by Unknown
system, the project is responsible for establishing the existence of rea-
sonable suspicion of criminal activity either through examination of
supporting information submitted by a participating agency or by
delegation of this responsibility to a properly trained participating
agency, which is subject to routine inspection and audit procedures
established by the project.
(d) A project shall not include in any criminal intelligence system information that has been obtained in violation of any applicable federal,
state, or local law or ordinance. In an interjurisdictional intelligence
system, the project is responsible for establishing that no information
is entered in violation of federal, state, or local laws, either through
examination of supporting information submitted by a participating
agency or by delegation of this responsibility to a properly trained
participating agency, which is subject to routine inspection and audit
procedures established by the project.
Appendix D: Consumer and Credit Data Privacy Laws
463
(e) A project or authorized recipient shall disseminate criminal intel-
ligence information only where there is a need to know and a right
to know the information in the performance of a law enforcement
activity.
(f) (1) Except as noted in paragraph (f) (2) of this section, a project shall disseminate criminal intelligence information only to law
enforcement authorities who shall agree to follow procedures
regarding information receipt, maintenance, security, and dis-
semination, which are consistent with these principles.
(2) Paragraph (f) (1) of this section shall not limit the dissemina-
tion of an assessment of criminal intelligence information to a
government official or to any other individual, when necessary,
to avoid imminent danger to life or property.
(g) A project maintaining criminal intelligence information shall ensure that administrative, technical, and physical safeguards (including
audit trails) are adopted to ensure against unauthorized access and
against intentional or unintentional damage. A record indicating who
has been given information, the reason for release of the information,
and the date of each dissemination outside the project shall be kept.
Information shall be labeled to indicate levels of sensitivity, levels of confidence, and the identity of submitting agencies and control officials. Each project must establish written definitions for the need to
know and right to know standards for dissemination to other agencies
as provided in paragraph (e) of this section. The project is responsible
for establishing the existence of an inquirer’s need to know and right
to know the information being requested either through inquiry or
by delegation of this responsibility to a properly trained participating
agency, which is subject to routine inspection and audit procedures
established by the project. Each intelligence project shall assure that
the following security requirements are implemented:
(1) Where appropriate, projects must adopt effective and techno-
logically advanced computer software and hardware designs to
prevent unauthorized access to the information contained in
the system.
(2) The project must restrict access to its facilities, operating envi-
ronment, and documentation to organizations and personnel
authorized by the project.
(3) The project must store information in the system in a manner
such that it cannot be modified, destroyed, accessed, or purged
without authorization.
(4) The project must institute procedures to protect criminal intel i-
gence information from unauthorized access, theft, sabotage, fire,
flood, or other natural or manmade disaster.
464
Appendix D: Consumer and Credit Data Privacy Laws
(5) The project must promulgate rules and regulations based on
good cause for implementing its authority to screen, reject for
employment, transfer, or remove personnel authorized to have
direct access to the system.
(6) A project may authorize and utilize remote (off-premises) sys-
tem databases to the extent that they comply with these security
requirements.
(h) All projects shall adopt procedures to assure that all information,
which is retained by a project, has relevancy and importance. Such
procedures shall provide for the periodic review of information and
the destruction of any information that is misleading, obsolete, or
otherwise unreliable and shall require that any recipient agencies
be advised of such changes, which involve errors or corrections. Al
information retained as a result of this review must reflect the name
of the reviewer, date of review, and explanation of decision to retain.
Information retained in the system must be reviewed and validated
for continuing compliance with system submission criteria before the
expiration of its retention period, which in no event shall be longer
than 5 years.
(i) If funds awarded under the act are used to support the operation of
an intelligence system, then
(1) No project shall make direct remote terminal access to intel igence
information available to system participants, except as specifical y
approved by the Office of Justice Programs (OJP) based on a deter-
mination that the system has adequate policies and procedures in
place to ensure that it is accessible only to authorized system users
(2) A project shall undertake no major modifications to system
design without prior grantor agency approval
(j) A project shall notify the grantor agency prior to initiation of formal information exchange procedures with any federal, state, regional,
or other information systems not indicated in the grant documents
as initially approved at time of award.
(k) A project shall make assurances that there will be no purchase or use in the course of the project of any electronic, mechanical, or other
device for surveil ance purposes that is in violation of the provisions
of the Electronic Communications Privacy Act of 1986; Public Law
99-508; 18 U.S.C. 2510-2520, 2701-2709, and 3121-3125; or any appli-
cable state statute related to wiretapping and surveil ance.
(l) A project shall make assurances that there will be no harassment or
interference with any lawful political activities as part of the intel-
ligence operation.
(m) A project shall adopt sanctions for unauthorized access, utilization, or disclosure of information contained in the system.
Appendix D: Consumer and Credit Data Privacy Laws
465
(n) A participating agency of an interjurisdictional intel igence system must maintain in its agency files information that documents each
submission to the system and supports compliance with project entry
criteria. Participating agency files supporting system submissions
must be made available for reasonable audit and inspection by proj-
ect representatives. Project representatives wil conduct participating
agency inspection and audit in such a manner so as to protect the con-
fidentiality and sensitivity of participating agency intel igence records.
this part with respect to a criminal intelligence system, or for a class
of submitters or users of such system, upon a clear and convincing
showing that such waiver would enhance the collection, maintenance,
or dissemination of information in the criminal intelligence system
while ensuring that such system would not be utilized in violation of
the privacy and constitutional rights of individuals or any applicable
state or federal law.
§ 23.30 Funding Guidelines The following funding guidelines shall apply to all Crime Control Act–funded discretionary assistance awards
and Bureau of Justice Assistance (BJA) formula grant program subgrants,
the purpose of which is to support the operation of an intelligence system.
Intelligence systems shall only be funded where a grantee/subgrantee agrees to adhere to the principles set forth previously and the project meets the following criteria:
(a) The proposed collection and exchange of criminal intelligence infor-
mation have been coordinated with and will support ongoing or
proposed investigatory or prosecutorial activities relating to specific
areas of criminal activity.
(b) The areas of criminal activity for which intelligence information is to be utilized represent a significant and recognized threat to the population and
(1) Are either undertaken for the purpose of seeking illegal power or
profits or pose a threat to the life and property of citizens
(2) Involve a significant degree of permanent criminal organization
(3) Are not limited to one jurisdiction
(c) The head of a government agency or an individual with general policymaking authority who has been expressly delegated such control and
supervision by the head of the agency will retain control and super-
vision of information collection and dissemination for the criminal
intelligence system. This official shall certify in writing that he or
she takes full responsibility and will be accountable for the informa-
tion maintained by and disseminated from the system and that the
466
Appendix D: Consumer and Credit Data Privacy Laws
operation of the system will be in compliance with the principles set
forth in § 23.20.
(d) Where the system is an interjurisdictional criminal intelligence system, the governmental agency, which exercises control and supervi-
sion over the operation of the system, shall require that the head of
that agency or an individual with general policy-making authority
who has been expressly delegated such control and supervision by
the head of the agency
(1) Assume official responsibility and accountability for actions
taken in the name of the joint entity
(2) Certify in writing that the official takes full responsibility and
will be accountable for ensuring that the information transmit-
ted to the interjurisdictional system or to participating agencies
will be in compliance with the principles set forth in § 23.20
The principles set forth in § 23.20 shall be made part of the by-laws or
operating procedures for that system. Each participating agency, as a
condition of participation, must accept in writing those principles that
govern the submission, maintenance, and dissemination of informa-
tion included as part of the interjurisdictional system.
(e) Intelligence information will be collected, maintained, and dissemi-
nated primarily for state and local law enforcement efforts, including
efforts involving federal participation.
§ 23.40 Monitoring and Auditing of Grants for the Funding of Intel igence Systems
(a) Awards for the funding of intel igence systems will receive specialized monitoring and audit in accordance with a plan designed to ensure
compliance with operating principles as set forth in § 23.20. The plan
shall be approved prior to award of funds.
(b) All such awards shall be subject to a special condition requiring
compliance with the principles set forth in § 23.20.
(c) An annual notice will be published by OJP that will indicate the existence and the objective of all systems for the continuing interjuris-
dictional exchange of criminal intel igence information, which are
subject to the 28 C.F.R. Part 23 Criminal Intel igence Systems Policies.
Laurie Robinson, Acting Assistant Attorney General, Office of Justice
Programs (FR Doc. 93-22614 Filed 9-15-93; 8:45 a.m.) Criminal Intelligence Sharing Systems; Policy Clarification [Federal Register: December 30, 1998
(Volume 63, Number 250)] [Pages 71752–71753] from the Federal Register
online via GPO access [wais.access.gpo.gov], Department of Justice, 28
C.F.R. Part 23 [OJP(BJA)-1177B] RIN 1121-ZB40.
Appendix D: Consumer and Credit Data Privacy Laws
467
1993 Revision and Commentary
28 C.F.R. Part 23 Final Revision to the Office of Justice Programs,
Criminal Intelligence Systems Operating Policies
--------------------------------------
Agency: OJP, Justice
Action: Final rule
Summary: The regulation governing criminal intelligence systems operating through support under Title I of the Omnibus Crime Control and Safe
Streets Act of 1968, as amended, is being revised to update basic authority citations and nomenclature, to clarify the applicability of the regulation, to define terms, and to modify a number of the regulation’s operating policies and funding guidelines.
Effective date: September 16, 1993
For further information, contact: Paul Kendall, Esquire, General Counsel, Office of Justice Programs, 633 Indiana Ave., NW, Suite 1245-E, Washington, DC, 20531, Telephone (202) 307-6235.
Supplementary information: The rule, which this rule supersedes, had been in effect and unchanged since September 17, 1980. A notice of
proposed rulemaking for 28 C.F.R. Part 23 was published in the Federal Register on February 27, 1992 (57 FR 6691). The statutory authorities for this regulation are Section 801(a) and Section 812(c) of Title I of the Omnibus Crime Control and Safe Streets Act of 1968, as amended, the
Act, 42 U.S.C. 3782(a) and 3789g(c). 42 U.S.C. 3789g (c) and (d) provide
as follows:
Confidentiality of Information
Section 812
(c) All criminal intel igence systems operating through support under
this title shall col ect, maintain, and disseminate criminal intel igence information in conformance with policy standards, which are prescribed by the OJP and which are written to assure that the funding
and operation of these systems further the purpose of this title and to
assure that such systems are not utilized in violation of the privacy and constitutional rights of individuals.
(d) Any person violating the provisions of this section, or of any rule, regulation, or order issued thereunder, shall be fined not to exceed
$10,000, in addition to any other penalty imposed by law.
468
Appendix D: Consumer and Credit Data Privacy Laws
This statutory provision and its implementing regulation apply to intel-
ligence systems funded under Title I of the act, whether the system is
operated by a single law enforcement agency, is an interjurisdictional intelligence system, is funded with discretionary grant funds, or is funded by a state with formula grant funds awarded under the act’s Drug Contro
l and
System Improvement Grant Program pursuant to part E, subpart 1 of the
act, 42 U.S.C. 3751-3759. The need for change to 28 C.F.R. Part 23 grew
out of the program experience of the OJP and its component agency, the
BJA, with the regulation and the changing and expanding law enforcement
agency need to respond to criminal mobility, the national drug program,
the increased complexity of criminal networks and conspiracies, and the
limited funding available to state and local law enforcement agencies. In addition, law enforcement’s capability to perform intelligence database and analytical functions has been enhanced by technological advancements and
sophisticated analytical techniques.
28 C.F.R. Part 23 governs the basic requirements of the intelligence system process. The process includes
1. Information submission or collection
2. Secure storage
3. Inquiry and search capability
4. Controlled dissemination
5. Purge and review process
Information systems that receive, store, and disseminate information on individuals or organizations based on reasonable suspicion of their involvement in criminal activity are criminal intelligence systems under the regulation.
The definition includes both systems that store detailed intelligence or investigative information on the suspected criminal activities of subjects and those that store only information designed to identify individuals or organizations that are the subject of an inquiry or analysis (a so-called pointer system). It does not include criminal history record information (CHRI) or identification (fingerprint) systems. There are nine significant areas of change to the regulation:
(1) Nomenclature changes (authority citations, organizational names)
are included to bring the regulation up to date.
(2) Definitions of terms (28 C.F.R. 23.3(b)) are modified or added as
appropriate. The term intel igence system is redefined to clarify the fact that historical telephone toll files, analytical information, and
work products that are not either retained, stored, or exchanged
and CHRI or identification (fingerprint) systems are excluded from
the definition and hence are not covered by the regulation; the terms