, , , , , , , ,


Joe DeVries from the City Administrator’s office and Brian Hofer of the Ad Hoc Advisory DAC Privacy and Data Retention Committee briefed Oakland’s Public Ethics Commission Monday night and took questions. This is my recap of the PEC’s concerns and my answers where I have them.

DeVries explained how the Snowden-era public pressure combined with the DAC’s early ambitions to compel the Council’s limiting DAC coverage to the Port and a strong privacy policy. He explained the Privacy Committee’s seven requests.

Hofer reported the state of the privacy policy, now before the Council’s Public Safety Committee, open for more public comment into next month. He also spoke to the Privacy Committee’s intent to deploy a framework, a privacy structure, that could be refined and applied through the rest of Oakland government. The PEC in this framework would be one of three channels for whistleblowers to report violations of the privacy policy. The PEC would also be a public ombudsman on privacy.

The Commissioners raised four issues.

The policy may add to the PEC’s workload. The PEC’s headcount will triple this summer, from two to six staff; bigger but still small for the job. New duties and powers may stretch the new team’s capacity. What if whistleblower cases rising from the DAC privacy policy demands even more staff time? There’s no additional funding from the DAC. This could be a risk to the PEC’s ability to perform.

Not really. Let’s do some simple math.

  • Fewer employees to get in trouble. The PEC addresses complaints generated by the behavior of the 4000+ City employees. Fewer than five, likely only two or three, will be involved in using the DAC software. That’s 0.1% of the existing workload.
  • Few hours of activity. As originally scoped, the DAC would be staffed all day and night year round. Plans changed, funding was cut and now it will be an on-demand service. Oakland Police knew of 98 protests in 2014 and activated the Emergency Operations Center (where the DAC lives) for 14 of them, about 15% of the time. So let’s say they turn on the DAC for a two-hour look-see 85 times a year and for two shifts 15 times. That’s 410 hours of use a year, or 4.7% of the originally planned 8760 hours/year.
  • Small geography being watched. Oakland has 806 miles of streets. There fewer than 4 miles of street bordering the Port of Oakland. And it’s not a pedestrian hot spot. So the exposure to people who might have privacy, speech, or assembly concerns is vanishingly small. Less than 0.5% of the DAC’s original beat.
  • The PEC is just one of three whistleblower channels. The DAC Privacy Policy calls for the City Auditor and a new privacy committee/commission to also field complaints. So if workload does arise, it would likely receive just one-third of the complains.

0.1% * 4.7% * 0.5% * 33% is a vanishingly small impact. The DAC’s use and application would have to change radically for enough people to be affected by the DAC to create a material risk to the PEC’s whistleblower pipeline.

New expertise needed.  Privacy competence is not required now. PEC staff must master the laws, regulations, and practices for each area where they administer justice. This requires time and training. How could the PEC rapidly become sufficiently knowledgeable and skilled to do a good job without extra headcount and specialized experts?

Assuming even one privacy matter comes before the PEC, this is a fair concern.

The model proposed by the DAC Privacy Policy is that a standing privacy committee or commission would be a central repository for technical, legal, and policy expertise, available to the PEC and City Auditor. Even so, the PEC would want at least familiarity with any new purview asked of it.

Uneven justice for whistleblowers. The new policy calls for three different organizations provide privacy oversight, whistleblower investigations, and public ombudsman services. Today, the PEC and Auditor have different protocols and standards for administering whistleblower investigations. For instance the Auditor’s investigations may be public and optional while the PEC’s investigations are private and mandatory. Their abilities to order operational changes or to punish are different. Could we see different outcomes for the same issue depending on who the whistleblower calls?

Good question. The Policy doesn’t address this. Suggestions?

Duplication of effort. Do we really want to build the oversight, ombudsman, and whistleblower capacity three times?


It’s their duty. Government abuse of the federal and state constitutions or of the City’s charter is within scope for the PEC, City Auditor, and the new privacy committee/commission.

Variety works. City staff and the public perceive real differences between the PEC, Auditor, and the privacy group. The Auditor’s office is known for public crackdowns on waste and poor management. The PEC is known for adeptly resolving conflicts of interest and employee relations investigations. And the privacy group may be known for a focus on civil liberties. Each brand will appeal to different employees in different situations. So they are more likely, as a whole, to report abuse to someone.

Those are my answers and explanations so far. And they’re rough and incomplete, perhaps outright wrong. Are there better answers? Better questions? Or better ways of framing the problems? Chime in.