJPD, the Digital Privacy Officer confirmed that all active users that accessed SJPD ALPR data were California law enforcement agencies.*

Access logs also include a justification for each access. While most access logs included a case number, some instead provided a descriptive justification for access, such as “Stolen Vehicle”. We recommend further education for officers to ensure they enter the relevant incident number when accessing the database.

Conclusion

The ALPR system has demonstrated a value for SJPD in dozens of cases. The access controls and audit logs provide the City with comprehensive controls over who, how, and when people can access the data.

Moving forward, SJPD will ensure hit and read data is collected for the entire year. SJPD should continue education for officers on accurate data reporting when accessing the ALPR system. Additionally, the Digital Privacy Officer recommends future research into the potential preventative effects of the ALPR system. In other words, have areas with ALPR systems shown a decrease in reported incidents relative to similar areas with no ALPR system?

In short, SJPD has exercised responsible and transparent usage of a technology that has a demonstrated value in solving crime.  

Appendix

San José Police Department Summary of ALPR Program

Automated License Plate Reader (ALPR) technology, also known as License Plate Recognition (LPR), allows for the automated detection of license plates along with the vehicle make, model, color, and unique identifiers through the San Jose Police Department’s (Department’s) APLR system and the vendor's vehicle identification technology. The technology is used by the Department to convert data associated with vehicle license plates and vehicle descriptions for official law enforcement purposes, including, in part, identifying stolen or wanted vehicles, wanted persons, missing persons or persons involved in crime.

The Curtner Avenue/Monterey Road Pedestrian Safety Automated License Plate Reader Pilot was brought to the San Jose City Council by Councilmember Esparza in September of 2021. The pilot was introduced by CM Esparza in response to multiple vehicular fatalities and hit-and-run collisions at the named intersection. ALPR cameras were purchased via non-competitive bid (under $10K) from Flock Safety. Flock Safety was chosen based upon multiple factors, including but not limited to, strong testimonials from neighboring police agencies, lease model, reputation, and the ability to share hotlist alerts with most police departments in the area who are currently utilizing the Flock ALPR system. In May of 2022, four (4) Flock ALPR cameras were installed at the intersection of Curtner Avenue and Monterey Road. The Department commenced department-wide training in June of 2022 and the Flock system is currently operational. Properly trained sworn and professional staff can access the Flock System via their mobile devices, desktop computers, laptops, or from the Mobile Data Computers in patrol cars.

In 2020, the San Jose Police Department requested and received anti-terrorism funding from the Urban Areas Security Initiative (US Department of Homeland Security Office for Domestic Preparedness, UASI) in the amount of $230,000 for a gunshot detection (GSD)/ALPR System. In April of 2022, brand name/sole source documents were approved by San Jose City purchasing and the San Jose city Digital Privacy Officer for Flock Safety (Raven GSD/Falcon ALPR.) Funding allows for coverage of seven (7) neighborhoods with gunshot detection devices and corresponding ALPR cameras. In June of 2022, the Department project team met to discuss potential neighborhood placement. As part of that process, the project team reviewed a five (5) year gun violence data report and met with Divisional Captains and select police lieutenants for anecdotal input. In December 2022, The Department launched the GSD/ALPR pilot in seven violent crime-impacted neighborhoods and Flock installed 72 Falcon ALPR cameras and 110 Raven gunshot detection devices.

The Department recognizes the importance of employing technology in law enforcement. By utilizing rapidly deployable, innovative GSDs that integrate ALPR, patrol officers benefit from the early detection of gun violence. Police officers cannot be in all places at all times, however, by utilizing ALPR and advanced acoustic hardware sensors they can dramatically increase their ability to detain and arrest violent offenders.

As anticipated, the Flock ALPR System has proven to be immediately invaluable. Flock has become an indispensable and widely used tool by Special Operations, the Bureau of Investigations, the Bureau of Field Operations, and the Air Support Unit. By employing ALPR technology, Department detectives and officers have solved multiple violent crimes, including robbery, assault with a firearm, home invasion, sexual assault, and attempted murder of a police officer. Specific to the Monterey and Curtner Pilot, investigators have received alerts and evidence related to the possession of stolen vehicles, possession of stolen property, and strong-arm robbery. The Monterey and Curtner cameras are directly responsible for the safe recovery of multiple stolen vehicles and the subsequent arrest of the offenders. Additionally, the Monterey and Curtner pilot was the catalyst for the sharing of cameras with/from neighboring jurisdictions, the ability to receive real-time alert relative to cars associated to violent crimes, and part of a larger network that allows our officers to be more efficient and innovative. Since the installation of the system at Monterey and Curtner, there has not been a vehicle related fatality or major injury accident. Pursuant to City requirements, there is signage at the intersection informing the community that ALPR is being utilized. Although it is difficult to measure any deterrent effect related to these signs, and/or the community outreach that proceeded their installation, it is logical to assume that the education of the community, coupled with “drive safe” warnings, have had a positive impact.

The Department uses ALPR technology with the goal of reducing serious crime and traffic incidents in the long term. Police detectives utilize the Flock retroactive search function for investigations and the hotlist tool for real-time alerting of suspect vehicles. Hotlist alerts are required to be officer verified prior to any enforcement action. Flock data is strictly for law enforcement purposes, and it is prohibited to be accessed, or used for any immigration enforcement, traffic enforcement, harassment, intimidation, or usage based solely on a protected class. All Department members authorized to use or access ALPR technology or data shall are accountable for knowledge of the City’s Digital Use protocol (DUP) and are trained in the use of ALPR technology.  All access to the system is logged, and the Department maintains an audit trail of requested and accessed information, including the purpose of the query.

The default data retention period for Flock is 30 days, however, based upon City retention requirements, the Department has contracted with Flock for 366 days of data retention. Due to an unexpected miscommunication of what data is retained by Flock Safety, the data included in this annual report is incomplete. Regarding the number of plates read and hotlist hits during calendar year 2022, only data from the second half of December 2022 was available. Going forward, the Department will manually export data from Flock every 30 days to appropriately comply with the audit requirements.

San José 311 (https://311.sanjoseca.gov/) is in the process of integrating an ALPR system to make reporting easier in their app. This will allow residents to take a picture of a vehicle and the app will automatically include details on the vehicle's make, model, color and license plate number. 

This usage will comply with the Data Usage Protocol (DUP). Among other items, this means that any vendor that provides this ALPR service to the City will only use the data as directed by the City and will be required under contract not to share the information with any other party unless given express consent by the City. 

The ALPR for SJ311 will only be used to make it easier for peopleto input information they were already reporting to the City via the SJ311 application.

This usage of ALPR will include the following annual reporting metrics: 

1. Usage by census tract (# of reads)
2. Overall usage of the ALPR feature vs not using it, and manually inputting the license plate number and vehicle details
3. Number of times staff modified license plate information based on the LPN photo included in the request

Data Usage Protocol (DUP) for People Counter Cameras at Parks, Trails, and Community Centers (June 2022)

City of San José

Data Usage Protocol (DUP) for People Counter Cameras at Parks, Trails, and Community Centers

Owning Department(s): Parks, Recreation and Neighborhood Services (PRNS)

Department contact: PRNS Public Information Officer

For questions contact: digitalprivacy@sanjoseca.gov

1) Purpose

The Parks, Recreation and Neighborhood Services Department (PRNS) build healthy communities through people, parks, and programs. PRNS provides a diverse variety of programs that impact the lives of children, youth, adults, seniors, and people with disabilities throughout the City. Data is used to better understand pedestrian traffic at PRNS parks, trails, and community centers (collectively “facilities”) to support the educational, health and life outcomes of San José youth and their families, and potentially support incident prevention. The collected data will provide increased knowledge of our facility use and trends to understand visitors' attendance/traffic and enhance their experience.

2) Authorized Uses

Data collected by PRNS shall only be used for the purposes outlined below. Any other usage by the City or by a third party is prohibited:

1. Collect daily attendance and traffic patterns and flow to:
   1. Provide an accurate representation of the community’s facility usage;
   2. Measure visitor entry and exit flow within the facility; and
   3. Plan staffing, programs, and hours of operation;
2. Create service plans that provide and support educational, health, and leisure programs; and
3. Attendance information, such as the number of people entering the park at a specific time, may be provided to law enforcement if requested for help in an ongoing investigation. Data may also be provided if required by law or otherwise in a court order.

Aggregated information may be used by the City to report program progress and effectiveness to city, state, and other authorities and partners for budget and funding purposes.

3) Prohibited Uses

Uses not explicitly authorized in the “Authorized Uses” section are prohibited. 

4) Data Collection

Type of information collected can include

1. Traffic data, including but not limited to pedestrian, bicycle, and vehicle;
2. The number people in open spaces, counted without identifying any individual;
3. The number of people using a facility in real-time;
4. Visitor flow, entry, and exit within the facility;
5. Comparisons and trends in attendance by half hours, hours, days, weeks, and months;
6. Building usage and number of customers by volume and time.

5) Notice

Signage will be posted around the premises of the facility, trail, or park that is using the people counting technology. The signage will direct residents to more information about the project and data collection online.

Additional detail, including this Data Usage Protocol, will be available on the City website online at sanjoseca.gov/digitalprivacy. A printed copy of this Data Usage Protocol will be provided upon request. 

6) Retention and Minimization

No personal information will be stored through the people-counting project. Attendance information will be stored for up to 5 years in accordance with Department retention policy.¹ Select pieces of information may be stored for longer if required by law or court order.  

7) Access and Accuracy

No personal information is being stored, so there will be no data for individuals to request. The data collected will be subject to California Public Records Act requests. 

8) Accountability

In the event of a confirmed data breach where information has been accessed by an unauthorized party, PRNS will work with the City’s Cybersecurity Office to take steps to respond in accordance with the City’s incident response plan. 

To ensure data usage is consistent with this protocol, inspections or reviews of the data practices may be triggered at the direction of the City Council or Digital Privacy Officer (DPO). 

9) Sharing

Data collected will only be made available to partner service providers with a documented sharing agreement that requires all parties to follow the authorized and prohibited uses listed in this document. PRNS may share information with other City staff so long as staff follows the requirements in this document. Additionally, information will be shared if required under a court order. 

10) Equity and community engagement

Members of the public may submit any concerns via the public comment feature at sanjoseca.gov/digitalprivacy. Comments may also be submitted by emailing the Digital Privacy Office at digitalprivacy@sanjoseca.gov or mailing the Digital Privacy Officer at 200 E Santa Clara Street, 11th floor, San Jose, CA 95113. 

11) Storage and Security

Data is stored on City infrastructure or a secure cloud environment that can only be accessed by City staff. PRNS department follows security protocol as recommended by the City’s Cybersecurity Office.

12) Training

Training for accessing and analyzing the data is provided to PRNS staff as needed.

13) Annual Data Usage Report requirements

Given no personal information is processed, no annual reporting is required. If the Department intends to expand the usage of the data collected or generated through the people counting system, it must file an updated Data Usage Protocol with the Digital Privacy Officer. 

¹City Retention Schedule item Series # 929 “USAGE STATISTICS & REPORTED” - https://www.sanjoseca.gov/home/showdocument?id=41127 

PDF of Data Usage Protocol

Data Usage Protocol for Vision Based Traffic Data Collection and Safety Analytics Device using Artificial Intelligence (August 2022)

City of San José

Data Usage Protocol for a Vision Based Traffic Data Collection and Safety Analytics Device using Artificial Intelligence

Initial pilot vendor: Currux Vision

Owning department(s): Transportation

Department owner: Ho Nguyen, ITS Manager

Contact method: ho.nguyen@sanjoseca.gov, 408-975-3279

1) Purpose

The vision based, Artificial Intelligence (AI) enabled Intelligent Transportation System (ITS) from Currux Vision is an edge computing device that can detect and analyze traffic using IP based cameras, and provide notifications and enable automation to enhance traffic operations. The system can assess safety metrics related to traffic flow, such as:

• Red-light running, speeding, near misses, wrong way, jaywalking, stopped traffic, stop sign violation, and crosswalk, bike, or bus lane encroachment

The system supports advanced data collection of essential road traffic information used in operation, such as:

• Vehicle turning movement counts, vehicle classification, pedestrian counts, bike counts, delay, occupancy, headway, queue length, stop counts, and Level of Service¹ or congestion

The system is currently used to support the Citywide Collision Review process, which identifies the top intersections with the most collisions or highest crash rate. By collecting this data, the system allows City engineers to assess safety metrics and conditions before and after safety counter measures are implemented.

Initial pilot cameras will be placed at four intersections: Senter & Parrott, Bascom & Curtner, Curtner & Monterey, and Tully & Alvin. Following the pilot, additional devices may be installed at the same or other intersections.

2) Authorized Uses

The system shall only be used for the purposes outlined below. It is a tool used primarily by traffic engineers and planners to make informed decisions about traffic operations, traffic safety and transportation planning.

Specifically, the system shall only be used by engineers to assess the collected metrics to:

• Inform traffic safety decisions;
• Adjust signal timing strategies and operations;
• Support transportation planning activities; and
• Guide installation of new traffic-related equipment, safety countermeasures, etc.

At the request of City law enforcement, video clips may be sent to the City Police Department in support of ongoing criminal investigations. Video clips may also be shared to City departments such as the City Attorney’s office if needed for litigation, and if required for an audit.

3) Prohibited Uses

Uses not explicitly authorized in the “Authorized Uses” section are prohibited. In addition, the Currux device and any data generated shall:

• Not be released to the public without a Public Information Request
• Not be used to enforce speeding tickets, red-light running, or other traffic infractions
• Not be proactively monitored for criminal surveillance
• Not be used to initiate a criminal investigation
• Not be used for any investigations regarding one’s immigration status

4) Data Collection

The system derives its data and information using AI and streaming video from traffic surveillance or detection cameras. Data can be categorized into two main uses: safety incident analytics and traffic operations.

• Safety incident analytics: red-light running, speeding, near misses, wrong way driving, slow and stopped traffic, jaywalking, stop sign violation, and double line, crosswalk, bike or bus lane encroachment
• Traffic operations: vehicle turning movement counts, vehicle classification, pedestrian counts, bike counts, delay, occupancy, headway, queue length, stop counts, 85th percentile speed, average speed, arrivals on green, and Level of Service

Audio is not collected. The majority of the video footage is not stored, and is reported as graphs, tables, and can be exported to comma-separated values (csv) files. Figure 1 shows an example of the video footage (not stored) and the table produced from the counting of vehicles.

Figure 1: Example photo from the traffic video system, image not taken in San José. The system records the relevant data into a table, like the one shown in the bottom of the image, and deletes the image unless a safety incident was recorded.

In the event of safety incidents (e.g., speeding or near misses) the system can record images and video clips not to exceed 10 seconds to provide visual confirmation of the captured events and ensure accurate data collection. Figure 2 shows examples of safety incidences recorded by the cameras.

Figure 2: Images of safety incidents (e.g., speeding, near misses) can be stored. This shows examples of images collected from safety incidents in San José’s pilot. Identifying information such as faces and license plates have been obscured.

Figure 3: Additional image of safety incidents (e.g., speeding, near misses) can be stored. This shows examples of images collected from safety incidents in San José’s pilot. Identifying information such as faces and license plates have been obscured.

5) Notice

Appropriate signage will be posted upon each approach to the intersection, alerting road users of the technology in use. Notice and additional detail, including this Data Usage Protocol, will be available on the City website.

6) Retention and Minimization

Video and images will be stored for one year, and all anonymized traffic metrics must be stored for a minimum of two years. For practical applications, the City’s Department of Transportation (DOT) intends to store select anonymized data, such as turning movement counts and vehicle classification, for as long as useful, 5-10 years.

Data may be stored for longer if required by law or court order.

7) Access and Accuracy

The data collected and generated from this system is subject to the law and potential California Public Records Act (PRA) requests.

Video and images will not be available for public access unless required pursuant to city, state, or federal law, or a court order. Some personal information may be redacted prior to public disclosure if the City determines that releasing it may cause substantial harm to an individual.

DOT will monitor accuracy of the AI recognition through manual checks and system validation over the course of using the equipment, particularly during the initial pilot period that covers the 4 pilot locations which include Senter & Parrott, Bascom & Curtner, Curtner & Monterey, and Tully & Alvin.

Initial validation study on some of the traffic operations metrics such as speed and vehicle counts appear to result in an accuracy rate of 95%+. Accuracy as it pertains to the various metrics involving pedestrian and bicyclists requires high resolution cameras that are currently not in use in DOT. Therefore, the vendor still considers pedestrian and bicyclist detection an on-going development effort that may require many more iterations to achieve the desired accuracy and reliability threshold.

8) Accountability

Unless guided under a sharing agreement with external parties, only City staff can access the images and video. In this pilot, the system does not yet support the logging of user sign-on information. However, this feature will be added through a system enhancement. Once added, the system will store the username and the time the user logs on and logs off. Sign-on information will be stored for two years in accordance with California Government Code 34090.

The system will support role-based access, which gives individuals different levels of system access privileges based on the level the system administrator has assigned. This limits read (the ability to download information) and write (the ability to upload information) privileges to specific users.

9) Sharing

Non-personal information (e.g., # of vehicles that passed an intersection during a day) may be shared with other government entities, such as other city DOT’s, metropolitan planning organizations (MPO’s), academic institutions, or transit agencies. Formal sharing logistics and mechanisms will be managed by an agreement that requires respective parties to handle data in the same care as San José. Only processed, aggregated data providing traffic operation and safety metrics will be shared through any agreement. Images and videos will not be shared unless required by law.

10) Equity and community engagement

The system does not detect and read license plates nor perform facial recognition; the platform detects and analyzes traffic patterns and movements from all road users, including vehicles, bicyclists, and pedestrians.

The Data Usage Protocol will be made available for public comment before device installation and during usage. Members of the public may submit any concerns via the public comment feature at sanjoseca.gov/digitalprivacy. Comments may also be submitted by emailing the Digital Privacy Office at digitalprivacy@sanjoseca.gov.

11) Storage and Security

Currently, all data, including video clips and images, are stored at the edge—in vendor provided processing units located at the intersections—inside locked traffic signal cabinets. Communications to these units is provided using DOT-owned hardwire infrastructure, such as fiber, copper, or wireless broadband radios. Device logon is controlled by assigned access-level specific sign-on credentials.

When the system scales beyond 10 units, the front-end application and primary data storage will be moved to a secure on-prem server located in the City’s Network Operations Center (NOC). Access to the NOC is secured by card access. The on-prem server specifications will be determined based on performance needs and expected data growth.

In the event of a confirmed data breach where personal information such as photographs or video have been accessed by an unauthorized party, DOT will follow the City of San José’s Incident Response Plan. This security protocol and further security details are overseen by the City’s Cybersecurity Office.

12) Training

The device vendor has provided hands-on support thus far during the device’s bench testing and limited field installations. As the installation scales, the ITS group, in coordination with the device manufacturer, will provide standard staff training for all relevant support staff, as is performed for all other field technology hardware.

13) Annual Data Usage Report requirements

To provide the City and the public with ongoing reporting on the usage, effectiveness, and accuracy of the vision and AI-based traffic analytics system, the following information will be required in an Annual Data Usage Report submitted every year to the Digital Privacy Office no later than March 1st and covers the previous calendar year (January 1st – December 31st).² In the year this Data Usage Policy goes into effect, the Department is only required to report on the period from the date the Data Usage Protocol goes into effect until the end of the calendar year.

1. Accuracy metric (# of flags that the Department saw as inaccurate vs # viewed)
2. Usage metric – how often the system is being used

¹Level of Service refers to the level of congestion at an intersection, from free flow to bumper-to-bump traffic.

²If this Data Usage Policy is passed after September 30th, the first Annual Data Usage Report will not be required until the following year, which will cover usage from the date the Data Usage Policy goes into effect to December 31st of the following year

Annual Usage Report for Vision Based Traffic Data Collection and Safety Analytics Device using Artificial Intelligence (May 2024)

PDF version of Annual Usage Report here.

City of San José

Annual Usage Report for Vision Based Traffic Data Collection and Safety Analytics Device using Artificial Intelligence

January – December 31, 2023 

Owning department(s): Department of Transportation

Department owner: ITS Manager

Context for Annual Usage Reports

The City annually reports on the usage and accuracy of its priority technologies that collect personal information. This document is prepared in coordination with the owning department and the Digital Privacy Officer, and satisfies the required reporting detailed in the applicable Data Usage Protocol.

Program Summary

The Artificial Intelligence (AI) based traffic analytics system from Currux Vision is used to detect and analyze traffic to improve traffic operations. The system provides safety metrics such as near misses, speeding, wrong direction, red-light running, and crosswalk violations. The initial pilot cameras were placed at four intersections: Senter & Parrot, Monterey & Curtner, Tully & Alvin, and Bascom & Curtner. All four intersections have been installed and are working as intended. Two additional units have been installed at Cottle & Santa Teresa and Alexian & Julian in 2023. These units replaced the previously failed detection systems. Full detail on the data usage of the AI-based traffic analytics program can be found on the City website.

Updates to Data Usage Protocols and Plans for Future Years

No updates to the Data Usage Protocol were made during the reporting period.  

For the upcoming year (2024), installation is planned at Taylor & 7th. At this intersection, the Currux system will be paired with an Axis fisheye camera that will be installed to replace the existing loops.

While red light running accuracy remains low during 2023 at 29%, vehicle count accuracy and pedestrian count accuracy rates are reasonably high, at 95% and 82% respectively.  

Given the high cost required to evaluate the system, data for each metric has been provided for only 1 out of the 6 units, Monterey/Curtner. This intersection was selected because it poses the highest risk to pedestrians. 

The tables below illustrate vehicle count, red light running, and pedestrian count accuracy more in depth. Data on speeding and near-misses is not included because it continues to be highly inaccurate. The Department of Transportation is currently making efforts to increase their accuracy for the upcoming year.   

Vehicle Count Accuracy

This metric measures how often the system is used by the Department.

During 2023, an estimated 12 million observations were collected. This includes events such as a pedestrian crossing the intersection, a vehicle potentially speeding, a near-miss accident, and other basic traffic metrics. The total counts were estimated by extrapolating a week’s worth of data across the Senter and Parrot, Monterey and Curtner, Tully and Lanai, and Bascom and Curtner intersections. Data from the two newest installed units is not yet available, since they are still being properly calibrated. 

After reviewing all access logs, system accuracy, and summary of the program, the Digital Privacy Officer finds the Department of Transportation in compliance with its Data Usage Protocol. The audit logs provided include the IP address of the accessing user, the date and time of access, and the programming command used to access the system. The Digital Privacy Officer reviewed the two IP addresses used to access the system which point to the automated system check and the Department’s admin user, as expected.  

The AI-based traffic analytics system continues to provide a value to the Department of Transportation in improving traffic operations.  

Because the system’s accuracy varies across metrics, the Department of Transportation should note this as they use the data to inform policy decisions. Specifically, the red light running metric has a low accuracy rate. However, the metric is useful because its narrows down thousands of hours of traffic footage to specific flagged cases.  

• Require a human review of detected red light running, speeding, and near misses to validate the data if it will be used for traffic planning purposes. Conversely, the pedestrian count and vehicle count metrics were very accurate. 
• Moving forward, the Department of Transportation should work to improve the accuracy of the system across all metrics, but particularly for near misses, speeding, and red light running.

The Department of Transportation is commended for testing the pilot installations and gathering accuracy data. This practice should continue in the future as use of the system expands.  

 In summary, the AI-based analytics system has shown to be a useful tool for the Department of Transportation’s traffic safety efforts. The Department should continue to monitor accuracy rates by metric and provide human validation before using low accuracy metrics to inform decision-making. 

Annual Usage Report for Vision Based Traffic Data Collection and Safety Analytics Device using Artificial Intelligence (May 2023)

PDF version of Annual Usage Report here.

City of San José

Annual Usage Report for Vision Based Traffic Data Collection and Safety Analytics Device using Artificial Intelligence

September 20 – December 31, 2022 

Owning department(s): Department of Transportation

Department owner: Ho Nguyen, ITS Manager

The City annually reports on the usage and accuracy of its priority technologies that collect personal information. This document is prepared in coordination with the owning department and the Digital Privacy Officer, and satisfies the required reporting detailed in the relevant Data Usage Protocol.

 Program Summary

The artificial intelligence (AI) based traffic analytics system is used to detect and analyze traffic movements to improve traffic operations. The system provides safety metric notifications such as near misses, speeding, wrong direction, red-light running, and crosswalk violations. Full detail on the data usage of the AI-based traffic analytics program can be found here.

The initial pilot installation at Monterey/Curtner was extended to Tully/Alvin in late 2022 as part of the Department of Transportation’s Vision Zero efforts to install safety counter measures. The AI-based traffic analytics system’s safety metrics are currently being evaluated at both Monterey/Curtner and Tully/Alvin. These metrics will assist the Department in developing strategies to improve traffic safety and optimize operations such as installing new traffic-related equipment or adjusting signal timing to enhance traffic flow.

Updates to Data Usage Protocols and Plans for Future Years

Data Usage Protocol for Foot Traffic Data (January 2023)

City of San José

Data Usage Protocol for Foot Traffic Data

Initial Pilot: CityData.ai 

Owning department(s):Parks, Recreation and Neighborhood Services (PRNS)

Department owner: PRNS Public Information Officer

Contact method: digitalprivacy@sanjoseca.gov

1) Purpose

The Parks, Recreation and Neighborhood Services Department (the Department) envisions healthy communities that inspire belonging by connecting people through parks, recreation, and neighborhood services for an active San Jose. Measuring how our community uses facilities is important for the equitable delivery and maintenance of parks, public spaces, and recreational areas. Anonymized foot traffic, which uses geolocation information (like GPS) devoid of any personal information such as names, emails, phone numbers, dates of birth, credit card information, transactions, or national identifiers, is a data-driven strategy for understanding movement patterns – where and when people access recreational amenities. We know that this access is uneven across many of our neighborhoods. Systemic and institutionalized racial exclusion and disinvestment create and perpetuate disproportional access to quality parks. The anonymized foot traffic data will be another tool in the toolkit to help demonstrate where there is a greater need for new, improved, and safer facilities for equitable resource allocation.

2) Authorized Uses

The aggregated data collected by CityData.ai (the vendor) and provided to the Department shall only be used for the purposes outlined below. Any other usage by the City or on behalf of the City is prohibited:

1. Collect clean, accurate, and up-to-date anonymized foot traffic data to observe people visit trends and patterns at public facilities and special event locations including, but not limited to, parks, trails, facilities, and community centers;
2. Measure and analyze anonymous visits and patterns to understand where and when people arrive and congregate (For example, how many people travel from a specific neighborhood or census tract to a park? How long do they spend at that park? What time and day of the week do they visit? What hidden barriers or trends might emerge?);
3. Inform capital project, operational, and maintenance planning;
4. Inform budget and fiscal planning; and
5. Inform funding strategies (grants, other). 

3) Prohibited Uses

Uses not explicitly authorized in the “Authorized Uses” section are prohibited. In addition, the City cannot and will not use the data provided, and any data generated, to monitor an individual’s location or movement patterns.

4) Data Collection

The vendor collects information about the resident’s or other users' devices (e.g., a cell phone) through applications that integrate the vendor’s products or otherwise share device data with the vendor.¹ For example, illustrated in Figure 1, a phone app may collect the device’s location and share that information with the vendor. Identifying information such as email address, name, phone number, national identifier, date of birth or home address is not intentionally collected by the vendor. If this identifying information is identified in the vendor’s dataset, it is removed. The vendor then aggregates the data so no individual can be identified and provides this aggregated dataset to the City. The City only receives the anonymized and aggregated data and does not see or have access to any other information that might be collected by the vendor.

Figure 1: Diagram that explains how data is collected, anonymized, and aggregated by the vendor and shared with the City. 

Device data collected by the vendor may include the following:

• Location data of users' devices, such as latitude-longitude coordinates obtained through GPS tools, WiFi data, Bluetooth beacons, cell tower triangulation or other techniques;
• The associated device identifier of users' devices, such as the Identifier for Advertisers or IDFA for iOS devices and Advertiser ID for Android/Google devices;
• Other information about users' devices, such as: device type (e.g., tablet, smartphone), hardware model, operation system and version, mobile browser type (e.g., Chrome, Firefox, Safari), mobile network information, and mobile sensor information including speed, bearing, orientation, time zone, timestamp, and altitude;
• Usage data about how users use the vendor’s products and services, such as: access time, access location, activity, and internet protocol address;
• Predicted or inferred data about users, such as census block group, characteristics, or interests; and/or
• Any other information users voluntarily provide to the vendor.

Additionally, the vendor may merge the data they collect with external information (such as locations of local businesses, places and/or times of events, performances, historic landmarks, and restaurants), non-identifying information provided by the City (e.g., aggregated San José 311 data, public building and engineering permits data), and aggregated data from the US Census or surveys (e.g., age range, income range, gender, and education level). By merging data, the vendor can provide the City with more information to understand the needs, behaviors, and facility usage of residents in aggregate. An example is given in Figure 2 below.

Figure 2: Example screenshot of the data viewed by the City. Example provided by CityDash.ai. It shows, by census block group (effectively a neighborhood), the number of people visiting that area over the course of a day and a week.

5) Notice

Notice and additional detail, including this Data Usage Policy, will be available on the City website.

Notice is provided by the vendor when data is collected, and residents and other users can opt-in or opt-out of their information being collected, as summarized below:

Opt-in

Before the vendor collects device data from a user's device, the user must first opt-in to share the device's location data. A user is opted-in when they download an app that includes the vendor’s GeoSDK and give the vendor permission to collect device data.² 

Opt-out

Users can choose to opt-out of sharing device data with the vendor by disabling location sharing or ad tracking on their devices.³ Users can also disable location sharing with specific apps by reviewing the settings for each app, or by choosing to not share location when prompted after first downloading the app, or by uninstalling the app. If a user opts-out of location sharing or ad tracking, the vendor does not collect device data from the user's device.

6) Retention and Minimization

The data obtained from the vendor will be kept in accordance with local, state, and federal law. The data will only be retained so long as it continues to be useful in helping the Department better understand how to improve the quality of City services. No identifying information is retained by the City.

7) Access and Accuracy

City departments will have access to the data. The City will produce public-facing reports that may utilize or reference the aggregated data.

Where feasible, the City will cross-reference the foot traffic data that is purchased with foot-traffic data it directly collects. Random spot-checks will be used to understand the accuracy of the data.

8) Accountability

All City staff with access to the data shall be accountable for knowledge of this protocol.

In the event of a confirmed data breach, where information has been accessed by an unauthorized party, the Department will work with the City’s Cybersecurity Office to take steps to respond in accordance with the City’s incident response plan.

To ensure data usage is consistent with this protocol, inspections or reviews of the data practices may be initiated at the direction of the City Council or Digital Privacy Officer (DPO).

9) Sharing

The City will share the data with partner organizations to improve the provision of community services, including but not limited to the maintenance of public facilities. Partner organizations will not be provided any personal information and may only utilize the data as allowed by the City (See “Authorized Uses”).

10) Equity and community engagement

The City will make a reasonable effort to identify and mitigate any inequity inherent in the aggregated data and its implementation. Members of the public may submit concerns via the public comment feature at sanjoseca.gov/digitalprivacy. Comments may also be submitted by emailing the Digital Privacy Office at digitalprivacy@sanjoseca.gov.

11) Storage and Security

The data collected by the vendor is stored in the vendor’s cloud indefinitely. Copies of the data will be downloaded into the City environment and non-confidential data may be shared with partners and the public.

The vendor and City use reasonable physical, managerial, and technical safeguards to preserve the integrity and security of the device data and information collected. The vendor minimizes collection of identifiable information, and utilizes industry-standard end-to-end encryption for the transmission of information.

12) Training

The vendor or City provides staff training to access, understand, and use the anonymized foot traffic data. Training can include:

1. How to access, view, and interpret the data from the vendor;
2. How to download data from the vendor’s cloud into the City environment; and
3. The process for reviewing and publishing portions of the data from the vendor to the City’s public data portal or other public space.

13) Annual Data Usage Report requirements

To provide the City and the public with ongoing reporting on the usage, effectiveness, and accuracy of aggregated foot traffic data, the following information will be required in an Annual Data Usage Report submitted every year to the Digital Privacy Office no later than March 1^st and covers the previous calendar year (January 1^st – December 31^st).³ In the year this Data Usage Policy goes into effect, the Department is only required to report on the period from the date the Data Usage Policy goes into effect until the end of the calendar year.

Updates will include any updates to the data usage or planned updates.

¹Link to initial vendor’s (CityData) privacy policy: CITYDATA.ai

²Apps on Apple devices, like iPhones, and Android/Google devices, like Samsung Galaxy, ask for permission to collect data in different ways. Older Android phones running older Android operating systems require a user to accept any permissions that the app asks for before the user can install the app. Thus, if the app has been downloaded, the user is opted-in. Newer Android phones allow users to opt-in after downloading the app. Apple apps also allow users to download the app without first opting in, however, device data is collected only after users opt-in.

³For iOS, ad tracking can be disabled by navigating to Settings > Select Privacy > Select Advertising > Enable the "Limit Ad Tracking" setting. For Android, navigate to Google Settings app > Select Ads > Enable "Opt out of interest-based advertising." You can learn more about how to opt-out your mobile device by visiting the NAI web site.

⁴If this Data Usage Policy is passed after September 30^th, the first Annual Data Usage Report will not be required until the following year, which will cover usage from the date the Data Usage Policy goes into effect to December 31^st of the following year.

Data Usage Protocol (DUP) for Public Security Cameras (February 2023)

City of San José

Owning department(s): San José Police Department (SJPD)

Department owner: Intelligence Unit Commander  

Purpose

Public security cameras are used by the Police Department to record video in public spaces where there is a known risk of criminal activity (e.g., public parks with recent vandalism, vacant public land with reports of violent activity, etc.). Since placing investigative personnel on site at all times is not practical, public security cameras are installed to both deter inappropriate use of the area as well as to document any criminal activity. This Data Usage Protocol (DUP) defines for the City of San José’s (hereafter referred to as “City”) Police Department (“hereafter referred to as “Department”):

1. Authorized usage of public security camera technology that complies with State and local laws;
2. Annual reporting requirements on public security camera usage; and
3. An ongoing avenue for public feedback on public security camera usage.

Authorized Uses

Public security cameras shall only be used for the purposes outlined below. Any other usage by the Department or by a third party is prohibited. Third parties may only use the data if authorized by the City to act on behalf of the City. The Department and authorized third parties may utilize public security cameras and any data generated to do the following:

1. Deter criminal activity;
2. Review public security camera footage following an incident or during the course of an investigation;
3. Monitoring the safety and security of City facilities and City vehicles; or
4. Protect infrastructure installed by the City and other critical infrastructure as defined by California Office of Emergency Services (Cal OES).¹

Prohibited Uses

Public security cameras will not be used for the following purposes:

1. Actively monitor or review security camera footage without relevance to a specific incident or investigation;
2. Collect data that is not within the public view. This includes any data not readily visible from a public area or public property;
3. Identify individuals or groups engaging in activities legally allowed in the State of California and/or protected by the First Amendment to the United States Constitution absent an incident or investigation;
4. Share with federal immigration authorities or use in the investigation of any matter related to immigration status of an individual; or
5. Sale of camera-generated data to any entity.

Data Collection

Public security cameras record video of public spaces of interest. The cameras may capture video of individuals and their physical likeness. Public security cameras may also record audio.

Public security cameras are placed in a fixed location, such as on a street light pole. Data collected also includes the date, time, and location of the video recording.

Notice

Notice that the City of San José is using public security cameras will be posted on the City website in a press release. The press release will detail the camera’s location, when the camera is installed, and, if applicable, when it will be taken down (e.g., after completion of the investigation). Readers will also be directed to this Data Usage Protocol which will be available on the City website.

Retention and Minimization

Data collected from public security cameras will be retained for a time period consistent with the City’s retention policies.² Once the retention period has expired, the record shall be purged entirely from all active and backup systems unless the data is related to a criminal investigation.

Data associated with a criminal investigation may be stored for longer in accordance with applicable state and federal evidentiary laws, to include retaining the data through the adjudication of a case in a recognized court of law, as well as allotment of time for an appeals process and statute of limitations.

Access and Accuracy

Except for audits, only authorized personnel, meaning Department personnel with a legitimate need and right to access the information, shall be allowed access to public security camera data.

Raw security camera data, including video, location, and timestamp will not be available for public access unless required pursuant to city, state, or federal law, or a court order. Some information may be redacted prior to public disclosure pursuant to state and federal regulations.

Aggregated data on the public security camera program will be made available annually in the Annual Data Usage Report. More details on the Annual Data Usage Report can be found in the “Annual Data Usage Report requirements” section below. The City may release more aggregated data periodically at its discretion.

 Accountability

All Department members who use or access information from public security cameras shall be accountable for knowledge of this protocol.

Periodic, random audits may be conducted at the direction of the Chief of Police or their designee to ensure and evaluate compliance with system requirements and with the provisions of this protocol and applicable law. Audit trails shall be maintained by the Department for the time period consistent with the City’s retention policy. Additional audits or reviews may be triggered at the direction of the Office of the City Manager or Digital Privacy Officer (DPO), consistent with state law and authorized access to information.

The results of the audits are subject to the law and potential California Public Records Act requests. Some information may be redacted prior to public disclosure pursuant to state and federal regulations.

Before a Department member accesses or provides access to a public security camera, the Department member shall create a record that includes the following information:

1. Date/Time the camera was provided or acquired;
2. The event number or relevant case number of the investigation; and
3. The name, department, and badge or employee number of the person who acquired or returned the camera

Sharing

The City does not share public security camera data with any contracted, commercial, or private entity. The provision of data hosting shall not be considered the sale, sharing, or transferring of public security camera information.

Information gathered or collected, and records retained by the City will not be:

1. Sold, published, exchanged, or disclosed for commercial purposes;
2. Disclosed or published by an entity outside of the Department without Department approval; or
3. Disseminated to persons not authorized to access or use the information.

The City shall not confirm the existence or nonexistence of information to any person or agency that would not be eligible to receive the information unless otherwise required by law. The City may agree to share access to its public security camera database by law enforcement agencies within the State of California on an agency-by-agency basis. Law enforcement agencies provided data from the Department will not share with federal immigration authorities or use in the investigation of any matter related to immigration status of an individual.

The data will not be shared beyond the approved agencies. All agencies must request SJPD public security camera data directly from SJPD (e.g., if SJPD shares public security camera data with Santa Clara PD, Sunnyvale PD must request SJPD data through SJPD rather than Santa Clara). The requesting agency may only access the data for an authorized purpose as noted in this protocol.

A log will be generated every time an outside agency is provided access to data from SJPD’s public security camera system, which will include:

1. Date/Time the information was requested;
2. The event number or case number of the investigation, if no case number is available, then the purpose of requesting the data; and
3. The name and agency of the person who requested the information

Equity and Community Engagement

The City will make a reasonable effort to identify and mitigate any inequity inherent in public security cameras and its implementation. Members of the public may submit any concerns via the public comment feature at sanjoseca.gov/digitalprivacy. Comments may also be submitted by emailing digitalprivacy@sanjoseca.gov or mailing the Digital Privacy Officer at 200 E Santa Clara St. San Jose CA 95113, 11^th Floor. Public security camera implementations can impact certain populations more than others. The City of San Jose is cognizant of that concern and will field potential complaints when submitted by emailing: digitalprivacy@sanjoseca.gov. After receiving a complaint, the City will perform an investigation and determine a corrective action plan, if necessary.

Storage and Security

Data collected by public security cameras shall be stored securely by police or through a third-party hosting environment. With the exception of audits, access to the raw data (video and audio recording) shall be limited to law enforcement staff with a legitimate need and right to access the information. The Department will utilize reasonable physical, technological, administrative, procedural, and personnel security measures to prevent unauthorized access to public security camera data. Authorized sworn personnel or authorized civilian personnel (such as a crime analyst) shall have general user access to the SJPD public security camera database, as appropriate, to query information. Entities authorized to audit the public security camera system (see “Accountability” section for who can authorize) do not need to be a part of the Department to access the database.  

In the event of a confirmed data breach where personal information such as video recordings of identifiable individuals have been accessed by an unauthorized party, the Department will follow the City of San José’s Information Technology Incident Response Plan.³ This security protocol and further security details are overseen by the City’s Cybersecurity Office.

Training

Department members who use public security cameras will be trained in how to:

1. Install a camera with the appropriate notice (if they are responsible for any part of the installation);
2. Securely access the information collected;
3. Document access to the information for the sake of maintaining an auditable trail of access pursuant to the “Accountability” section of this document; and
4. Adhere to current Department Data Usage Protocol regarding authorized use of public security camera technology.

Annual Data Usage Report Requirements

To provide the City and the public with ongoing reporting on the usage and accuracy of the public security cameras, the following information will be required in an Annual Data Usage Report submitted every year to the Digital Privacy Officer (DPO) no later than March 1^st and covers the previous calendar year (January 1^st – December 31^st). In the year this Data Usage Protocol goes into effect, the Department is only required to report on the period from the date the Data Usage Protocol goes into effect until the end of the calendar year.⁴ The Digital Privacy Officer will release the report to the public once private, confidential, and otherwise sensitive information is removed. The DPO shall release the report within 90 days of receiving it from the department, unless additional time is required to remove private, confidential, and sensitive information. If the DPO needs additional time, they shall provide a notice of extension to the public via the Digital Privacy webpage.⁵

•  Reporting metrics on public security camera usage and accuracy including:
  • # of cameras installed, by location and duration – the Department will report on the number of cameras installed at each location and for how long
  • # of records accessed by SJPD – the Department will report on the aggregate number of usages in accordance with the Accountability section of this Protocol.

[1] From California Office of Emergency Services: “Critical infrastructure is the assets, systems, and networks, whether physical or virtual, so vital to the California that their incapacitation or destruction would have a debilitating effect on security, economic security, public health or safety, or any combination of these.” Some examples of critical infrastructure include schools, hospitals, voting centers, community centers, and utility facilities vital to providing service (e.g., electricity, water).

Definition from Cal OES: https://www.caloes.ca.gov/office-of-the-director/operations/homeland-security/state-threat-assessment-center/critical-infrastructure-protection/

Non-exhaustive list of critical infrastructure: https://www.pacificpower.net/outages-safety/wildfire-safety/critical-facilities-infrastructure.html

[2] As of last update to this document, that is one year. Refer to the City retention schedule for up-to-date information: https://www.sanjoseca.gov/your-government/departments-offices/office-of-the-city-manager/official-city-records/records-retention-schedule

[3] An overview of Information Technology’s Incident Response plan can be found in the City’s Information Security Standards Handbook Section 8.7, “Incident Response”: https://www.sanjoseca.gov/home/showdocument?id=85853#page=32

[4] If this Data Usage Protocol is passed after September 30^th, the first Annual Data Usage Report will not be required until the following year, which will cover usage from the date the Data Usage Protocol goes into effect to December 31^st of the following year

[5] Link to the digital privacy webpage: https://www.sanjoseca.gov/your-government/departments-offices/information-technology/digital-privacy

Annual Usage Report for Public Security Cameras (May 2024)

PDF version of Annual Usage Report here.

City of San José

Annual Usage Report for Public Security Cameras

February – December 2023

Owning department(s): San José Police Department (SJPD)

Department owner: Deputy Chief, Executive Officer 

Context for Annual Usage Reports

The City annually reports on the usage and accuracy of its priority technologies that collect personal information. This document is prepared in coordination with the owning department and the Digital Privacy Officer, and satisfies the required reporting detailed in the relevant Data Usage Protocol.

Program Summary

Public security cameras are used by the Police Department to record video in public spaces where there is a known risk of criminal activity (e.g., public parks with recent vandalism, vacant public land with reports of violent activity, etc.). Since placing investigative personnel on site at all times is not practical, public security cameras are installed to both deter inappropriate use of the area as well as to document any criminal activity. 

Updates to Data Usage Protocols and Plans for Future Years

No updates to the Data Usage Protocol were made during the reporting period. At this time, the City does not have plans to expand the program.

Data Usage Protocol for Covert Security Cameras (February 2023)

City of San José

Owning department(s): San José Police Department (SJPD)

Department owner: Intelligence Unit Commander  

Purpose

Covert security cameras are used by the Police Department to covertly record video in public or private spaces where there is known or suspected criminal activity (e.g., investigate repeat violent shootings). Since placing investigative personnel on site at all times is not practical, covert security cameras are installed to document activity that would further establish criminal action or exonerate the allegation. This Data Usage Protocol (DUP) defines for the City of San José’s (hereafter referred to as “City”) Police Department (“hereafter referred to as “Department”):

1. Authorized usage of covert security camera technology that complies with state and local laws;
2. Annual reporting requirements on covert security camera usage; and
3. An ongoing avenue for public feedback on covert security camera usage.''

Authorized Uses

Covert security cameras shall only be used for the purposes outlined below. Any other usage by the Department or by a third party on behalf of the Department is prohibited. Third parties may only access the data from City cameras if authorized by the City to act on behalf of the City. The Department and authorized third parties may utilize covert security cameras and any data generated to do the following:

1. Support investigations on criminal activity and/or as a mechanism to follow-up on reported incidents;
2. Be positioned in an area open to the public, or be positioned in an area not open to the public only if accompanied by consent of the person or business in control of that area or through the issuance of a warrant; or
3. Protect infrastructure installed by the City and other critical infrastructure as defined by California Office of Emergency Services (Cal OES).¹

Prohibited Uses

Covert security cameras will not be used for the following purposes:

1. Share with federal immigration authorities for use in the investigation of any matter related to the immigration status of an individual; or
2. Sale of camera-generated data to any entity.

Data Collection

Covert security cameras record video and audio. They may be placed in fixed locations, such as a street light pole, or in a moving location, such as a vehicle or on a person. The cameras may capture video and conversations of individuals.

 Notice

There will not be notice that the City of San José is using covert security cameras.

Residents can find general information about covert security cameras and their governing policies, including this Data Usage Protocol, on the City website.

Retention and Minimization

Data collected from covert security cameras will be retained for a time period consistent with the City’s retention policies.² Once the retention period has expired, the record shall be purged entirely from all active and backup systems unless the data is related to an active investigation.

Data associated with a criminal investigation may be stored for longer on an electronic storage device or printed and retained in accordance with applicable state and federal evidentiary laws, to include retaining the data through the adjudication of a case in a recognized court of law, as well as allotment of time for an appeals process and statute of limitations.

Access and Accuracy

Except for audits, only authorized personnel, meaning Department personnel with a legitimate need and right to access the information, shall be allowed access to covert security camera data.

Raw camera data, including video, audio, location, and timestamp will not be available for public access unless required pursuant to city, state, or federal law, or a court order. Some information may be redacted prior to public disclosure pursuant to state and federal regulations.

Accountability

All Department members who use or access information from covert security cameras shall be accountable for knowledge of this protocol.

Periodic, random audits may be conducted at the direction of the Chief of Police or their designee to ensure and evaluate compliance with system requirements and with the provisions of this protocol and applicable law. Audit trails shall be maintained by the Department for the time period consistent with the City’s retention policy. Additional audits or reviews may be triggered at the direction of the Office of the City Manager or Digital Privacy Officer (DPO), consistent with state law and authorized access to information.

The results of the audits are subject to the law and potential California Public Records Act requests. Some information may be redacted prior to public disclosure pursuant to state and federal regulations.

Before a Department member accesses or provides access to a covert security camera, the Department member shall create a record that includes the following information:

1. Date/Time the camera was provided or acquired
2. The event or relevant case number of the investigation
3. The name, department, and badge or employee number of the person who acquired or returned the camera

Sharing

The City does not share covert security camera data with any contracted, commercial, or private entity. The provision of data hosting shall not be considered the sale, sharing, or transferring of public security camera information.

Information gathered or collected, and records retained by the City will not be:

1. Sold, published, exchanged, or disclosed for commercial purposes;
2. Disclosed or published without authorization; or
3. Disseminated to persons not authorized to access or use the information.

The City shall not confirm the existence or nonexistence of information to any person or agency that would not be eligible to receive the information unless otherwise required by law. The City may agree to share access to its covert security camera data by law enforcement agencies within the State of California on an agency-by-agency basis. Law enforcement agencies provided data from the Department will not share with federal immigration authorities or use in the investigation of any matter related to immigration status of an individual.

The data will not be shared beyond the approved agencies. All agencies must request SJPD covert security camera data directly from SJPD (e.g., if SJPD shares covert security camera data with Santa Clara PD, Sunnyvale PD must request SJPD data through SJPD rather than Santa Clara). The requesting agency may only access the data for an authorized purpose as noted in this protocol.

A log will be generated every time an outside agency is provided access to data from SJPD’s covert security camera system, which will include:

1. Date/Time the information was requested;
2. The event number or case number of the investigation, if no case number is available, then the purpose of requesting the data; and
3. The name and agency of the person who requested the information

Equity and Community Engagement

The City will make a reasonable effort to identify and mitigate any inequity inherent in covert security cameras and its implementation. Members of the public may submit any concerns via the public comment feature at sanjoseca.gov/digitalprivacy. Comments may also be submitted by emailing digitalprivacy@sanjoseca.gov or mailing the Digital Privacy Officer at 200 E Santa Clara St. San Jose CA 95113, 11^th Floor. Covert security camera implementations can impact certain populations more than others. The City of San Jose is cognizant of that concern and will field potential complaints when submitted by emailing: digitalprivacy@sanjoseca.gov. After receiving a complaint, the City will perform an investigation and determine a corrective action plan, if necessary.

Storage and Security

Data collected by covert security cameras shall be stored securely by police or through a third-party hosting environment. With the exception of audits, access to the raw data (video or audio recording of public space) shall be limited to law enforcement staff with a legitimate need and right to access the information. The Department will utilize reasonable physical, technological, administrative, procedural, and personnel security measures to prevent unauthorized access to covert security camera data. Authorized sworn personnel or authorized civilian personnel (such as a crime analyst) shall have general user access to the SJPD covert security camera data, as appropriate, to query information. Entities authorized to audit the covert security camera system (see “Accountability” section for who can authorize) do not need to be a part of the Department to access the data.  

In the event of a confirmed data breach where personal information such as video recordings of identifiable individuals have been accessed by an unauthorized party, the Department will follow the City of San José’s Information Technology Incident Response Plan. This security protocol and further security details are overseen by the City’s Cybersecurity Office.³

Training

Department members will be trained in how to:

1. Install a camera;
2. Securely access the information collected;
3. Document access to the information; and
4. Adhere to current Department Data Usage Protocol regarding authorized use of covert security camera technology.

Annual Data Usage Report Requirements

Covert security cameras rely on secrecy to collect evidence for criminal investigations. Publicly reporting where the cameras are used would substantially diminish the Department’s effectiveness in gathering evidence, and may put undercover operations at risk (e.g., in the event of an informant gathering evidence within a criminal organization). Because of this, annual reporting requirements are waived, but audits will still be conducted to ensure compliance with this policy (see “Accountability” section).

[1] From California Office of Emergency Services: “Critical infrastructure is the assets, systems, and networks, whether physical or virtual, so vital to the California that their incapacitation or destruction would have a debilitating effect on security, economic security, public health or safety, or any combination of these.” Some examples of critical infrastructure include schools, hospitals, voting centers, community centers, and utility facilities vital to service (e.g., electricity, water).

Definition from Cal OES: https://www.caloes.ca.gov/office-of-the-director/operations/homeland-security/state-threat-assessment-center/critical-infrastructure-protection/

Non-exhaustive list of critical infrastructure: https://www.pacificpower.net/outages-safety/wildfire-safety/critical-facilities-infrastructure.html

[2] As of last update to this document, that is one year. Refer to the City retention schedule for up-to-date information: https://www.sanjoseca.gov/your-government/departments-offices/office-of-the-city-manager/official-city-records/records-retention-schedule

[3] An overview of Information Technology’s Incident Response plan can be found in the City’s Information Security Standards Handbook Section 8.7, “Incident Response”: https://www.sanjoseca.gov/home/showdocument?id=85853#page=32