Operating Principles: Section 23.20(h) Comment: One commentor requested clarification of the periodic review requirement in Section 23.20(h) and what constitutes an explanation of decision to retain information.
Response: The periodic review requirement is designed to ensure that system information is accurate and as up-to-date as reasonably possible. When a review has occurred, the record is appropriately updated and notated. The explanation of decision to retain can be a variety of reasons including active investigation, preliminary review in progress, and subject believed still active in jurisdiction. When information has been reviewed or updated and a determination made that it continues to meet system submission criteria, the information has been validated and begins a new retention period. The regulation limits the retention period to a maximum of 5 years without a review and validation of the information.
Appendix D: Consumer and Credit Data Privacy Laws
Operating Principles: Section 23.20(i) Comment: One commentor requested a definition of remote terminal and asked how OJP would determine whether adequate policies and procedures are in place to ensure the continued integrity of a criminal intelligence system.
Response: A remote terminal is hardware that enables a participating agency to input into or access information from a project’s criminal intelligence database without the intervention of project staff. While the security requirements set forth in Section 23.20(g)(1)–(5) should minimize the threat to system integrity from unauthorized access to and the use of system information, special measures are called for when direct remote terminal access is authorized.
The OJP will expect any request for approval of remote terminal access to include information on the following system protection measures:
1. Procedures for identification of authorized remote terminals and security of terminals
2. Authorized access officer (remote terminal operator) identification and verification procedures
3. Provisions for the levels of dissemination of information as directed by the submitting agency
4. Provisions for the rejection of submissions unless critical data fields are completed
5. Technological safeguards on system access, use, dissemination, and review and purge
6. Physical security of the system
7. Training and certification of system-participating agency personnel
8. Provisions for the audit of system-participating agencies, to include file data supporting submissions to the system, security of access terminals, and policy and procedure compliance
9. Documentation for audit trails of the entire system operation
Moreover, a waiver provision has been added to ensure flexibility in adapting quickly to technological and legal changes, which may impact any of the requirements contained in this regulation (see Section 23.20(o)).
Comment: Related to the aforementioned discussion, another commentor asked whether restrictions on direct remote terminal access would prohibit remote access to an index of information in the system.
Response: Yes. The ability to obtain all information directly from a criminal intelligence system through the use of hardware based outside the system constitutes direct remote terminal access contrary to the provisions of Section 23.20(i)(1), except as specifically approved by OJP. Thus, a hit/no-hit response, if gleaned from an index, would bring a remote terminal within the scope of the requirement for OJP approval of direct remote terminal access.
Comment: One commentor pointed out that the requirement for prior OJP approval of modifications to system design was overly broad and could be read to require that even minor changes be submitted for approval. The commentor proposed a substitute that would limit the requirement to those modifications that alter the system’s identified goals in a way contrary to the requirements of this regulation.
Response: While it is agreed that the language is broad, the proposed limitation is too restrictive. The intent was that modifications to system design refer to major changes to the system, such as the nature of the information collected, the place or method of information storage, the authorized uses of information in the system, and the provisions for access to system information by authorized participating agencies. This clarification has been incorporated in the regulation. In order to decentralize responsibility for approval of system design modifications, the proposed regulation has been revised to provide for approval of such modifications by the grantor agency rather than OJP. A similar change has been made to Section 23.20(j).
Operating Principles: Section 23.20(n) Comment: Several commentors expressed concern with the verification procedures set forth in Section 23.20(n). One suggested that file information cannot verify the correctness of submissions but instead serves to document or substantiate its correctness.
Another proposed deleting the requirements that (1) files maintained by participating agencies to support system submissions be subject to the operating principles and (2) participating agencies are authorized to maintain such files separately from other agency files. The first requirement conflicts with the normal investigative procedures of a law enforcement agency in that all information in agency source files cannot meet the operating principles, particularly the reasonable suspicion and relevancy requirements. The important principle is that the information, which is gleaned from an agency’s source files and submitted to the system, meets the operating principles. The second requirement has no practical value. At most, it results in the creation of duplicative files or in submission information being segregated from source files.
Response: OJP agrees with both comments. The word documents has been substituted for verifies, and the provisions subjecting participating agency source files to the operating principles and authorizing maintenance of separate files have been deleted. Projects should use their audit and inspection access to agency source files to document the correctness of participating agency submissions on a sample basis.
Funding Guidelines: Section 23.30(b) Comment: One commentor asked: Who defines the areas of criminal activity that represent a significant and recognized threat to the population?
Response: The determination of areas of criminal activity focus and priority is a matter for projects, project policy boards, and member agencies to determine, provided that the additional regulatory requirements set forth in Section 23.30(b) are met.
Monitoring and Auditing of Grants: Section 23.40(a) Comment: One commentor asked: Who is responsible for developing the specialized monitoring and audit of awards for intelligence systems to ensure compliance with the operating principles?
Response: The grantor agency (the agency awarding a subgrant to support an intelligence system) shall establish and approve a plan for specialized monitoring and audit of subawards prior to award. For the BJA Formula Grant Program, the state agency receiving the award from BJA is the grantor agency. Technical assistance and support in establishing a monitoring and audit plan is available through BJA.
Information on Juveniles Comment: Can intelligence information pertaining to a juvenile who otherwise meets criminal intelligence system submission criteria be entered into an intelligence database?
Response: There is no limitation or restriction on entering intelligence information on juvenile subjects set forth in federal law or regulation. However, state law may restrict or prohibit the maintenance or dissemination of such information by its law enforcement agencies. Therefore, state laws should be carefully reviewed to determine their impact on this practice and appropriate project policies adopted.
Executive Order 12291
These regulations are not a major rule as defined by Section 1(b) of Executive Order No. 12291, 3 C.F.R. Part 127 (1981), because they do not result in (a) an effect on the economy of $100 million or more, (b) a major increase in any costs or prices, or (c) adverse effects on competition, employment, investment, productivity, or innovation among American enterprises.
Regulatory Flexibility Act
These regulations are not a rule within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601-612. These regulations, if promulgated, will not have a significant economic impact on a substantial number of small entities, as defined by the Regulatory Flexibility Act.
Paperwork Reduction Act
There are no collection of information requirements contained in the proposed regulation.
List of Subjects in 28 C.F.R. Part 23
Administrative practice and procedure, grant programs, intelligence, law enforcement.
For the reasons set out in the preamble, Title 28, Part 23, of the Code of Federal Regulations is revised to read as follows:
Part 23: Criminal Intelligence Systems Operating Policies
Section
23.1 Purpose
23.2 Background
23.3 Applicability
23.20 Operating Principles
23.30 Funding Guidelines
23.40 Monitoring and Auditing of Grants for the Funding of Intelligence Systems
Authority: 42 U.S.C. 3782(a); 42 U.S.C. 3789g(c)
§ 23.1 Purpose
The purpose of this regulation is to assure that all criminal intelligence systems operating through support under the Omnibus Crime Control and Safe Streets Act of 1968, 42 U.S.C. 3711, et seq., as amended (Pub. L. 90-351, as amended by Pub. L. 91-644, Pub. L. 93-83, Pub. L. 93-415, Pub. L. 94-430, Pub. L. 94-503, Pub. L. 95-115, Pub. L. 96-157, Pub. L. 98-473, Pub. L. 99-570, Pub. L. 100-690, and Pub. L. 101-647), are utilized in conformance with the privacy and constitutional rights of individuals.
§ 23.2 Background
It is recognized that certain criminal activities including, but not limited to, loan sharking, drug trafficking, trafficking in stolen property, gambling, extortion, smuggling, bribery, and corruption of public officials often involve some degree of regular coordination and permanent organization involving a large number of participants over a broad geographical area. The exposure of such ongoing networks of criminal activity can be aided by the pooling of information about such activities. However, because the collection and exchange of intelligence data necessary to support control of serious criminal activity may represent potential threats to the privacy of individuals to whom such data relate, policy guidelines for federally funded projects are required.
§ 23.3 Applicability
(a) These policy standards are applicable to all criminal intelligence systems operating through support under the Omnibus Crime Control and Safe Streets Act of 1968, 42 U.S.C. 3711, et seq., as amended (Pub. L. 90-351, as amended by Pub. L. 91-644, Pub. L. 93-83, Pub. L. 93-415, Pub. L. 94-430, Pub. L. 94-503, Pub. L. 95-115, Pub. L. 96-157, Pub. L. 98-473, Pub. L. 99-570, Pub. L. 100-690, and Pub. L. 101-647).
(b) As used in these policies,
(1) criminal intelligence system or intelligence system means the arrangements, equipment, facilities, and procedures used for the receipt, storage, interagency exchange or dissemination, and analysis of criminal intelligence information;
(2) interjurisdictional intelligence system means an intelligence system that involves two or more participating agencies representing different governmental units or jurisdictions;
(3) criminal intelligence information means data that have been evaluated to determine that it (i) is relevant to the identification of and the criminal activity engaged in by an individual who or organization that is reasonably suspected of involvement in criminal activity and (ii) meets criminal intelligence system submission criteria;
(4) participating agency means an agency of local, county, state, federal, or other governmental unit, which exercises law enforcement or criminal investigation authority and which is authorized to submit and receive criminal intelligence information through an interjurisdictional intelligence system (a participating agency may be a member or a nonmember of an interjurisdictional intelligence system);
(5) intelligence project or project means the organizational unit that operates an intelligence system on behalf of and for the benefit of a single agency or the organization that operates an interjurisdictional intelligence system on behalf of a group of participating agencies; and
(6) validation of information means the procedures governing the periodic review of criminal intelligence information to assure its continuing compliance with system submission criteria established by regulation or program policy.
§ 23.20 Operating Principles
(a) A project shall collect and maintain criminal intelligence information concerning an individual only if there is reasonable suspicion that the individual is involved in criminal conduct or activity and the information is relevant to that criminal conduct or activity.
(b) A project shall not collect or maintain criminal intelligence information about the political, religious, or social views, associations, or activities of any individual or any group, association, corporation, business, partnership, or other organization unless such information directly relates to criminal conduct or activity and there is reasonable suspicion that the subject of the information is or may be involved in criminal conduct or activity.
(c) Reasonable suspicion or criminal predicate is established when information exists, which establishes sufficient facts to give a trained law enforcement or criminal investigative agency officer, investigator, or employee a basis to believe that there is a reasonable possibility that an individual or organization is involved in a definable criminal activity or enterprise. In an interjurisdictional intelligence system, the project is responsible for establishing the existence of reasonable suspicion of criminal activity either through examination of supporting information submitted by a participating agency or by delegation of this responsibility to a properly trained participating agency, which is subject to routine inspection and audit procedures established by the project.
(d) A project shall not include in any criminal intelligence system information, which has been obtained in violation of any applicable federal, state, or local law or ordinance. In an interjurisdictional intelligence system, the project is responsible for establishing that no information is entered in violation of federal, state, or local laws, either through examination of supporting information submitted by a participating agency or by delegation of this responsibility to a properly trained participating agency, which is subject to routine inspection and audit procedures established by the project.
(e) A project or authorized recipient shall disseminate criminal intelligence information only where there is a need to know and a right to know the information in the performance of a law enforcement activity.
(f) (1) Except as noted in paragraph (f) (2) of this section, a project shall disseminate criminal intelligence information only to law enforcement authorities who shall agree to follow procedures regarding information receipt, maintenance, security, and dissemination, which are consistent with these principles.
(2) Paragraph (f) (1) of this section shall not limit the dissemination of an assessment of criminal intelligence information to a government official or to any other individual, when necessary, to avoid imminent danger to life or property.
(g) A project maintaining criminal intelligence information shall ensure that administrative, technical, and physical safeguards (including audit trails) are adopted to ensure against unauthorized access and against intentional or unintentional damage. A record indicating who has been given information, the reason for release of the information, and the date of each dissemination outside the project shall be kept. Information shall be labeled to indicate levels of sensitivity, levels of confidence, and the identity of submitting agencies and control officials. Each project must establish written definitions for the need to know and right to know standards for dissemination to other agencies as provided in paragraph (e) of this section. The project is responsible for establishing the existence of an inquirer’s need to know and right to know the information being requested either through inquiry or by delegation of this responsibility to a properly trained participating agency, which is subject to routine inspection and audit procedures established by the project. Each intelligence project shall assure that the following security requirements are