Two new privacy impact assessments are released

News Article
The Smart City PDX team and the office of Equity and Human Rights have released two more privacy impact assessments. Portland Police Bureau Body worn cameras and Office of Violence Prevention’s case management system: Apricot360.
Published

The Smart City PDX team and the Office of Equity and Human Rights completed the revision process of two technologies used by the City of Portland in December 2023.

What is a Privacy Impact Assessment (PIA)?

The Privacy Impact Assessment (PIA) is a method to quickly evaluate what are the general privacy risks of a technological solution or a specific use, transfer, or collection of data by City bureaus or offices. The PIA is a way to identify factors that contribute to privacy risks and recommend strategies for risk mitigation or alternatives that reduce or remove those risks.

A PIA is recommended when:

  • A project, technology, data sharing agreement, or other review has been flagged as having some privacy risk due to the collection of private or sensitive data.
  • A technology has high financial impact and includes the collection, use or transfer of data by city bureaus or third parties working for or on behalf of the city.

The City of Portland’s PIAs break down risks and impacts in six areas:

  1. Individual Privacy Harms
  2. Equity and Disparate Community Impact
  3. Political, Reputation and Image
  4. City Business, Quality and Infrastructure
  5. Legal and Regulatory
  6. Financial Impact

An impact assessment workflow includes review by the Smart City PDX team, Office of Equity and Human Rights, and the City Attorney’s Office.

Body Worn Cameras privacy impact assessment

Portland Police Bureau officers are using body worn cameras. This technology is quite mature, and most vendors already comply with the minimum public requirements for information protection, device integrity, and procedures for transparency and tracking.

Our privacy impact assessment highlighted the maturation of this technology as one of the benefits to assure transparency and oversight of the use of these devices. The main risks and impacts our analysis found were regarding the complexities for generating data that describes what demographic groups are the most impacted by using these cameras.

The risk of misusing these devices has been constrained already by the monitoring of how officers and supervisors access recordings and footage.

The last main identified risk was the ability to respond to public records requests. Every request of footage and records needs to go through a privacy process of blurring faces and images that may show sensitive context. This includes footage showing dead bodies, nudity, personal and protected information like social security numbers, children, and other situations protected by Oregon law. These services are expensive and take a considerable amount of time for City staff authorized to do this work.

Download the impact assessment:

PPB-Body Worn Camera pilot PIA

Case management system privacy impact assessment

Apricot360 is a case management system used by the Office of Violence Prevention to manage information from people who have experience gun violence and were referred by Portland Police to receive direct services.

This data management system also integrates contractors working on behalf of the City that offer direct services to people who need them. The City shares certain data with these contractors to provide those services.

The privacy impact assessment highlights that the data sharing of sensitive information to third parties increases the risk of privacy breach. The main recommendation to minimize this risk is to inform contractors and clients about these risks and make sure the City is implementing best practices and legal conditions attached to the collection of information.

Contractors need to comply with the City’s information protection standards when accessing and sharing sensitive information. This assessment also recommends periodic information audits that review practices for information protection and that access to sensitive information is limited to the uses specified to this case.

Download the privacy impact assessment for Apricto360:

Apricot360 PIA