Technology & Data Policies

The City of Tucson leverages a variety of advanced technologies to enhance public services and improve the quality of life for its residents. These technologies include:

• Digital Services and Portals: The City provides online portals and mobile applications to streamline access to essential services such as bill payment, permit applications, and public information, making it easier for residents to engage with local government.
• Geographic Information Systems (GIS): GIS technology allows the City to manage spatial data, helping with urban planning, zoning, and resource allocation. This tool is essential for decision-making related to infrastructure, environmental planning, and emergency management.
• Public Safety Technologies: The City utilizes various communication and video-recording technologies to ensure the safety of its residents, including emergency notification systems, body cameras for law enforcement, and advanced dispatch systems for fire and medical services.
• Cloud-Based Solutions and Data Management: To improve efficiency, the City uses cloud-based platforms to store and manage data, enabling better collaboration, enhanced security, and more effective service delivery across different departments. 

All technologies used by the City require a review considering the intended value and operational need, costs, interoperability, sustainability, and security. Novel uses of technology which add risk (namely generative AI and other autonomous solutions) also undergo a supplemental review by our Advanced Technology Committee to ensure risks are properly considered and managed, with disclosure, training and controls established as appropriate.

As with all City endeavors, technology use must ultimately serve the needs of the residents and businesses of Tucson. Furthermore, technology must: 1) fulfill a business or departmental need; 2) be sustainable; and 3) be cost-effective. When the City can meet these principles by procuring a commercial software solution, it will do so.

The Advanced Technology Committee evaluates all advanced technologies, including AI, or novel uses of existing technology which may introduce risk. This group assesses the proposed tools, the use cases, how they could be misused, safeguards and plans to ensure human oversight or correction, and establishes the security and ethical guardrails for AI use. Typically, any approved use that introduces more than minimal risk is limited to only those with individual pre-approval after ensuring controls are set by the department and awareness of requirements by the individual(s) authorized to use the tools. Any evidence of misuse results in a review by the committee, which may lead to tool restrictions, banning tools, or disciplinary action, up to and including termination.

To date, all tools approved for production use by the Advanced Technology Committee require Advanced AI only be used to augment, inform or supplement staff, with a human needing to be the initiator of action or response, as the final owner of the action or product. AI tools users are accountable for disclosure of use and the final product, with higher risk AI solutions requiring department director signoff and approval for use. Public-facing tools involved in consequential decisions, if considered, would require disclosure of use, opt-out provisions and higher-level risk assessment.

The Advanced Technology Committee includes representatives from the Office of Equity, as well as IT representatives trained in AI risks and bias (including an AI Program Manager) to identify sources of bias, risks of bias, and establish guidance or support as needed in minimizing bias in AI systems. AI system owners are also evaluated for their understanding of bias and how it can be introduced and mitigated in their proposed systems. When concerns arise about the outcome of AI to supplement staff activities, pilots are typically performed where AI outcomes are compared against human processed work, to identify the accuracy and reliability of output. If the output does not meet existing criteria for acceptable work products, those systems are not approved for production use.

The City is currently exploring how facial recognition technology might be used responsibly and ethically. As of early 2025, the City of Tucson does not operate a facial recognition program. However, biometric tools are used in limited, specific contexts with trained personnel. For example, the Tucson Police Department uses a system called Morpho, a biometric identification platform used primarily for fingerprint scanning. This tool helps confirm the identity of individuals during lawful booking procedures and is not used for surveillance purposes.

Personal privacy is a core consideration in the City’s use of surveillance technologies. The City implements a range of safeguards to protect residents, including limiting surveillance to legally authorized purposes, restricting access to collected footage or data, and requiring logging of all access or use. Data collected through surveillance tools is governed by retention schedules and cannot be used for purposes outside its original scope without further authorization.

The City has established and continually refines systems, roles and processes to logically and physically secure and protect all sensitive public data. Priority is given to those data which must conform to external regulatory requirements, such as Personally Identifiable Information (PII), payment data, and similar data protected from disclosure by law. This includes employing a full time team of cybersecurity staff, external audits of City security, training programs for staff education about security risks, and improving design of business processes and tools to minimize and restrict access to sensitive information. Best practices are followed for user account security, access permissions, and similar means to restrict access to sensitive information.

Per City of Tucson Administrative Directive 1.08-7 Data Ownership and Access Policy, City departments are accountable for training and processes to protect their respective data. The IT Department and the departments use a combination of access control permissions and software access controls to minimize access to sensitive data designated as level 2 or 3. The City complies with all national and state standards and regulations for data sensitivity and restrictions, including HIPAA, PCI, and CJIS, among others. Backend data access controls are limited to specific IT department personnel and data management roles. Physical security and cybersecurity systems are in place to monitor unauthorized access to systems and networks to further secure data.

The City adheres to federal, state, and local laws for data retention, including the general and custom state retention schedules maintained by the Arizona State Library. Most transitory communications (email, text, etc.) which do not qualify as records are purged after 90 days. Operational data elements for services provided by the City are typically kept for longer periods based on the longevity of software systems which capture the data, cost to store and retain data, and all legal requirements for data destruction. Average retention for these data typically extends to no more than approximately 7-10 years.

The City responds to data breaches or cybersecurity threats by following a predefined incident response plan, which includes identifying the threat, containing the breach, notifying affected parties, and conducting a thorough investigation. It also involves strengthening security measures, complying with legal requirements, and working with relevant authorities to mitigate future risks.