|
|
Meeting date/time:
|
3/10/2016
10:00 AM
|
Minutes status:
|
Final
|
|
|
Meeting location:
|
Room 303, Third Floor, City Hall
|
|
| | 1. | | Call to Order.
Minutes note: Meeting convened at 10:15 a.m.
Mr. Klajbor was nominated Chair Pro Tem by Mr. Owczarski, seconded by Ms. Wilichowski. There was no objection. | | | |
|
Not available
|
|
| | 2. | | Roll Call. | | | |
Roll call
|
Not available
|
|
| | | | Individuals also present:
Minutes note: Nancy Olson, DOA - Information & Technology Management Division
Jacquelyn Block, City Clerk's Office - City Records
Aaron Szopinski, Mayor's Office
Greg Lotzke, Comptroller Office - Audit Division
Peter Block, City Attorney's Office
Casey Lapworth, Milwaukee Public Library | | | |
|
Not available
|
|
| | 3. | | Review and Approval of the Previous Meeting Minutes from December 10, 2015.
Minutes note: The meeting minutes from December 10, 2015 were approved with the amendment to correct the spelling of Ms. Wilichowski’s name throughout the minutes. There was no objection. | | | |
|
Not available
|
|
| | 4. | | Records Retention
Minutes note: -State Record Board Approval of Previous Schedules
Ms. Block said that the state board approved the committee’s previous schedules from September 2015 at its November 2015 meeting with a change to use the word “destroy” rather than “purge” relating to the final disposition of electronic records.
| | | |
|
Not available
|
|
| | 5. | | Old Business
Minutes note: -Report on Email Account Termination Policy Status
Ms. Olson gave an update. The policy was approved on February 1, 2016 and is available with other polices approved by the committee on the MINT under “Technology” and “Policy & Guidelines”. The policy relates to the authority of ITMD to maintain and deactivate email accounts of those employees separating from city service. Email accounts are automatically and generally terminated and deactivated at the end of a month when an employee’s account drops from the HR system within the same month. The HR report is generated at the end of each month. ITMD needs to be notified from departments of any email accounts that should be deactivated immediately, become reactivated, remain active for a period of time, or have a bounce back message. There is no bounce back message for deactivated accounts. Accounts that remain open with a bounce back message remain active typically for six weeks. The policy helps to reduce costs for email licenses and eliminate email accounts that are no longer being used.
-Citywide Study of IT Positions from the Department of Employee Relations (DER)
Ms. Olson said that DER was not prepared to provide an update, she wanted the matter to remain on the committee’s radar, and that the matter should be held over to the next meeting.
-What Works Cities Open Data Initiative Update
Ms. Olson provided an update. There is a signed memorandum of understanding for the technical assistance grant for people of expertise from several organizations. There are no dollars associated with the grant. There will be two projects that will overlap. The first project is the open data initiative that will continue to be in front of the committee. Open data means online data that is free, nonproprietary, unrestricted, and machine processed. The purpose of the initiative is to increase citizen engagement, transparency, and perhaps economic development. A presentation from the Sunlight Foundation, draft policy, and draft data inventory with priorities will likely be before the committee at its next meeting.
The CIMC committee should be the body to have governance of the open data, which follows after the establishment of the policy. She is the point person on the initiative.
Members questioned the proposed governing group, access to proprietary databases from vendors, and verification of data.
Mr. Owczarski said that departments really have the keys and control to their datasets.
Ms. Olson replied. CIMC should be the group to review and approve datasets being made available online. She can help facilitate access to information, start the draft policy, and start the draft data inventory. Departments will be part of the discussion as they are the custodians of their datasets. Her office will serve as a physical custodian of datasets similar to email accounts and the City Treasurer’s Office tax system. For vendor data, future conversations need to have with the offices of City Purchasing and City Attorney to install language into contracts to make data open and available. Departments should be forthcoming on providing clean, verified datasets. Certain attributes of datasets will need to be kept private. | | | |
|
Not available
|
|
| | 6. | | New Business
Minutes note: -Email Use Policy
Ms. Olson gave an overview on the updated email use policy. The policy was last approved on October 19, 2009. There are substantial text changes since the original adoption of the policy due to changes with the email system. The policy format is the same. Changes include mention of the email account termination policy; update of terminology to reflect current definition of terms; removal of some concepts and terms; clean up to make the policy short and concise; and strengthening language to encourage city departments to not request city email accounts for outside consultants, contractors, and agents for the City. Acceptable use did not change.
Atty. Block inquired about an exception regarding enabling city email accounts for outside contracted personnel for the City due to security reasons. Some city departments, such as the City Attorney’s Office and police department, have contractors working for them for many years. Contracts can be structured with language stipulating that they are subject to the open records law and are obligated to assist the City to retain records. A concern would be if the contracted person uses City email to conduct business with third parties.
Mr. Klajbor said that the policy does not prohibit the contracted individuals from having and utilizing city email accounts, but they must truly only utilize city emails for City business. They should identify themselves as non city employees or being under city contract in their emails and comply with open records rules.
Ms. Olson said that the policy can be changed to make exceptions but for only substantial reasons.
Ms. Olson said that another policy change is the addition of a section on encryption email due to recent discussion and RITS (Request IT Support system) requests regarding sending and receiving encrypted emails. There are encrypted emails coming into the city email system from different vendors, who are primarily deal with health institutions. Other cities and counties are sending encrypted emails to the City. ZixCorp is one of the vendors, and they have sent about 1200 encrypted emails to the City. Those emails are not discoverable or searchable by our tools, which is a major concern especially concerning open records requests for litigation purposes. The policy states that encrypted emails sent to the City from outside sources are not searchable for the purposes of records. Also, city users are responsible to save documents from encrypted emails, if they accept them, into a file directory system so that they are available and searchable for the purposes of open records and litigation. Encrypted emails usually require recipients to unlock the email with a passcode and click a link to get the message or information. Encryption basically means the message or information cannot be seen in a regular email. Recipients have to go back to the encrypted email to retrieve the encrypted information each time they want to read the email. The City’s system has the ability to encrypt and send emails out regarding confidential information such as social security numbers and bank account numbers.
Ms. Wilichowski said that the fire department sends encrypted emails due to having protected information on patient contacts under the Health Insurance Portability and Accountability Act (HIPAA). The information is sent to the County’s EMS center to communicate with health institutions.
Ms. Olson said that the City’s Office 365 email system is fully HIPAA compliant. There is security set on the email system for transport layer security between servers where message is encrypted across the internet through TLS protocol. TLS supersedes SSL protocol. SSL encryption is used on the internet for website transactions through eBay, PayPal, and Amazon.
Ms. Olson added that the City may turn on encryption to send from its email system.Encrypted, sent emails would be searchable since they would be in everyone’s sent items. Turning on encryption will be problematic and complicate open records searches.
Ms. Olson said that purchased products for city email encryption have some advantages. The products can do email encryption at the policy level with rules relating to HIPAA. Individual users would not be responsible. The ZixCorp product has searchable emails only between ZixCorp customers where the emails would unencrypt itself in the mailbox; however, the ability to search would not be 100%. ZixCorp is the biggest vendor in the cloud space. The annual cost for purchasing such a product will be significant at $36 per user, over $10,000 for 300 users, and $80,000 for all city users.
Atty. Block made comments. Issues from engaging in email encryption will include inaccurate discovery for public records and the lack of recognition of encryption from every user. There is no control over emails coming in. Retaining and responding to open records request can be a logistical problem. Other municipalities should be facing this issue. His office has tried to contact other municipalities with no response yet on the issue. There is a preliminary look for program systems to deal with email encryption. Buying licenses for these programs may not be feasible as new licenses are required every year.
Mr. Owczarski said the City will have significant liability if it engages in encrypted emails. It should be verified if the City’s email system is HIPAA compliant before the City engages in email encryption. If Office 365 is HIPAA complaint then it would be a satisfactory, existing tool to use rather than utilizing outside products. The concern should be about retaining encrypted emails, and users will resort to printing them.
Ms. Wilichowski said that there should be one file directory to be used by all city departments to save encrypted emails and that her office has used fax machines as a secure communication method for their HIPAA sensitive information.
Atty. Block said that his office contacts asks departments to provide information, if necessary, in response to open records request and also does its own internal search. The same process can be done for requesting for encrypted email records if they are maintained in separate, departmental directories. Regarding HIPAA compliance, his office will try to get a response by working with ITMD. The HIPAA requirement is a best practice that is followed although not being required.
In response to Mr. Klajbor‘s suggestion to reduce costs by having a select number of employees authorized to encrypt, Ms. Olson said that her office does not want to be engaged with maintaining a list of authorized employees.
Mr. Klajbor recommended that encrypted emails should only be used by the City when required by federal, state, or local law.
Mr. Klajbor added departments are responsible to save encrypted emails, determine if encryption is necessary, and contact the source of the encryption email if encryption is not necessary. The City can only control sending emails. The issue is an educational one. A decision should be made by the committee today regarding the City utilizing email encryption and can be revisited if necessary.
Mr. Owczarski said that he has no objection to Mr. Klajbor’ s recommendation so as long as it is verified that the City’s email system is HIPAA compliant. The system is encrypted. The false premise is that the City is not HIPAA complaint.
Mr. Owczarski moved to amend the “Email Use Policy”, as recommended by Mr. Klajbor, in that encrypted emails should only be used by the City when required by federal, state, or local law. Seconded by Ms. Wilichowski. There was no objection.
-2015 CIMC Annual Report
Mr. Lee said that the report summarizes matters deliberated by the committee in 2015.
Mr. Owczarski said that all plural bodies are required to submit an annual body per the city code.
Mr. Owczarski moved approval, seconded by Ms. Wilichowski, of the 2015 CIMC Annual Report. There was no objection.
| | | |
|
Not available
|
|
| | 7. | | The following files may be placed on file as no longer necessary: | | | |
|
Not available
|
|
141706
| 0 | a. | Communication | Communication relating to the matters to be considered by the City Information Management Committee at its March 12, 2015 meeting. | PLACED ON FILE | Pass | 7:0 |
Action details
|
Not available
|
|
150212
| 0 | b. | Communication | Communication relating to the matters to be considered by the City Information Management Committee at its June 1, 2015 meeting. | PLACED ON FILE | Pass | 7:0 |
Action details
|
Not available
|
|
150510
| 0 | c. | Communication | Communication relating to the matters to be considered by the City Information Management Committee at its September 3, 2015 meeting. | PLACED ON FILE | Pass | 7:0 |
Action details
|
Not available
|
|
151093
| 0 | d. | Communication | Communication relating to the matters to be considered by the City Information Management Committee at its December 10, 2015 meeting. | PLACED ON FILE | Pass | 7:0 |
Action details
|
Not available
|
|
| | | | Meeting adjourned at 11:18 a.m.
Linda Elmer, Staff Assistant
Chris Lee, Staff Assistant | | | |
|
Not available
|
|
| | | | Materials for this meeting can be found within the following file: | | | |
|
Not available
|
|
151552
| 0 | | Communication | Communication relating to the matters to be considered by the City Information Management Committee at its March 10, 2016 meeting. | | | |
Action details
|
Not available
|
|
|