by Unknown
Appendix D: Consumer and Credit Data Privacy Laws
469
interjurisdictional intel igence system, criminal intel igence information, participating agency, intelligence project, and validation of information are key terms that are defined in the regulation for the first time.
(3) The operating principles for intelligence systems (28 C.F.R. 23.20) are modified to define the term reasonable suspicion or criminal predicate. The finding of reasonable suspicion is a threshold requirement for entering intelligence information on an individual or organization into an intelligence database (28 C.F.R. 23.20(c)). This determina-
tion, as well as determinations that information was legally obtained
(28 C.F.R. 23.20(d)) and that a recipient of the information has a need
to know and a right to know the information in the performance
of a law enforcement function (28 C.F.R. 23.20(e)), is established as
the responsibility of the project for an interjurisdictional intelligence system. However, the regulation permits these responsibilities to be
delegated to a properly trained participating agency, which is subject
to project inspection and audit (28 C.F.R. 23.20(c),(d),(g)).
(4) Security requirements are established to protect the integrity of
the intelligence database and the information stored in the database
(28 C.F.R. 23.20(g)(1)(i)–(vi)).
(5) The regulation provides that information retained in the system
must be reviewed and validated for continuing compliance with
system submission criteria within a 5-year retention period. Any
information not validated within that period must be purged from
the system (28 C.F.R. 23.20(h)).
(6) Another change continues the general prohibition of direct remote
terminal access to intelligence information in a funded intelligence
system but provides an exception for systems that obtain express
OJP approval based on a determination that the system has adequate
policies and procedures in place to ensure that access to system intel-
ligence information is limited to authorized system users (28 C.F.R.
23.20(i)(1)). OJP will carefully review all requests for exception to
assure that a need exists and that system integrity will be provided
and maintained (28 C.F.R. 23.20(i)(1)).
(7) The regulation requires participating agencies to maintain backup
files for information submitted to an interjurisdictional intelli-
gence system and provide for inspection and audit by project staff
(28 C.F.R. 23.20(h)).
(8) The final rule also includes a provision allowing the attorney general or the attorney general’s designee to authorize a departure from the
specific requirements of this part, in those cases where it is clearly
shown that such waiver would promote the purposes and effec-
tiveness of a criminal intelligence system while at the same time
ensuring compliance with all applicable laws and protection for the
470
Appendix D: Consumer and Credit Data Privacy Laws
privacy and constitutional rights of individuals. The department
recognizes that other provisions of federal law may be applicable to
(or may be adopted in the future with respect to) certain submitters
or users of information in criminal intelligence systems. Moreover,
as technological developments unfold over time in this area, experi-
ence may show that particular aspects of the requirements in this
part may no longer be needed to serve their intended purpose or
may even prevent desirable technological advances. Accordingly,
this provision grants the flexibility to make such beneficial adapta-
tions in particular cases or classes without the necessity to under-
take a new rulemaking process. This waiver authority could only
be exercised by the attorney general or designee, in writing, upon a
clear and convincing showing (28 C.F.R. 23.20 (o)).
(9) The funding guidelines (28 C.F.R. 23.30) are revised to permit
funded intelligence systems to collect information either on orga-
nized criminal activity that represents a significant and recognized
threat to the population or on criminal activity that is multijurisdic-
tional in nature.
Rulemaking History
On February 27, 1992, the Department of Justice, OJP, published a notice of proposed rulemaking in the Federal Register (57 FR 6691). The OJP received a total of 11 comments on the proposed regulation, 7 from state agencies, 2 from Regional Information Sharing Systems (RISS) program fund
recipients, 1 from a federal agency, and 1 from the RISS Project Directors Association. Comments will be discussed in the order in which they
address the substance of the proposed regulation.
Discussion of Comments
Title—Part 23 comment: One commentor suggested reinserting the word Operating in the title of the regulation to read Criminal Intel igence Systems Operating Policies to reflect that the regulation applies only to policies governing system operations.
Response: Agreed. The title has been changed.
Applicability: Section 23.3(a) Comment: A question was raised by one respondent as to whether the applicability of the regulation under Section 23.3(a) to systems operating through support under the Crime Control Act included agencies receiving any assistance funds and who operated an intelligence system or only those who received assistance funds for the specific purpose of funding the operation of an intelligence system.
Appendix D: Consumer and Credit Data Privacy Laws
471
Response: The regulation applies to grantees and subgrantees who receive and use the Crime Control Act funds to fund the operation of an intelligence system.
Comment: Another commentor asked whether the purchase of software and office equipment or the payment of staff salaries for a criminal intel igence system would constitute operating through support under the Crime Control Act.
Response: Any direct Crime Control Act fund support that contributes to the operation of a criminal intelligence system would subject the system to the operation of the policy standards during the period of fund support.
Comment: A third commentor inquired whether an agency’s purchase of a telephone pen register or computer equipment to store and analyze pen register information would subject the agency or its information systems to the regulation.
Response: No. Neither a pen register nor equipment to analyze telephone toll information falls under the definition of a criminal intelligence system even though it may assist an agency to produce investigative or other information for an intelligence system.
Applicability: Section 23.3(b) Comment: Several commentors questioned whether information systems that are designed to collect information on
criminal suspects for purposes of inquiry and analysis and that provide for dissemination of such information qualify as criminal intel igence systems.
One pointed out that the information qualifying for system submission could not be unconfirmed or soft intelligence. Rather, it would generally have to be investigative file-based information to meet the reasonable suspicion test.
Response: The character of an information system as a criminal intelligence system does not depend upon the source or categorization of the
underlying information as raw or soft intelligence, preliminary investigation information, or investigative information, findings, or determi-
nations. It depends upon the purpose for which the information system
exists and the type of information it contains. If the purpose of the system is to collect and share information with other law enforcement agencies on individual
s reasonably suspected of involvement in criminal activity, and the information is identifying or descriptive information about the individual and the suspected criminal activity, then the system is a criminal intelligence system for purposes of the regulation. Only those criminal
intelligence systems that receive, store, and provide for the interagency exchange and analysis of criminal intelligence information in a manner
consistent with this regulation are eligible for funding support with Crime Control Act funds.
472
Appendix D: Consumer and Credit Data Privacy Laws
Comment: One respondent asked whether the definition of criminal intelligence system covered CHRI systems, fugitive files, or other want- or warrant-based information systems.
Response: No. A CHRI system contains information collected on arrests, detention, indictments, informations or other charges, dispositions, sentencing, correctional supervision, and release. It encompasses systems designed to collect, process, preserve, or disseminate such information.
CHRI is factual, historical, and objective information, which provides a
criminal justice system profile of an individual’s past and present involvement in the criminal justice system. A fugitive file is designed to provide factual information to assist in the arrest of individuals for whom there is an outstanding want or warrant. Criminal intel igence information, by contrast, is both factual and conjectural (reasonable suspicion), current and subjective. It is intended for law enforcement use only, to provide law enforcement officers and agencies with useful information on criminal suspects and to foster interagency coordination and cooperation. A criminal intel igence system can have CHRI in it as an identifier, but a CHRI system would not contain the suspected criminal activity information contained in a criminal intel igence system.
This distinction provides the basis for the limitations on criminal intelligence systems set forth in the operating policies. Because criminal intelligence information is both conjectural and subjective in nature, may
be widely disseminated through the interagency exchange of information,
and cannot be accessed by criminal suspects to verify that the information is accurate and complete, the protections and limitations set forth in the regulation are necessary to protect the privacy interests of the subjects and potential subjects of a criminal intelligence system.
Comment: Another commentor asked whether a law enforcement agen-
cy’s criminal intelligence information unit, located at headquarters, which authorizes no outside access to information in its intelligence system, would be subject to the regulation.
Response: No. The sharing of investigative or general file information on criminal subjects within an agency is a practice that takes place on a daily basis and is necessary for the efficient and effective operation of a law enforcement agency. Consequently, whether such a system is described as a case management or intelligence system, the regulation is not intended to apply to the exchange or sharing of such information when it takes place within a single law enforcement agency or organizational entity. For these purposes, an operational multijurisdictional task force would be considered a single organizational entity provided that it is established by and operates under a written memorandum of understanding or interagency agreement. The definition of
criminal intel igence system has been modified to clarify this point. However,
Appendix D: Consumer and Credit Data Privacy Laws
473
if a single agency or entity system provides access to system information to outside agencies on an inquiry or request basis, as a matter of either policy or practice, the system would qualify as a criminal intelligence system and be subject to the regulation.
Comment: A commentor questioned whether the proposed exclusion of analytical information and work products from the definition of intel igence system was intended to exclude all dissemination of analytical results from coverage under the regulation.
Response: No. The exceptions in the proposed definition of intel igence system of modus operandi files, historical telephone toll files, and analytical information and work products are potentially confusing. The exceptions reflect types of data that may or may not qualify as criminal intel igence information depending on particular facts and circumstances. Consequently, these exceptions have been deleted from the definition of intel igence system in the final rule. For example, analytical information and work products that are derived from unevaluated or bulk data (i.e., information that has not been tested to determine that it meets intelligence system submission criteria) are not intelligence information if they are returned to the submitting agency. This information and its products cannot be retained, stored, or made available for dissemination in an intelligence system unless and until the information has been evaluated and determined to meet system submission criteria. The proposed definition of analytical information and work products in Section 23.3(b) has also been deleted.
To address the aforementioned issues, the definition of intel igence system has been modified to define a criminal intel igence system or intel igence system to mean “the arrangements, equipment, facilities, and procedures used for the receipt, storage, interagency exchange or dissemination, and analysis of criminal intelligence information.”
Comment: Several commentors raised questions regarding the concept of evaluated data in the definition of criminal intel igence information, requesting guidance on what criteria to use in evaluating data. Another questioned whether there needed to be an active investigation as the basis for information to fall within the definition and whether information on an individual who or organization that is not the primary subject or target of an investigation or other data source, for example, a criminal associate or coconspirator, can qualify as criminal intel igence information.
Response: The definition of criminal intel igence information has been revised to reflect that data are evaluated for two purposes related to criminal intelligence system submissions: (1) to determine that it is relevant in identifying a criminal suspect and the criminal activity involved and (2) to determine that the data meet criminal intelligence system submission criteria, including
474
Appendix D: Consumer and Credit Data Privacy Laws
reasonable suspicion of involvement in criminal activity. As rewritten,
there is no requirement that an active investigation is necessary. Further, the revised language makes it clear that individuals or organizations that are not primary subjects or targets can be identified in the criminal intelligence information, provided that they independently meet system submission
criteria.
Comment: One commentor requested clarification of the role of the project in the operation of an intelligence system, that is, is the project required to have physical control (possession) of the information in an intelligence system or will authority over the system (operational control) suffice?
Response: Operational control over an intelligence system’s intelligence information is sufficient. The regulation seeks to establish a single locus of authority and responsibility for system information. Once that principle is established, the regulation permits, for example, the establishment of remote (off-premises) databases that meet applicable security requirements.
Operating Principles: Section 23.20(c) Comment: One respondent took the position that reasonable suspicion, as defined in Section 23.20(c), is not necessary to the protection of individual privacy and constitutional rights, suggesting instead that information in a funded intel igence system need only be necessary and relevant to an agency’s lawful purposes.
Response: While it is agreed that the standard suggested is appropriate for investigative or other information files maintained for use by or within an agency, the potential for national dissemination of information in intelligence information systems, coupled with the lack of access by subjects to chal enge the information, justifies the reasonable suspicion standard a
s well as other operating principle restrictions set forth in this regulation. Also, the quality and utility of hits in an information system are enhanced by the reasonable suspicion requirement. Scarce resources are not wasted by agencies in coordinating information on subjects for whom information is vague, incomplete, and conjectural.
Comment: The prior commentor also criticized the proposed definition of reasonable suspicion for its specific reference to an investigative file as the source of intelligence system information, the potential inconsistency between the concepts of infer and conclude as standards for determining whether reasonable suspicion is justified by the information available and the use of reasonable possibility rather than articulable or sufficient facts as the operative standard to conclude that reasonable suspicion exists.
Response: The reference to an investigative file as the information source has been broadened to encompass any information source. The information
available must provide a basis for the submitter to believe there is a reasonable possibility of the subject’s involvement in the criminal activity or enterprise.
Appendix D: Consumer and Credit Data Privacy Laws
475
The concept of a basis to believe requires reasoning and logic coupled with sound judgment based on experience in law enforcement rather than a
mere hunch, whim, or guess. The belief that is formed that there is a reasonable possibility of criminal involvement has been retained because the proposed standard is appropriately less restrictive than that which is required to establish probable cause.
Operating Principles: Section 23.20(d) Comment: Section 23.20(d) prohibits the inclusion in an intelligence system of information obtained in violation of federal, state, or local law or ordinance. Would a project be potentially liable for accepting, maintaining, and disseminating such information even if it did not know that the information was illegally obtained?
Response: In addition to protecting the rights of individuals and organizations that may be subjects in a criminal intel igence system, this prohibition serves to protect a project from liability for disseminating il egal y obtained information.
A clear project policy that prohibits the submission of il egal y obtained information, coupled with an examination of supporting information to determine that the information was obtained legal y or the delegation of such authority to a properly trained participating agency, and the establishment and performance of routine inspection and audit of participating agency records should be sufficient to shield a project from potential liability based on negligence in the performance of its intel igence information screening function.