Book Read Free

Advanced Criminal Investigations and Intelligence Operations

Page 66

by Unknown


  Operating Principles: Section 23.20(h) Comment: One commentor requested clarification of the periodic review requirement in Section 23.20(h) and what constitutes an explanation of decision to retain information.

  Response: The periodic review requirement is designed to ensure that system information is accurate and as up-to-date as reasonably possible. When a review has occurred, the record is appropriately updated and notated. The explanation of decision to retain can be a variety of reasons including active investigation, preliminary review in progress, and subject believed still active in jurisdiction. When information that has been reviewed or updated and a determination made that it continues to meet system submission criteria, the information has been validated and begins a new retention period. The regulation limits the retention period to a maximum of 5 years without a review and validation of the information.

  Operating Principles: Section 23.20(i) Comment: One commentor requested a definition of remote terminal and asked how OJP would determine whether adequate policies and procedures are in place to ensure the continued integrity of a criminal intelligence system.

  Response: A remote terminal is hardware that enables a participating agency to input into or access information from a project’s criminal intelligence database

  476

  Appendix D: Consumer and Credit Data Privacy Laws

  without the intervention of project staff. While the security requirements set forth in Section 23.20(g)(1)–(5) should minimize the threat to system integrity from unauthorized access to and the use of system information, special measures are called for when direct remote terminal access is authorized.

  The OJP will expect any request for approval of remote terminal access to include information on the following system protection measures:

  1. Procedures for identification of authorized remote terminals and

  security of terminals

  2. Authorized access officer (remote terminal operator) identification

  and verification procedures

  3. Provisions for the levels of dissemination of information as directed

  by the submitting agency

  4. Provisions for the rejection of submissions unless critical data fields are completed

  5. Technological safeguards on system access, use, dissemination, and

  review and purge

  6. Physical security of the system

  7. Training and certification of system-participating agency personnel

  8. Provisions for the audit of system-participating agencies, to include

  file data supporting submissions to the system, security of access

  terminals, and policy and procedure compliance

  9. Documentation for audit trails of the entire system operation

  Moreover, a waiver provision has been added to ensure flexibility in

  adapting quickly to technological and legal changes, which may impact any of the requirements contained in this regulation (see Section 23.20(o)).

  Comment: Related to the aforementioned discussion, another commentor asked whether restrictions on direct remote terminal access would prohibit remote access to an index of information in the system.

  Response: Yes. The ability to obtain all information directly from a criminal intelligence system through the use of hardware based outside the system constitutes direct remote terminal access contrary to the provisions of Section 23.20(i)(1), except as specifical y approved by OJP. Thus, a hit/no-hit response, if gleaned from an index, would bring a remote terminal within

  the scope of the requirement for OJP approval of direct remote terminal

  access.

  Comment: One commentor pointed out that the requirement for prior OJP

  approval of modifications to system design was overly broad and could be read to require that even minor changes be submitted for approval. The

  commentor proposed a substitute that would limit the requirement to those

  Appendix D: Consumer and Credit Data Privacy Laws

  477

  modifications that alter the system’s identified goals in a way contrary to the requirements of this regulation.

  Response: While it is agreed that the language is broad, the proposed limitation is too restrictive. The intent was that modifications to system design refer to major changes to the system, such as the nature of the information collected, the place or method of information storage, the authorized uses of information in the system, and the provisions for access to system information by authorized participating agencies. This clarification has been incorporated in the regulation. In order to decentralize responsibility for approval of system design modifications, the proposed regulation has been revised to provide for approval of such modifications by the grantor agency rather than OJP. A similar change has been made to Section 23.20(j).

  Operating Principles: Section 23.20(n) Comment: Several commentors expressed concern with the verification procedures set forth in Section 23.20(n). One suggested that file information cannot verify the correctness of submissions but instead serves to document or substantiate its correctness.

  Another proposed deleting the requirements that (1) files maintained by participating agencies to support system submissions be subject to the operating principles and (2) participating agencies are authorized to maintain such files separately from other agency files. The first requirement conflicts with the normal investigative procedures of a law enforcement agency in that all information in agency source files cannot meet the operating principles, particularly the reasonable suspicion and relevancy requirements. The important principle is that the information, which is gleaned from an agency’s source files and submitted to the system, meets the operating principles. The second requirement has no practical value. At most, it results in the creation of duplicative files or in submission information being segregated from source files.

  Response: OJP agrees with both comments. The word documents has been substituted for verifies, and the provisions subjecting participating agency source files to the operating principles and authorizing maintenance of separate files have been deleted. Projects should use their audit and inspection access to agency source files to document the correctness of participating agency submissions on a sample basis.

  Funding Guidelines: Section 23.30(b) Comment: One commentor asked: Who defines the areas of criminal activity that represent a significant and recognized threat to the population?

  Response: The determination of areas of criminal activity focus and priority is a matter for projects, project policy boards, and member agencies to determine, provided that the additional regulatory requirements set forth in Section 23.30(b) are met.

  478

  Appendix D: Consumer and Credit Data Privacy Laws

  Monitoring and Auditing of Grants: Section 23.40(a) Comment: One commentor asked: Who is responsible for developing the specialized monitoring and audit of awards for intel igence systems to ensure compliance with the operating principles?

  Response: The grantor agency (the agency awarding a subgrant to support an intelligence system) shall establish and approve a plan for specialized monitoring and audit of subawards prior to award. For the BJA Formula Grant

  Program, the state agency receiving the award from BJA is the grantor

  agency. Technical assistance and support in establishing a monitoring and audit plan is available through BJA.

  Information on Juveniles Comment: Can intelligence information pertaining to a juvenile who otherwise meets criminal intelligence system submission criteria be entered into an intelligence database?

  Response: There is no limitation or restriction on entering intelligence information on juvenile subjects set forth in federal law or regulation. However, state law may restrict or prohibit the maintenance or dissemination of such information by its law enforcement agencies. Therefore, state laws should be carefully reviewed to determine their impact on this practice and appropriate project policies adopted.

  Exec
utive Order 12291

  These regulations are not a major rule as defined by Section 1(b) of Executive Order No. 12291, 3 C.F.R. Part 127 (1981), because they do not result in (a) an effect on the economy of $100 million or more, (b) a major increase in any costs or prices, or (c) adverse effects on competition, employment, investment, productivity, or innovation among American enterprises.

  Regulatory Flexibility Act

  These regulations are not a rule within the meaning of the Regulatory

  Flexibility Act, 5 U.S.C. 601-612. These regulations, if promulgated, will not have a significant economic impact on a substantial number of small entities, as defined by the Regulatory Flexibility Act.

  Paperwork Reduction Act

  There are no collection of information requirements contained in the pro-

  posed regulation.

  List of Subjects in 28 C.F.R. Part 23

  Administrative practice and procedure, grant programs, intelligence, law

  enforcement. For the reasons set out in the preamble, Title 28, Part 23, of the Code of Federal Regulations is revised to read as follows:

  Appendix D: Consumer and Credit Data Privacy Laws

  479

  Part 23: Criminal Intelligence Systems Operating Policies Section

  23.1. Purpose

  23.2. Background

  23.3. Applicability

  23.20 Operating Principles

  23.30 Funding Guidelines

  23.40 Monitoring and Auditing of Grants for the Funding of Intelligence

  Systems

  Authority: 42 U.S.C. 3782(a); 42 U.S.C. 3789g(c)

  § 23.1 Purpose The purpose of this regulation is to assure that all criminal intelligence systems operating through support under the Omnibus Crime

  Control and Safe Streets Act of 1968, 42 U.S.C. 3711, et seq., as amended (Pub. L. 90-351, as amended by Pub. L. 91-644, Pub. L. 93-83, Pub. L. 93-415, Pub. L. 94-430, Pub. L. 94-503, Pub. L. 95-115, Pub. L. 96-157, Pub. L. 98-473, Pub. L. 99-570, Pub. L. 100-690, and Pub. L. 101-647), are utilized in conformance with the privacy and constitutional rights of individuals.

  § 23.2 Background It is recognized that certain criminal activities including, but not limited to loan, sharking, drug trafficking, trafficking in stolen property, gambling, extortion, smuggling, bribery, and corruption of public officials often involve some degree of regular coordination and permanent organization involving a large number of participants over a broad geographical area. The exposure of such ongoing networks of criminal activity can be aided by the pooling of information about such activities. However, because the collection and exchange of intelligence data necessary to support control of serious criminal activity may represent potential threats to the privacy of individuals to whom such data relate, policy guidelines for federally funded projects are required.

  § 23.3 Applicability

  (a) These policy standards are applicable to all criminal intel igence systems operating through support under the Omnibus Crime Control and

  Safe Streets Act of 1968, 42 U.S.C. 3711, et seq., as amended (Pub. L.

  90-351, as amended by Pub. L. 91-644, Pub. L. 93-83, Pub. L. 93-415,

  Pub. L. 94-430, Pub. L. 94-503, Pub. L. 95-115, Pub. L. 96-157, Pub. L.

  98-473, Pub. L. 99-570, Pub. L. 100-690, and Pub. L. 101-647).

  (b) As used in these policies, (1) criminal intel igence system or intelligence system means the arrangements, equipment, facilities, and procedures used for the receipt, storage, interagency exchange or

  dissemination, and analysis of criminal intelligence information;

  (2) interjurisdictional intel igence system means an intelligence system that involves two or more participating agencies representing

  480

  Appendix D: Consumer and Credit Data Privacy Laws

  different governmental units or jurisdictions; (3) criminal intel i-

  gence information means data that have been evaluated to determine that it (i) is relevant to the identification of and the criminal activity engaged in by an individual who or organization that is reasonably

  suspected of involvement in criminal activity and (ii) meets crimi-

  nal intelligence system submission criteria; (4) participating agency means an agency of local, county, state, federal, or other governmental unit, which exercises law enforcement or criminal investigation

  authority and which is authorized to submit and receive criminal

  intelligence information through an interjurisdictional intelligence

  system (a participating agency may be a member or a nonmember of

  an interjurisdictional intelligence system); (5) intelligence project or project means the organizational unit that operates an intelligence system on behalf of and for the benefit of a single agency or the

  organization that operates an interjurisdictional intelligence system

  on behalf of a group of participating agencies; and (6) validation of information means the procedures governing the periodic review of criminal intelligence information to assure its continuing compliance with system submission criteria established by regulation or

  program policy.

  § 23.20 Operating Principles

  (a) A project shall col ect and maintain criminal intel igence information concerning an individual only if there is reasonable suspicion that

  the individual is involved in criminal conduct or activity and the

  information is relevant to that criminal conduct or activity.

  (b) A project shall not collect or maintain criminal intelligence infor-

  mation about the political, religious, or social views, associations, or

  activities of any individual or any group, association, corporation,

  business, partnership, or other organization unless such informa-

  tion directly relates to criminal conduct or activity and there is rea-

  sonable suspicion that the subject of the information is or may be

  involved in criminal conduct or activity.

  (c) Reasonable suspicion or criminal predicate is established when information exists, which establishes sufficient facts to give a

  trained law enforcement or criminal investigative agency officer,

  investigator, or employee a basis to believe that there is a reason-

  able possibility that an individual or organization is involved in

  a definable criminal activity or enterprise. In an interjurisdic-

  tional intelligence system, the project is responsible for establish-

  ing the existence of reasonable suspicion of criminal activity either

  through examination of supporting information submitted by a

  participating agency or by delegation of this responsibility to a

  Appendix D: Consumer and Credit Data Privacy Laws

  481

  properly trained participating agency, which is subject to routine

  inspection and audit procedures established by the project.

  (d) A project shall not include in any criminal intelligence sys-

  tem information, which has been obtained in violation of any

  applicable federal, state, or local law or ordinance. In an inter-

  jurisdictional intelligence system, the project is responsible for

  establishing that no information is entered in violation of federal,

  state, or local laws, either through examination of supporting

  information submitted by a participating agency or by delegation

  of this responsibility to a properly trained participating agency,

  which is subject to routine inspection and audit procedures estab-

  lished by the project.

  (e) A project or authorized recipient shall disseminate criminal intel-

  ligence information only where there is a need to know and a right

  to know the information in the performance of a law enforcement

  activity.

  (f) (1) Except as
noted in paragraph (f) (2) of this section, a project shall disseminate criminal intelligence information only to law

  enforcement authorities who shall agree to follow procedures

  regarding information receipt, maintenance, security, and dis-

  semination, which are consistent with these principles.

  (2) Paragraph (f) (1) of this section shall not limit the dissemina-

  tion of an assessment of criminal intelligence information to a

  government official or to any other individual, when necessary,

  to avoid imminent danger to life or property.

  (g) A project maintaining criminal intelligence information shall ensure that administrative, technical, and physical safeguards (including

  audit trails) are adopted to ensure against unauthorized access and

  against intentional or unintentional damage. A record indicating

  who has been given information, the reason for release of the infor-

  mation, and the date of each dissemination outside the project shall

  be kept. Information shall be labeled to indicate levels of sensitiv-

  ity, levels of confidence, and the identity of submitting agencies and

  control officials. Each project must establish written definitions for

  the need to know and right to know standards for dissemination to

  other agencies as provided in paragraph (e) of this section. The proj-

  ect is responsible for establishing the existence of an inquirer’s need

  to know and right to know the information being requested either

  through inquiry or by delegation of this responsibility to a properly

  trained participating agency, which is subject to routine inspection

  and audit procedures established by the project. Each intelligence

  project shall assure that the following security requirements are

 

‹ Prev