by Unknown
implemented:
482
Appendix D: Consumer and Credit Data Privacy Laws
(1) Where appropriate, projects must adopt effective and techno-
logical y advanced computer software and hardware designs to
prevent unauthorized access to the information contained in the
system.
(2) The project must restrict access to its facilities, operating envi-
ronment, and documentation to organizations and personnel
authorized by the project.
(3) The project must store information in the system in a manner
such that it cannot be modified, destroyed, accessed, or purged
without authorization.
(4) The project must institute procedures to protect criminal intelli-
gence information from unauthorized access, theft, sabotage, fire,
flood, or other natural or manmade disaster.
(5) The project must promulgate rules and regulations based on
good cause for implementing its authority to screen, reject for
employment, transfer, or remove personnel authorized to have
direct access to the system.
(6) A project may authorize and utilize remote (off-premises) system
databases to the extent that they comply with these security
requirements.
(h) All projects shall adopt procedures to assure that all information, which is retained by a project, has relevancy and importance. Such procedures
shall provide for the periodic review of information and the destruc-
tion of any information that is misleading, obsolete, or otherwise unre-
liable and shall require that any recipient agencies be advised of such
changes, which involve errors or corrections. All information retained
as a result of this review must reflect the name of the reviewer, date of review, and explanation of decision to retain. Information retained in
the system must be reviewed and validated for continuing compliance
with system submission criteria before the expiration of its retention
period, which in no event shall be longer than 5 years.
(i) If funds awarded under the act are used to support the operation of
an intelligence system, then
(1) No project shall make direct remote terminal access to intel-
ligence information available to system participants, except as
specifically approved by the OJP based on a determination that
the system has adequate policies and procedures in place to
ensure that it is accessible only to authorized system users
(2) A project shall undertake no major modifications to system
design without prior grantor agency approval
(j) A project shall notify the grantor agency prior to initiation of formal information exchange procedures with any federal, state, regional,
Appendix D: Consumer and Credit Data Privacy Laws
483
or other information systems not indicated in the grant documents
as initially approved at time of award.
(k) A project shall make assurances that there will be no purchase or use in the course of the project of any electronic, mechanical, or other
device for surveil ance purposes that is in violation of the provi-
sions of the Electronic Communications Privacy Act of 1986; Public
Law 99-508; 18 U.S.C. 2510-2520, 2701-2709, and 3121-3125; or any
applicable state statute related to wiretapping and surveil ance.
(l) A project shall make assurances that there will be no harassment
or interference with any lawful political activities as part of the
intelligence operation.
(m) A project shall adopt sanctions for unauthorized access, utilization, or disclosure of information contained in the system.
(n) A participating agency of an interjurisdictional intelligence system must maintain in its agency files information that documents each
submission to the system and supports compliance with project
entry criteria. Participating agency files supporting system submis-
sions must be made available for reasonable audit and inspection by
project representatives. Project representatives will conduct partici-
pating agency inspection and audit in such a manner so as to protect
the confidentiality and sensitivity of participating agency intelli-
gence records.
(o) The attorney general or designee may waive, in whole or in part, the applicability of a particular requirement or requirements contained in
this part with respect to a criminal intelligence system, or for a class
of submitters or users of such system, upon a clear and convincing
showing that such waiver would enhance the collection, maintenance,
or dissemination of information in the criminal intelligence system
while ensuring that such system would not be utilized in violation of
the privacy and constitutional rights of individuals or any applicable
state or federal law.
§ 23.30 Funding Guidelines The following funding guidelines shall apply to all Crime Control Act–funded discretionary assistance awards and BJA formula grant program subgrants, the purpose of which is to support the operation of an intelligence system. Intelligence systems shall only be funded where a grantee/subgrantee agrees to adhere to the principles set forth previously and the project meets the following criteria:
(a) The proposed collection and exchange of criminal intelligence infor-
mation have been coordinated with and will support ongoing or
proposed investigatory or prosecutorial activities relating to specific
areas of criminal activity.
484
Appendix D: Consumer and Credit Data Privacy Laws
(b) The areas of criminal activity for which intelligence information is to be utilized represent a significant and recognized threat to the
population and
(1) Are either undertaken for the purpose of seeking illegal power or
profits or pose a threat to the life and property of citizens
(2) Involve a significant degree of permanent criminal organization
(3) Are not limited to one jurisdiction
(c) The head of a government agency or an individual with general
policy-making authority who has been expressly delegated such
control and supervision by the head of the agency will retain con-
trol and supervision of information collection and dissemination for
the criminal intelligence system. This official shall certify in writing
that he or she takes full responsibility and will be accountable for the
information maintained by and disseminated from the system and
that the operation of the system will be in compliance with the prin-
ciples set forth in § 23.20.
(d) Where the system is an interjurisdictional criminal intelligence system, the governmental agency, which exercises control and supervision over
the operation of the system, shall require that the head of that agency
or an individual with general policy-making authority who has been
expressly delegated such control and supervision by the head of the agency (1) Assume official responsibility and accountability for actions
taken in the name of the joint entity
(2) Certify in writing that the official takes full responsibility and
will be accountable for ensuring that the information transmitted
to the interjurisdictional system or to participating agencies will
be in compliance with the principles set forth in § 23.20
The principles set forth in § 23.20 shall be made part of the b
y-laws or operating procedures for that system. Each participating agency, as a condition of participation, must accept in writing those principles that govern the submission, maintenance, and dissemination of information included as part of the interjurisdictional system.
(e) Intelligence information will be collected, maintained, and dissemi-
nated primarily for state and local law enforcement efforts, including
efforts involving federal participation.
§ 23.40 Monitoring and Auditing of Grants for the Funding of Intel igence Systems
(a) Awards for the funding of intelligence systems will receive special-
ized monitoring and audit in accordance with a plan designed to
ensure compliance with operating principles as set forth in § 23.20.
The plan shall be approved prior to award of funds.
Appendix D: Consumer and Credit Data Privacy Laws
485
(b) All such awards shall be subject to a special condition requiring
compliance with the principles set forth in § 23.20.
(c) An annual notice will be published by OJP that will indicate the
existence and the objective of all systems for the continuing inter-
jurisdictional exchange of criminal intelligence information, which
are subject to the 28 C.F.R. Part 23 Criminal Intelligence Systems
Policies.
Laurie Robinson, Acting Assistant Attorney General, Office of Justice
Programs (FR Doc. 93-22614 Filed 9-15-93; 8:45 a.m.)
1998 Policy Clarification
Agency: BJA, OJP, Justice
Action: Clarification of policy
Summary: The current policy governing the entry of identifying information into criminal intelligence sharing systems requires clarification. This policy clarification is to make clear that the entry of individuals, entities and organizations, and locations that do not otherwise meet the requirements of reasonable suspicion is appropriate when it is done solely for the purposes of criminal identification or is germane to the criminal subject’s criminal activity. Further, the definition of criminal intel igence system is clarified.
Effective date: This clarification is effective on December 30, 1998.
For further information, contact: Paul Kendall, General Counsel, Office of Justice Programs, 810 7th Street NW, Washington, DC, 20531, (202) 307-6235.
Supplementary information: The operation of criminal intelligence information systems is governed by 28 C.F.R. Part 23. This regulation was written both to protect the privacy rights of individuals and to encourage and expedite the exchange of criminal intelligence information between and among
law enforcement agencies of different jurisdictions. Frequent interpretations of the regulation, in the form of policy guidance and correspondence, have been the primary method of ensuring that advances in technology did not
hamper its effectiveness.
Comments
The clarification was opened to public comment. Comments expressing unre-
served support for the clarification were received from two RISS and five states.
A comment from the chairperson of a RISS, relating to the use of identifying information to begin new investigations, has been incorporated. A single negative comment was received, but was not addressed to the subject of this clarification.
486
Appendix D: Consumer and Credit Data Privacy Laws
Use of Identifying Information
28 C.F.R. 23.3(b)(3) states that criminal intelligence information that can be put into a criminal intelligence sharing system is “information relevant to the identification of and the criminal activity engaged in by an individual who or organization which is reasonably suspected of involvement in criminal activity, and… meets criminal intelligence system submission criteria.”
Further, 28 C.F.R. 23.20(a) states that a system shall only collect information on an individual if “there is reasonable suspicion that the individual is involved in criminal conduct or activity and the information is relevant to that criminal conduct or activity.” 28 C.F.R. 23.20(b) extends that limitation to [page 71753] collecting information on groups and corporate entities.
In an effort to protect individuals and organizations from the possible
taint of having their names in intelligence systems (as defined at 28 C.F.R.
Section 23.3(b)(1)), the OJP has previously interpreted this section to allow information to be placed in a system only if that information independently meets the requirements of the regulation. Information that might be vital to identifying potential criminals, such as favored locations and companions or names of family members, has been excluded from the systems. This policy has hampered the effectiveness of many criminal intelligence sharing systems.
Given the swiftly changing nature of modern technology and the expan-
sion of the size and complexity of criminal organizations, the BJA has determined that it is necessary to clarify this element of 28 C.F.R. Part 23. Many criminal intelligence databases are now employing “Comment” or “Modus
Operandi” fields whose value would be greatly enhanced by the ability to
store more detailed and wide-ranging identifying information. This may
include names and limited data about people and organizations that are not suspected of any criminal activity or involvement but merely aid in the identification and investigation of a criminal suspect who independently satisfies the reasonable suspicion standard.
Therefore, BJA issues the fol owing clarification to the rules applying to the use of identifying information. Information that is relevant to the identification of a criminal suspect or to the criminal activity in which the suspect is engaged may be placed in a criminal intel igence database, provided that (1) appropriate disclaimers accompany the information noting that is strictly identifying information, carrying no criminal connotations; (2) identifying information may not be used as an independent basis to meet the requirement of reasonable suspicion of involvement in criminal activity necessary to create a record or file in a criminal intel igence system; and (3) the individual who is the criminal suspect identified by this information otherwise meets all requirements of 28 C.F.R. Part 23.
This information may be a searchable field in the intel igence system.
For example, a person reasonably suspected of being a drug dealer is
known to conduct his criminal activities at the fictional “Northwest Market.”
Appendix D: Consumer and Credit Data Privacy Laws
487
An agency may wish to note this information in a criminal intel igence database, as it may be important to future identification of the suspect. Under the previous interpretation of the regulation, the entry of “Northwest Market” would not be permitted, because there was no reasonable suspicion that the “Northwest Market” was a criminal organization. Given the current clarification of the regulation, this will be permissible, provided that the information regarding the “Northwest Market” was clearly noted to be noncriminal in nature.
For example, the data field in which “Northwest Market” was entered could be marked “non–criminal identifying information,” or the words “Northwest Market” could be fol owed by a parenthetical comment such as “This organization has been entered into the system for identification purposes only - it is not suspected of any criminal activity or involvement.” A criminal intel igence system record or file could not be created for “Northwest Market” solely on the basis of information provided, for example, in a comment field on the suspected drug dealer. Independent information would have to be obtained as a basis for the opening of a new criminal intel igence file or record based on reasonable suspicion on “Northwest Market.” Further, the fact that other individuals frequent “Northwest Market” would not necessarily establish reasonable suspicion for those other individuals, as it relates to criminal intel igence systems.
Definition of a Crim
inal Intelligence System
The definition of a criminal intel igence system is given in 28 C.F.R. 23.3(b) (1) as the “arrangements, equipment, facilities, and procedures used for
the receipt, storage, interagency exchange or dissemination, and analysis of criminal intelligence information….” Given the fact that cross-database searching techniques are now commonplace and that multiple databases may
be contained on the same computer system, BJA has determined that this
definition needs clarification, specifically to differentiate between criminal intelligence systems and nonintelligence systems.
The comments to the 1993 revision of 28 C.F.R. Part 23 noted that
“the term ‘intelligence system’ is redefined to clarify the fact that historical telephone toll files, analytical information, and work products that are not either retained, stored, or exchanged and criminal history record information or identification (fingerprint) systems are excluded from the definition, and hence are not covered by the regulation…” 58 FR 48448–48449
(September 16, 1993). The comments further noted that materials that “may assist an agency to produce investigative or other information for an intelligence system…” do not necessarily fall under the regulation. Id.
The aforementioned rationale for the exclusion of nonintelligence infor-
mation sources from the definition of criminal intel igence system suggests now that, given the availability of more modern nonintelligence information sources such as the Internet, newspapers, motor vehicle administration
488
Appendix D: Consumer and Credit Data Privacy Laws
records, and other public record information online, such sources shall not be considered part of criminal intelligence systems and shall not be covered by this regulation, even if criminal intelligence systems access such sources during searches on criminal suspects. Therefore, criminal intelligence systems may conduct searches across the spectrum of nonintelligence systems
without those systems being brought under 28 C.F.R. Part 23. There is also no limitation on such nonintelligence information being stored on the same computer system as criminal intelligence information, provided that sufficient precautions are in place to separate the two types of information and to make it clear to operators and users of the information that two different types of information are being accessed.