REPORT

Department of Public Health: Temporary Visitor Registration, ID and Tracking System Surveillance Technology Policy

Committee on Information Technology (COIT)

PUBLIC MEETING REVIEW DATES

PSAB Meeting Date(s): 2/27/2025

BOS Approval Date: TBD

The City and County of San Francisco values privacy and protection of San Francisco residents' civil rights and civil liberties. As required by San Francisco Administrative Code, Section 19B, the Surveillance Technology Policy aims to ensure the responsible use of Temporary Visitor Registration, ID, and Tracking System (hereinafter referred to as "surveillance technology") itself as well as any associated data, and the protection of City and County of San Francisco residents' civil rights and liberties.

PURPOSE AND SCOPE

The Department's mission is to protect and promote the health of all San Franciscans.

The Surveillance Technology Policy ("Policy") defines the manner in which the surveillance technology will be used to support this mission, by describing the intended purpose, authorized and restricted uses, and requirements.

This Policy applies to all department personnel (employees, contractors, and volunteers) that use, plan to use, or plan to secure the surveillance technology. Employees, consultants, volunteers, and vendors while working on behalf of the City with the Department are required to comply with this Policy.

POLICY STATEMENT

The authorized use of the surveillance technology for the Department is limited to the following use cases and is subject to the requirements listed in this Policy.

Authorized Use(s):

1) To provide temporary identification and services for visitors at Department of Public Health medical facilities.

2) To provide contact tracking for all visitors.

Prohibited use cases include any uses not stated in the Authorized Use Case section.

Department may use information collected from technology only for legally authorized purposes, and may not use that information to unlawfully discriminate against people based on race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, gender, gender identity, disability status, sexual orientation or activity, or genetic and/or biometric data.

BUSINESS JUSTIFICATION

Reason for Technology Use

The surveillance technology supports the Department's mission and provides important operational value in the following ways:

This technology provides employee and patient privacy and security at DPH healthcare facilities.

Description of Technology

The technology provides for the temporary issuance of a visitor identification card, visitor registration and tracking. The technology is a visitor management system which can cross reference law enforcement-maintained watchlists.

Resident Benefits

The surveillance technology promises to benefit residents in the following ways:

Resident Benefits

Benefit | Selected | Description
Education | |
Community Development | |
Health | X | This technology provides disease exposure prevention and notification.
Environment | |
Criminal Justice | |
Jobs | |
Housing | |
Public Safety | X | This technology increases public safety by providing enhanced security for patients in public hospitals and medical facilities.

Department Benefits

The surveillance technology will benefit the department in the following ways:

Benefit | Selected | Description
Financial Savings | |
Time Savings | |
Staff Safety | |
Data Quality | |
Other | X | The temporary visitor identification and tracking technology provides safety for employees, patients, and visitors. For employees and patients, it clearly identifies and labels a visitor as well as the classification of the visitor/purpose. For the visitor there is assurance of notification should the visitor be exposed to any contagion.

POLICY REQUIREMENTS

This Policy defines the responsible data management processes and legally enforceable safeguards required by the Department to ensure transparency, oversight, and accountability measures. Department use of surveillance technology and information collected, retained, processed or shared by surveillance technology must be consistent with this Policy; must comply with all City, State, and Federal laws and regulations; and must protect all state and federal Constitutional guarantees.

Specifications: The software and/or firmware used to operate the surveillance technology must be up to date and maintained.

Data Collection: Department shall only collect data required to execute the authorized use cases. All data collected by the surveillance technology, including PII, shall be classified according to the City's Data Classification Standard. The surveillance technology collects some or all of the following data type(s):

Data Type | Format | Classification
Visitor photograph, first name, last name, address, phone number, and optional email | jpeg and ASCII text | Level 3

Access: All parties requesting access must adhere to the following rules and processes:

  • The vendor provides official end-user training for the technology solution and administrative services.

A. Department employees

Once collected, the following roles and job titles are authorized to access and use data collected, retained, processed or shared by the surveillance technology:

  • Clerk-Typist (1424), Senior Clerk Typist (1426), Licensed Vocational Nurse (2312), Registered Nurse (2320), Public Health Nurse (2830). The number of people in each of these positions varies by clinical office.

B. Members of the public

Department will comply with the California Public Records Act, the San Francisco Sunshine Ordinance, the requirements of the federal and State Constitutions, and federal and State civil procedure laws and rules.

Collected data that is classified as Level 1-Public data may be made available for public access or release via DataSF's Open Data portal. Open Data has a Public Domain Dedication and License, and makes no warranties on the information provided. Once public on Open Data, data can be freely shared, modified, and used for any purpose without any restrictions. Any damages resulting from use of public data are disclaimed.

Members of the public may also request access by submission of a request pursuant to San Francisco's Sunshine Ordinance. No record shall be withheld from disclosure in its entirety unless all information contained in it is exempt from disclosure under express provisions of the California Public Records Act or some other statute.

Training: To reduce the possibility that surveillance technology or its associated data will be misused or used contrary to its authorized use, all individuals requiring access must receive training on data security policies and procedures.

Department shall require all elected officials, employees, consultants, volunteers, and vendors working with the technology on its behalf to read and formally acknowledge all authorized and prohibited uses dictated by this policy. Department shall also require that all individuals requesting data or regularly requiring data access receive appropriate training before being granted access to systems containing PII.

More specifically, Department training will include: The temporary visitor management technology vendor provides initial implementation training, end user training, and administrative training. The training is designed for the various roles, responsibilities and operational levels.

Data Security: Department shall secure PII against unauthorized or unlawful processing or disclosure; unwarranted access, manipulation or misuse; and accidental loss, destruction, or damage. Surveillance technology data collected and retained by the Department shall be protected by the safeguards appropriate for its classification level(s) as defined by the National Institute of Standards and Technology (NIST) security framework 800-53, or equivalent requirements from other major cybersecurity frameworks selected by the department.

Department shall ensure compliance with these security standards through the following:

Administrative Safeguards: The users and administrators of the system receive application training as well as annual DPH security, ethics, and privacy & compliance training.

Technical Safeguards: The application provides industry-standard technical safeguards such as multifactor authentication, role-based access, NIST-compliant password requirements, and annual account and access reviews and audits.

Physical Safeguards: Access to the facility and the system are protected by locked doors and security cameras.

Data Storage: Data will be stored in the following location:

Selected | Storage Location
X | Local storage (e.g., local server, storage area network (SAN), network attached storage (NAS), backup tapes, etc.)
 | Department of Technology Data Center
 | Software as a Service Product
 | Cloud Storage Provider

Data Sharing: Department will endeavor to ensure that other agencies or departments that may receive data collected by the surveillance technology will act in conformity with this Policy.

For internally and externally shared data, shared data shall not be accessed, used, or processed by the recipient in a manner incompatible with the authorized use cases stated in this Policy.

Department shall ensure proper administrative, technical, and physical safeguards are in place before sharing data with other CCSF departments, outside government entities, and third-party providers or vendors. (See Data Security)

Department shall ensure all PII and restricted data is de-identified or adequately protected to ensure the identities of individual subjects are effectively safeguarded from entities that do not have authorized access under this policy.

Each department that believes another agency or department receives or may receive data collected from its use of surveillance technologies should consult with its assigned deputy city attorney regarding their legal obligations.

Before sharing data with any recipients, the Department will use the following procedure to ensure appropriate data protections are in place:

  • Confirm the purpose of the data sharing aligns with the department's mission.
  • Consider alternative methods other than sharing data that can accomplish the same purpose.
  • Redact names, scrub faces, and ensure all PII is removed in accordance with the department's data policies.
  • Review all existing safeguards to ensure shared data does not increase the risk of potential civil rights and liberties impacts on residents.
  • Evaluate what data can be permissibly shared with members of the public should a request be made in accordance with San Francisco's Sunshine Ordinance.
  • Ensure data will be shared in a cost-efficient manner and exported in a clean, machine-readable format.

A. Internal Data Sharing:

Data Type | Data Recipient
Visitor photograph, first name, last name, address, phone number, and optional email | Police Department and other local law enforcement entities in case of an incident and as required by law.

Frequency - Data sharing occurs at the following frequency: As needed

In the event statistical data is required by another department the data would be de-identified and prepared for the specific data requirement in a compliant manner.

B. External Data Sharing:

Data Type | Data Recipient
Visitor photograph, first name, last name, address, phone number, and optional email | Non-local law enforcement entities in case of an incident and as required by law.

Frequency - Data sharing occurs at the following frequency: As needed

Data Retention: Department may store and retain raw PII data only as long as necessary to accomplish a lawful and authorized purpose. Department data retention standards should align with how the department prepares its financial records and should be consistent with any relevant Federal Emergency Management Agency (FEMA) or California Office of Emergency Services (Cal OES) sections. The Department's data retention period and justification are as follows:

Retention Period | Retention Justification
The standard is based on the specific security requirement and data retention capacity. In this case, data is retained for the period of time the visitor is on site and up to 30 days after the visit. | The Department requires data retention for legal and medical purposes. Data is required in cases of visitor misconduct. A secondary benefit is the ability to notify visitors if they were exposed to an infectious disease during their visit.

PII data shall not be kept in a form which permits identification of data subjects for any longer than is necessary for the purposes for which the personal data are processed.

Exceptions to Retention Period - PII data collected by the surveillance technology may be retained beyond the standard retention period only in the following circumstance(s):

  • In the event of legal action

Departments must establish appropriate safeguards for PII data stored for longer periods.

Data Disposal: Upon completion of the data retention period, Department shall dispose of data in the following manner:

  • Practices: The technology solution provides standard data retention period configuration and built-in operational functionality, which includes HIPAA- and NIST-compliant data deletion.
  • Processes and Applications: NA - The purpose of the application is to verify visitor identification, classify the nature of the visit, track the visitor's presence in the facility, and enable post-visit communication should the visitor be exposed to an infectious disease. After 30 days the application purges or recycles log files.

COMPLIANCE

Department Compliance

Department shall oversee and enforce compliance with this Policy using the following methods: Annual risk assessment and CMS audits.

Interdepartmental, Intergovernmental & Non-Governmental Entity Compliance

To ensure that entities receiving data collected by the surveillance technology comply with the Surveillance Technology Policy, Department shall adhere to all HIPAA and NIST compliance requirements as well as all Department of Public Health Security, Privacy, and Compliance policies.

Oversight Personnel

Department shall be assigned the following personnel to oversee Policy compliance by the Department and third parties: Clerk Typist (1424).

Sanctions for Violations

Sanctions for violations of this Policy include the following: Employees involved in a violation or breach are subject to mandatory remedial security and HIPAA training. Subsequent violations are reviewed in detail resulting in customized sanctions commensurate with the nature, size, frequency, impact, and details of the violation(s).

If a Department is alleged to have violated the Ordinance under San Francisco Administrative Code Chapter 19B, Department shall post a notice on the Department's website that generally describes any corrective measure taken to address such allegation.

Department is subject to enforcement procedures, as outlined in San Francisco Administrative Code Section 19B.8.

EXCEPTIONS

Only in exigent circumstances or in circumstances where law enforcement requires surveillance technology data for investigatory or prosecutorial functions may data collected, retained or processed by the surveillance technology be shared with law enforcement.

DEFINITIONS

Personally Identifiable Information: Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.

Raw Data: Information collected by a surveillance technology that has not been processed and cleaned of all personal identifiable information. The distribution and use of raw data is tightly restricted.

Exigent Circumstances: An emergency involving imminent danger of death or serious physical injury to any person that requires the immediate use of Surveillance Technology or the information it provides.

AUTHORIZATION

Section 19B.4 of the City's Administrative Code states, "It is the policy of the Board of Supervisors that it will approve a Surveillance Technology Policy ordinance only if it determines that the benefits the Surveillance Technology ordinance authorizes outweigh its costs, that the Surveillance Technology Policy ordinance will safeguard civil liberties and civil rights, and that the uses and deployments of the Surveillance Technology under the ordinance will not be based upon discriminatory or viewpoint based factors or have a disparate impact on any community or Protected Class."

QUESTIONS & CONCERNS

Public Inquiries

Members of the public can register complaints or concerns with the San Francisco Department of Public Health (DPH) IT Service Desk at (628) 206-7378 or by email at dph.helpdesk@sfdph.org.

Department shall acknowledge and respond to complaints and concerns in a timely and organized way, in the following manner: All requests are managed by the Departmental customer request system, which includes standard service level/response time agreements.

Inquiries from City and County of San Francisco Employees

All questions regarding this policy should be directed to the employee's supervisor or to the director. Similarly, questions about other applicable laws governing the use of the surveillance technology or the issues related to privacy should be directed to the employee's supervisor or the director.