Effective Date: Jan 31, 2013
The Policy applies to activities that involve the use of the City's
information assets, namely, the Information of persons doing business with the City or
receiving services from the City, which are owned by, or entrusted to, the City and will
be made available to the City's employees and third party contractors under contract to
the City to provide Software as a Service consulting services. These activities include,
without limitation, accessing the Internet, using e-mail, accessing the City's intranet
or other networks, systems, or devices.
The term "information assets" also includes the personal information
of the City's employees and any other related organizations while those assets are under
the City's control. Security measures will be designed, implemented, and maintained to
ensure that only authorized persons will enjoy access to the information assets. The
City's staff will act to protect its information assets from theft, damage, loss,
compromise, and inappropriate disclosure or alteration. The City will plan, design, implement
and maintain information management systems, networks and processes in order to assure the
appropriate confidentiality, integrity, and availability of its information assets to the City's
employees and authorized third parties.
B) PERSONAL INFORMATION AND CHOICE
Except as permitted or provided by applicable laws, the City will not share the Information
of any person doing business with the City, or receiving services from the City, in violation of this Policy,
unless that person has consented to the City's sharing of such information during the conduct of the City's
business as a local government agency with third parties under contract to the City to provide services.
C) METHODS OF COLLECTION OF PERSONAL INFORMATION
The City may gather the Information from a variety of sources and resources,
provided that the collection of such information is both necessary and appropriate in order for
the City to conduct business as a local government agency in its governmental and proprietary capacities.
That information may be gathered at service windows and contact centers as well as at web sites, by mobile
applications, and with other technologies, wherever the City may interact with persons who need to share
such information in order to secure the City's services.
The City's staff will inform the persons whose Information is covered by this Policy that
the City's web site may use "cookies" to customize the browsing experience with the City of Palo Alto web site.
The City will note that a cookie contains unique information that a web site can use to track, among other things,
the Internet Protocol address of the computer used to access the City's web sites, the identification of the
browser software and operating systems used, the date and time a user accessed the site, and the Internet
address of the website from which the user linked to the City's web sites. Cookies created on the user's
computer by using the City's web site do not contain the Information, and thus do not compromise the
user's privacy or security. Users can refuse the cookies or delete the cookie files from their
computers by using any of the widely available methods. If the user chooses not to accept a cookie on his or
her computer, it will not prevent or prohibit the user from gaining access to or using the City's sites.
D) UTILITIES SERVICE
In the provision of utility services to persons located within Palo Alto, the City of Palo Alto Utilities Department
("CPAU") will collect the Information in order to initiate and manage utility services to customers. To the extent the management
of that information is not specifically addressed in the Utilities Rules and Regulations or other ordinances, rules, regulations or
procedures, this Policy will apply; provided, however, any such Rules and Regulations must conform to this Policy, unless otherwise
directed or approved by the Council. This includes the sharing of CPAU-collected Information with other City departments except
as may be required by law.
Businesses and residents with standard utility meters and/or having non-metered monthly services will have secure
access through a CPAU website to their Information, including, without limitation, their monthly utility usage and billing data.
In addition to their regular monthly utilities billing, businesses and residents with non-standard or experimental electric,
water or natural gas meters may have their usage and/or billing data provided to them through non-City electronic portals
at different intervals than with the standard monthly billing.
Businesses and residents with such non-standard or experimental metering will have their Information covered by
the same privacy protections and personal information exchange rules applicable to Information under applicable federal and California laws.
E) PUBLIC DISCLOSURE
The Information that is collected by the City in the ordinary course and scope of conducting its business
could be incorporated in a public record that may be subject to inspection and copying by the public, unless such information
is exempt from disclosure to the public by California law.
F) ACCESS TO PERSONAL INFORMATION
The City will take reasonable steps to verify a person's identity before the City will grant anyone online
access to that person's Information. Each City department that collects Information will afford access to affected persons who
can review and update that information at reasonable times.
G) SECURITY, CONFIDENTIALITY AND NON-DISCLOSURE
Except as otherwise provided by applicable law or this Policy, the City will treat the Information of persons covered
by this Policy as confidential and will not disclose it, or permit it to be disclosed, to third parties without the express written consent
of the person affected. The City will develop and maintain reasonable controls that are designed to protect the confidentiality and security
of the Information of persons covered by this Policy.
The City may authorize the City's employees and/or third party contractors to access and/or use the Information of persons
who do business with the City or receive services from the City. In those instances, the City will require the City's employees and/or the third
party contractors to agree to use such Information only in furtherance of City-related business and in accordance with the Policy.
If the City becomes aware of a breach, or has reasonable grounds to believe that a security breach has
occurred, with respect to the Information of a person, the City will notify the affected person of such breach in accordance
with applicable laws. The notice of breach will include the date(s) or estimated date(s) of the known or suspected breach,
the nature of the Information that is the subject of the breach, and the proposed action to be taken or the responsive action taken by the City.
H) DATA RETENTION / INFORMATION RETENTION
The City will store and secure all Information for a period of time as may be required by law, or if no period is established by law,
for seven (7) years, and thereafter such information will be scheduled for destruction.
I) SOFTWARE AS A SERVICE (SAAS) OVERSIGHT
The City may engage third party contractors and vendors to provide software application and database services,
commonly known as Software-as-a-Service (SaaS).
In order to assure the privacy and security of the Information of those who do business with the City and those
who receive services from the City, as a condition of selling goods and/or services to the City, the SaaS
services provider and its subcontractors, if any, including any IT infrastructure services provider, shall design,
install, provide, and maintain a secure IT environment, while it performs such services and/or furnishes goods to
the City, to the extent any scope of work or services implicates the confidentiality and privacy of the Information.
These requirements include information security directives pertaining to: (a) the IT infrastructure,
by which the services are provided to the City, including connection to the City's IT systems; (b)
the SaaS services provider's operations and maintenance processes needed to support the IT environment,
including disaster recovery and business continuity planning; and (c) the IT infrastructure performance monitoring
services to ensure a secure and reliable environment and service availability to the City. The term "IT infrastructure" refers to the integrated framework, including, without limitation, data centers, computers, and database management devices, upon which digital networks operate.
Prior to entering into an agreement to provide services to the City, the City's staff will require the SaaS services provider to complete and submit an Information Security and Privacy Questionnaire. In the event that the SaaS services provider reasonably determines that it cannot fulfill the information security requirements during the course of providing services, the City will require the SaaS services provider to promptly inform the ISM.
J) FAIR AND ACCURATE CREDIT TRANSACTION ACT OF 2003
CPAU will require utility customers to provide their Information in order for the City to initiate and manage utility services to them.
Federal regulations, implementing the Fair and Accurate Credit Transactions Act of 2003 (Public Law 108-159), including the Red Flag Rules,
require that CPAU, as a "covered financial institution or creditor" which provides services in advance of payment and which can affect
consumer credit, develop and implement procedures for an identity theft program for new and existing accounts to detect, prevent, respond to, and mitigate
potential identity theft of its customers' Information.
CPAU procedures for potential identity theft will be reviewed independently by the ISM annually or whenever significant changes
to security implementation have occurred. The ISM will recommend changes to CPAU identity theft procedures, or as appropriate,
so as to conform to this Policy.
There are California laws which are applicable to identity theft; they are set forth in California Civil Code § 1798.92.
statement, the practices of this website, or your dealings with this website,
you can contact:
City of Palo Alto
Telephone: (650) 329-2161