Data custodian and stewardship policy

Purpose and scope

The purpose of this policy is to:

• Designate Department of Technology (DT) as infrastructure manager (Custodian) performing data processing (Infrastructure Manager) for DT-managed IT assets.
• Designate City departments as data owners (Owners).
• Outline roles and responsibilities each party has in connection with this policy.

All other policies covering the authorized use of CCSF computing resources are still in effect, as are all regulations (e.g., HIPAA, CJIS, Sunshine Ordinance, Data Retention, etc.) which protect the confidentiality and integrity of data entrusted to CCSF departments.

This policy applies to DT-managed networks, hardware, software, storage, external cloud environments, SaaS and the data (database records, video, chat, phone, etc), where DT has direct administration and/or technical oversight.  This is to be distinguished from a shared enterprise technology contract or agreement managed by DT whereby multiple departments may use the same Enterprise Agreement but manages or administers their technical implementations or instances separately from each other, including DT.

Policy statement

The Department of Technology (DT) is and will at all times remain the “Custodian” of data transmitted, uploaded, accessed, or stored on DT managed City IT infrastructure. Each Department is the “Owner” of the Department’s data and is responsible for any data practices governing access, segregation, and retention.  Data ownership responsibilities belong to Departments, subject to the other related policies referenced below. Further, DT will not share, record, transmit, alter, or delete information belonging to CCSF departments, except that DT will share and transmit information in response to a request from the City Attorney, Controller, or Ethics Commission related to investigation or a request from the City Attorney related to litigation.

Approved October 21, 2021