Privacy Protections - SEARCH | The National Consortium … · 2016-10-17 · ... location and...

Privacy Protections Francis (Paco) X. Aumand III Division of Criminal Justice Services SEARCH Meeting November 2009



Regulated by law.
• Privacy principles have become incorporated into the legal requirements of our criminal history system.

Vermont Incident Based Reporting System CAD/RMS.
• 93% of the PD’s in the state use this system.
• In existence since 1992.

User agreement started in 1995.
• This agreement has evolved to include privacy principles.

Agency MOU’s in place since 2000.
• Also evolved to include privacy principles.


The system was developed long before there was thought given to the need to protect privacy.
• The protection of privacy has grown over time.

A privacy impact assessment is currently being developed.
• SEARCH’s form is being used, as it serves as an inventory for collecting information.

New System 2008
• Query tool for disparate CAD/RMS

Developed a Privacy Impact Assessment (PIA) at the beginning of system development.
• Used Federal Q & A format

Developed Privacy Policy.
• Used GLOBAL template


A PIA at the beginning of system development helps determine your business rules.
• Elimination of Social Security Numbers is an example.
• Pop-up windows cautioning against information use.

Helps to develop your privacy policy.

The exact form or format you use depends on you and on where your system is in development.

Development of privacy policy and concern for privacy is still way ahead of its time.

No silver bullet.
• Understand the privacy principles, and
• Just start.

Many resources are available.
• GLOBAL: http://it.ojp.gov/default.aspx?area=globalJustice&page=1238
• NGA: http://www.nga.org/portal/site/nga/menuitem.1f41d49be2d3d33eacdcbeeb501010a0/?vgnextoid=81239286d9de1010VgnVCM1000001a01010aRCRD
• SEARCH: http://www.search.org/
• OJP: http://it.ojp.gov/default.aspx?area=privacy


VJISSPRIVACYPOLICY08.DOC

Privacy Policy for the

VERMONT JUSTICE INFORMATION SHARING SYSTEM, (VJISS)

Law Enforcement Data Sharing Initiative

October 8, 2008

Francis X. Aumand III, Director, Division of Criminal Justice Services,

Vermont Department of Public Safety


A. System Description Section

A.1.00 STATEMENT OF PURPOSE

The goal of establishing the Vermont Justice Information Sharing System (VJISS) is to provide name, vehicle, location and incident location information from the different CAD/RM systems to criminal justice agencies to further the following purposes:

1) Investigative purposes;
2) Background information on law enforcement activity; and
3) To promote officer safety.

The system also provides the following benefits:

a. Increase public safety and improve national security;
b. Minimize the threat and risk of injury to specific individuals and the general public;
c. Minimize the threat and risk of injury to law enforcement and other first responder personnel;
d. Crime prevention purposes;
e. Minimize the threat and risk of damage to real or personal property;
f. Protect individual civil rights, civil liberties, and privacy rights and other protected interests;
g. Protect the integrity of the criminal investigatory, criminal intelligence, and justice system processes and information;
h. Support the role of the justice system in society;
i. Promote governmental legitimacy and accountability;
j. Not unduly burden the ongoing business of the justice system; and
k. Make the most effective use of public resources allocated to justice agencies.

A.2.00 COMPLIANCE WITH LAWS REGARDING PRIVACY, CIVIL RIGHTS, AND CIVIL LIBERTIES

a) The VIBRS Advisory Board, the Vermont Department of Public Safety, and all participating law enforcement and justice agencies, employees and users will comply with all laws protecting privacy, civil rights, and civil liberties in the collection, use, analysis, retention, destruction, sharing, and disclosure of information.

b) The VIBRS Advisory Board, the Vermont Department of Public Safety and all participating law enforcement agencies will adopt internal operating policies requiring compliance with all laws protecting privacy, civil rights, and civil liberties in the collection, use, analysis, retention, destruction, sharing, and disclosure of information in the system.


A.3.00 AGENCY TRANSPARENCY AND ACCOUNTABILITY

a) The existence of the VIBRS network and VJISS will be made public, and the system’s policies on protection of privacy, civil rights, and civil liberties will be made available to the public on request and through any public web sites providing information about the system.

b) The VIBRS Advisory Board and the Vermont Department of Public Safety will adopt provisions to ensure accountability for compliance with all applicable laws in the collection, use, analysis, retention, destruction, sharing, and disclosure of information.

A.4.00 Vermont Justice Information Sharing System (VJISS) Defined

The Vermont Justice Information Sharing System has two components.

a) First, it is a query tool that searches the computer aided dispatch and records management systems of Vermont police agencies. The system queries name records, vehicle records, incident locations and incident numbers. It is a federated searching system, which means that VJISS only provides a look into the contributing CAD/RM systems and does not store information in a database. This allows agencies to keep control over their systems and provides for real-time searching of information.

b) Second, there is a separate server that captures the name records, vehicle records, incident locations and incident numbers from the CAD/RM systems of contributing agencies. This database will be used to implement the visual analytical tool for the purpose of performing rudimentary aspects of data mining by examining certain aspects of data (name records, vehicle records, incident locations and incident numbers) in the respective databases. Access to this portion of the system will be role based, limited and regularly audited.


B. OPERATIONS POLICY SECTION

B.1.00 STATEMENT OF PURPOSE

The goal of establishing the Vermont Justice Information Sharing System (VJISS) is to provide name, vehicle, location and incident location information from the different CAD/RM systems to criminal justice agencies to further the following purposes:

1) Investigative purposes;
2) Background information on law enforcement activity; and
3) To promote officer safety.

The system also provides the following benefits:

a) Increase public safety and improve national security;
b) Minimize the threat and risk of injury to specific individuals and the general public;
c) Minimize the threat and risk of injury to law enforcement and other first responder personnel;
d) Crime prevention purposes;
e) Minimize the threat and risk of damage to real or personal property;
f) Protect individual civil rights, civil liberties, and privacy rights and other protected interests;
g) Protect the integrity of the criminal investigatory, criminal intelligence, and justice system processes and information;
h) Support the role of the justice system in society;
i) Promote governmental legitimacy and accountability;
j) Not unduly burden the ongoing business of the justice system; and
k) Make the most effective use of public resources allocated to justice agencies.

B.2.00 COMPLIANCE WITH LAWS REGARDING PRIVACY, CIVIL RIGHTS, AND CIVIL LIBERTIES

All participating agency personnel, personnel providing information technology services to the contributing agencies and the Department of Public Safety, private contractors, and users will comply with all laws protecting privacy, civil rights, and civil liberties in the collection, use, analysis, retention, destruction, sharing, and disclosure of information.


B.3.00 DEFINITIONS

Accuracy of information – Accuracy of information means that the information is of such a quality that it has the attributes of accuracy, completeness, timeliness and objectivity. Together, these attributes contribute to the validity of the information. Good information quality is the cornerstone of sound agency decision making and inspires trust in the justice system and in the law enforcement entities that use information. Agencies should always strive to improve the quality of their information so that it is accurate.

Agency – An agency, as used in these policies, is a department that has a federal ORI number, whose mission/purpose/focus is the investigation and/or prosecution of criminal activity, and that is sharing its records management system information with criminal justice users.

Contributing Agency – A contributing agency is an agency that uses the Vermont Incident Based Reporting System CAD/RM system and enters information for the purposes of NIBRS reporting, agency administration and law enforcement investigative purposes. A contributing agency is also an agency that contributes information from its own CAD/RMS into VJISS.

CAD/RMS – An acronym for computer aided dispatch and records management system. Within this policy the term CAD/RM system means the same.

Data Collector – May include, but is not limited to, a police agency, or a member (or members) of an agency, that for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic personal identifying information.

Disseminate – To spread, release or disperse information from the CAD/RM system to anyone.

DPS – Refers to the Vermont Department of Public Safety, Division of Criminal Justice Services.

Information – Includes individual pieces of or collections of pieces of data about people, organizations, events, incidents, objects, or real or personal property, whether in physical, manual, or electronic form, including documents, writings, electronic representations of text or graphic documents, an electronic image (including a video image) of a document, evidence, object or event, information in the fields or files of an electronic database, or an audio or video recording, analog or digital, of an event, or notes in an electronic file from which a transcript of an event can be prepared.

Law – As used in this policy, “law” includes any federal, state, local, or tribal statute, ordinance, regulation, executive order, or court rule, decision, or order, as construed by appropriate federal, state, tribal, or local officials or agencies.


Personal identifying information – Personally identifiable information is one or more pieces of information that, when considered together or combined with other information, and when considered in the context of how it is presented or how it is gathered, is sufficient to identify a unique individual. The pieces of information can be a) personal characteristics,¹ b) a unique set of numbers or characters assigned to a specific individual,² c) descriptions of event(s) or points in time,³ or d) descriptions of location(s) or places.⁴ Examples of documents or activities in the justice system that may involve personally identifiable information include, but are not limited to:

• Law enforcement: police reports, records of anyone who comes in contact with the justice process, arrests, warrants, neighborhood, city, county, or state crime data, and GIS data;

• Jail: inmate records, including classification and medical records, and pretrial, bail, and release information;

• Prosecution: indictment/charging documents, victim and witness information, and investigative and evidentiary materials;

• Courts: pleadings, motions, hearing transcripts, trial exhibits, dispositions, scheduling information, judge, attorney, and juror information, bail/bond information, or protection orders;

• Corrections: inmate information, including medical information, classification information, gang affiliation, religious affiliation, etc.;

• Probation/parole: terms and conditions of probation or parole, sex offender status, violent offender status, employer information, residence information, or family member information.

• Victims services: treatment providers, contact information, or counseling referrals;

• Traditional criminal history record information;

• Criminal intelligence information related to individuals, events, allegations or reports;

• Justice system employee: personnel records, including employee evaluations, employment histories, medical evaluations, family information, residential information, and financial institution and insurance information;

¹ Personal characteristics includes such things as height, weight, gender, sexual orientation, date of birth, age, hair color, eye color, race, ethnicity, scars, tattoos, gang affiliation, religious affiliation, place of birth, mother’s maiden name, distinguishing features, and biometric information such as fingerprints, DNA, retinal scans, etc.

² A unique set of numbers or characters assigned to a specific individual includes such things as name, address (home or work), phone number(s), social security number, e-mail addresses, driver’s license number, financial account or credit card number and associated PIN number, AIFIS, booking or detention system number.

³ Descriptions of event(s) or points in time includes information in documents such as police reports, arrest reports, medical records, etc.

⁴ Descriptions of location(s) or places includes such things as GIS locations, electronic bracelet monitoring information, etc.


• Other types of information related to victims, witnesses, jurors, law enforcement officers, justice staff, plaintiffs, respondents, attorneys, judges, defendants, offenders, families and associates of these persons, and anyone else who comes in contact with the justice process

Public - includes:

a) any person and any for-profit or non-profit entity, organization or association;
b) any governmental entity for which there is no existing specific law or policy authorizing access to the agency’s information;
c) media organizations; and
d) entities that seek or receive and disseminate information for whatever reason, regardless of whether it is done with the intent of making a profit, and without distinction as to the nature or extent of those requesting information from the agency.

Public - does not include:

e) employees of the agency;
f) people or entities, private or governmental, who assist the agency in the operation of the justice information system; and
g) public agencies whose authority to access information gathered and retained by the agency is specified in law.

Non-Contributing Agency – A non-contributing agency is an agency that uses the Vermont Incident Based Reporting System CAD/RM system for law enforcement investigative purposes or is a justice agency authorized to access the VJISS database.

User – A user is an individual authorized by the head of an agency to have access to the information contained in the databases of the Vermont Justice Information Sharing System (VJISS). The user must be under the employment of the agency head or under a contract or agreement where the agency head has the ability to monitor the user’s use of the network.

VIBRS – An acronym for the Vermont Incident Based Reporting System. This is a broad term used to identify the network that delivers a variety of applications for law enforcement and justice agencies in Vermont and to identify a CAD/RMS. When this term is used along with CAD/RMS it means the computer aided dispatch records management system that utilizes the Spillman software.

Visual Analytical (VA) Tool – A tool used to analyze information captured from the different CAD/RM systems. A separate server is utilized to populate the database with the name record, vehicle record, location and incident number from the participating police agencies. The visual analytical tool of VJISS will allow a limited number of users to perform rudimentary aspects of data mining by examining certain aspects of data (name record, vehicle record, location and incident number) in the new database. The limited number of users will have access based on their respective roles associated with performing crime analysis functions.


B.4.00 SEEKING AND RETAINING INFORMATION

B.4.10 WHAT INFORMATION MAY BE SOUGHT OR RETAINED

a) The VJISS and its related data collectors will only seek or retain information that is:

• Collected by law enforcement officers on all persons who have contact with law enforcement agencies and is stored or placed lawfully into a database in accordance with those agencies’ policies. This database shall be for the purpose of recording the records of the police agency and shall be for the purposes of crime prevention, crime detection, officer safety, investigative inquiry, management information, crime analysis purposes, and background information. These purposes shall constitute the definition of law enforcement purposes.

b) The agency will not seek or retain information about an individual or organization solely on the basis of their religious, political or social views, their participation in a particular organization, or because of their race, ethnicity, place of origin, sex, or sexual orientation. Such information can be sought and retained if it is:

1) relevant to whether an individual or organization has engaged in, is engaging in, or is planning a criminal or terrorist activity or activities that present a threat to individuals, the community or the nation; or 2) needed by the agency to identify an individual, for the agency’s effective operation, or to provide services to the individuals the agency serves.

c) A record shall be kept of the source of all information retained by the agency.

d) Information from the query portion of the system shall only be retained if it is to be used for law enforcement purposes involving a law enforcement action (arrest, etc.).

i) Use for law enforcement purposes involving a law enforcement action (arrest etc.) shall only occur with permission from the owner of the information.

B.4.20 METHODS OF SEEKING OR RECEIVING INFORMATION

a) Information gathering and investigative techniques used by agencies and data collectors will comply with all applicable laws.


b) The VJISS agencies will not accept, seek, receive, or retain information from an individual or non-government information provider, who may or may not receive a fee or benefit for providing the information, if the agency knows or has reason to know that:

1) the individual or information provider is legally prohibited from obtaining or disclosing the specific information sought;
2) the individual or information provider used methods for collecting the information that the agency itself could not legally use [include any exceptions regarding illegally obtained information];
3) the specific information sought from the individual or information provider could not legally be collected by the agency; or
4) the agency has not taken the steps necessary to be authorized to collect the information.

c) Information gathering and investigative techniques used by this agency will be no more intrusive or broad scale than necessary in the particular circumstance to gather information it is authorized to seek or retain pursuant to section [B.4.10].

B.4.30 MERGING OF INFORMATION FROM DIFFERENT SOURCES

a) Information about an individual or organization from two or more sources will be merged on a screen showing which CAD/RMS the information comes from. However, a user needs to be aware that there must be sufficient identifying information to reasonably conclude that the information is about the same individual or organization.

b) The combination of personal identifying information sufficient to allow the use of this information will consist of at least two of the following:

• Full name;
• Date of birth;
• Law enforcement or corrections system identification number, usually based on fingerprints;
• Photograph;
• Physical description: height, weight, eye and hair color, race, ethnicity, tattoos, scars, etc.;
• Driver’s license number.

c) Users should not arrest or detain individuals solely based on information contained within VJISS.
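The B.4.30 rule above is a record-linkage threshold: two records from different CAD/RM systems may be shown as one subject only when at least two of the listed identifiers agree, and the display must still show which system each value came from. The following Python is an added illustration of that check and is not VJISS or Spillman code; the `Record` type, the field names, the normalization rule and the sample records are assumptions made for the example (photograph comparison is left out because it cannot be done by string equality).

```python
"""Record-linkage check for the B.4.30 merging rule (added example, not VJISS code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Identifiers listed in B.4.30 b), minus photograph. Hypothetical field names.
IDENTIFIERS = ("full_name", "date_of_birth", "le_id_number",
               "physical_description", "drivers_license")
MIN_MATCHES = 2  # "at least two of the following"


@dataclass(frozen=True)
class Record:
    source: str  # which contributing CAD/RMS the record came from
    full_name: Optional[str] = None
    date_of_birth: Optional[str] = None
    le_id_number: Optional[str] = None
    physical_description: Optional[str] = None
    drivers_license: Optional[str] = None


def _normalize(value: Optional[str]) -> Optional[str]:
    """Case- and punctuation-insensitive form; None when the field is absent."""
    if not value:
        return None
    cleaned = "".join(ch for ch in value if ch.isalnum() or ch.isspace())
    return " ".join(cleaned.split()).casefold()


def matching_identifiers(a: Record, b: Record) -> List[str]:
    """Identifiers present in BOTH records and equal after normalization.
    A field missing on either side never counts as a match."""
    matches = []
    for name in IDENTIFIERS:
        va, vb = _normalize(getattr(a, name)), _normalize(getattr(b, name))
        if va is not None and vb is not None and va == vb:
            matches.append(name)
    return matches


def may_merge(a: Record, b: Record) -> bool:
    """B.4.30 b): merge only with two or more agreeing identifiers."""
    return len(matching_identifiers(a, b)) >= MIN_MATCHES


def merge_view(records: List[Record]) -> List[Dict]:
    """Group records that satisfy the rule into one display row each, tagging
    every value with its source CAD/RMS so the user sees where it came from."""
    groups: List[List[Record]] = []
    for rec in records:
        for group in groups:
            if any(may_merge(rec, member) for member in group):
                group.append(rec)
                break
        else:
            groups.append([rec])
    rows = []
    for group in groups:
        row = {"sources": sorted({r.source for r in group})}
        for name in IDENTIFIERS:
            row[name] = [(r.source, getattr(r, name))
                         for r in group if getattr(r, name)]
        rows.append(row)
    return rows


# Constructed sample records for the example; not real persons or agencies.
SAMPLE = [
    Record("PD-A", full_name="Jane Q. Sample", date_of_birth="1980-01-02",
           drivers_license="S123456"),
    Record("PD-B", full_name="JANE Q SAMPLE", date_of_birth="1980-01-02"),
    Record("PD-C", full_name="Jane Q. Sample"),  # name alone: must not merge
]

if __name__ == "__main__":
    for row in merge_view(SAMPLE):
        print(row)
```

The third sample record shares a name with the other two but nothing else, so it stays a separate row; that is the failure mode the rule guards against, a common name being treated as the same person. Normalization is deliberately narrow (case and punctuation only), since looser matching would silently lower the threshold the policy sets.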


B.4.40 CLASSIFICATION OF INFORMATION REGARDING VALIDITY AND RELIABILITY – Use of the Virtual Analytics (VA) Tool

This section only applies to those users who have access to the VA Tool.

a) At the time information is used from information stored within the VA Tool server, the information will be categorized regarding its content validity and source reliability.

b) The categorization of existing information will be reevaluated when new information is gathered that has an impact on the validity and reliability of existing information.

c) This section only applies to users of the query capabilities of VJISS if they copy the information for subsequent use.

B.4.50 CLASSIFICATION OF INFORMATION REGARDING LIMITATIONS ON ACCESS AND DISCLOSURE

a) At the time a decision is made to keep information it will be classified based on applicable limitations on access and sensitivity of disclosure in order to:

1) protect confidential sources;
2) not interfere with or compromise pending criminal investigations;
3) protect an individual’s right of privacy and civil rights; and
4) provide legally required protection based on the status of an individual as a victim of crime or domestic violence, a witness, or [indicate other classes of individuals accorded protection regarding access to or disclosure of sensitive information].

b) The classification of existing information will be reevaluated whenever

1) new information is added that has an impact on the level of privacy and confidentiality of information; or
2) there is a change in the use of the information affecting access or disclosure limitations.

c) The classification scheme will be used to control:

1) what information a class of users can have access to;
2) what information a class of users can add, change, or delete; and
3) to whom the information can be disclosed, and under what circumstances.


d) VJISS is primarily intended to be used as a query system; retention of information should be limited and is only to be used, with the owner’s permission, for law enforcement purposes.

e) This section does not apply if the query function is used and no information is copied or stored.

f) This section applies to the limited number of users who utilize the VA Tool.

B.5.00 INFORMATION QUALITY

a) The agency will make every reasonable effort to ensure that queried information sought and retained is:

1) derived from dependable and trustworthy sources of information;
2) accurate;
3) current;
4) complete, including the relevant context in which it was sought or received and other related information; and
5) merged with other information about the same individual or organization only when the applicable standard [in section B.4.30] has been met.

b) The agency will make every reasonable effort to ensure that only authorized users are allowed to add, change, or delete information in their CAD/RM system.

c) The agency will make every effort to ensure that information will be deleted from their respective CAD/RM system when the agency learns that:

1) the information is misleading, obsolete, or otherwise unreliable;
2) the source of the information did not have authority to gather the information or to provide the information to the agency; or
3) the source of the information used illegal means to gather the information.


B.6.00 COLLATION AND ANALYSIS OF INFORMATION – VA Tool

This section only applies to those users who have access to the VA Tool.

a) Information contained in the VJISS VA Tool server will only be analyzed by qualified individuals in an effort to provide tactical and/or strategic intelligence on the existence, identities, and capabilities of individuals and organizations suspected of having engaged in or engaging in criminal or terrorist activities generally and, in particular, to further crime and terrorist prevention and enforcement objectives and priorities established by the agency.

b) Information sought or received by the qualified individual from VJISS or from other sources will not be analyzed or combined in a manner or for a purpose that violates section [B.4.10 b)].

B.7.00 SHARING AND DISCLOSURE OF INFORMATION

B.7.10 SHARING INFORMATION WITHIN THE AGENCY AND WITH OTHER JUSTICE SYSTEM PARTNERS

a) Access to information gathered through VJISS will only be provided to persons within the agency or in other justice system agencies who are authorized to have access, and only for legitimate law enforcement, public protection, public health, or justice purposes and in the performance of official duties in accordance with the law and procedures applicable to this agency.

1) Prior approval from the owner of the information is needed before it is used for a law enforcement action or disseminated. It may be used for officer safety purposes without seeking prior approval.

b) An audit trail is kept of persons accessing information contained in VJISS.

B.7.20 SHARING INFORMATION WITH FIRST RESPONDERS

a) Information gathered and retained by this agency may be disseminated to individuals in first responder entities other than law enforcement agencies only for public safety or public health purposes and in the performance of official duties in accordance with applicable laws and procedures.

1) Prior approval from the owner of the information is needed before it is used for a law enforcement action or disseminated. It may be used for officer safety purposes without seeking prior approval.

b) An audit trail will be kept of the access by or dissemination of information to such persons by the agency who disseminated the information.


B.7.30 SHARING INFORMATION FOR SPECIFIC PURPOSES

a) Information gathered and retained by this agency can be disseminated for other than justice purposes upon request by authorized persons entitled by law to such access, and only for those uses or purposes specified in the law.

1) Prior approval from the owner of the information is needed before it is used for a law enforcement action or disseminated. It may be used for officer safety purposes without seeking prior approval.

b) An audit trail will be kept of the request for access and what information is disseminated to such persons.

B.7.40 DISCLOSING INFORMATION TO THE PUBLIC

a) Information gathered from VJISS will not be disclosed to a member of the public unless the information is owned by that agency and defined by law to be a public record or is excepted from non-disclosure by a specific law, and it may be disclosed only in accordance with the law and procedures applicable to the agency for this type of information.

b) The agency shall not confirm the existence or nonexistence of information belonging to another agency to any person or agency that would not be eligible to receive the information itself.

B.7.50 DISCLOSING INFORMATION TO THE INDIVIDUAL ABOUT WHOM INFORMATION HAS BEEN GATHERED

a) No user or agency should disclose information contained in VJISS about an individual unless that information belongs to the agency and the agency head approves of such disclosure. This information is CAD/RM system information, for which all contributing agencies should have policies in place regarding the disclosure to an individual of information contained in their system on that individual. The following is recommended policy information.

1) Upon satisfactory verification of his or her identity, and subject to the conditions specified in b) below, an individual is entitled to know the existence of, and to review the information about him or her that has been gathered and retained by the agency. The individual may obtain a copy of the information for the purpose of challenging the accuracy or completeness of the information. The agency’s response to the request will be made within a reasonable time, and in a form that is readily intelligible to the individual.


2) The existence and content of the information will not be made available to an individual when:

i) disclosure would interfere with, compromise, or delay an on-going investigation;
ii) disclosure would endanger the health or safety of another individual, organization, or community;
iii) the information is in a criminal intelligence system;
iv) the information relates to [specify what types of information are not to be disclosed to an individual under the law applicable to the agency].

3) The agency will inform the individual of the procedure for requesting review of objections to the accuracy or completeness of the information retained about the individual. The individual will be given reasons if a request for correction is denied. The individual will also be informed of the procedure for appeal where the agency refuses to correct challenged information to the satisfaction of the individual about whom the information relates.

4) A record will be kept of the request and what information is disclosed to an individual.

B.8.00 INFORMATION RETENTION AND DESTRUCTION

B.8.10 REVIEW OF INFORMATION REGARDING RETENTION

Information will be reviewed for purging; when information has no further value or meets the criteria for destruction under applicable law, it will be destroyed.

B.9.00 ACCOUNTABILITY AND ENFORCEMENT

B.9.10 INFORMATION SYSTEM TRANSPARENCY

a) The policy establishing protections of privacy, civil rights, and civil liberties will be made available to the public on request and through any public web sites providing information about the system.
b) The contributing agency will designate an administrative liaison who is a person responsible for receiving and responding to inquiries about privacy and civil rights protections in the CAD/RM system within their agency.


c) The Director of the Division of Criminal Justice Services, Vermont Department of Public Safety shall be the responsible person for responding to inquiries about privacy and civil rights protection for information associated with VJISS.

B.9.20 ACCOUNTABILITY FOR ACTIVITIES

a) Primary responsibility for the operation of this justice information system, including operations, sharing, and disclosure of information, and the enforcement of this policy is assigned to the Director of the Division of Criminal Justice Services, Vermont Department of Public Safety.
b) The Director of the Division of Criminal Justice Services, Vermont Department of Public Safety, along with the VIBRS Advisory Board and representatives from contributing agencies, will establish procedures, practices, and system protocols, and use software and technologies that protect information from unauthorized access, theft, sabotage, fire, flood, or other natural or manmade disaster or intrusion, when applicable.
c) The Director of the Division of Criminal Justice Services, Vermont Department of Public Safety will store information in a manner such that it cannot be added to, modified, accessed, destroyed, or purged except by personnel authorized to take such actions.
d) The Director of the Division of Criminal Justice Services, Vermont Department of Public Safety will adopt and follow procedures and practices by which it can ensure and evaluate compliance of users and the system with the provisions of this policy and applicable law, including: adopting information system security practices, logging of access requests and responses, detection of unauthorized attempts to add, change, delete, or access information, audits, and enforcement mechanisms.
e) The Director of the Division of Criminal Justice Services, Vermont Department of Public Safety will require individuals authorized to use the system to agree in writing to comply with the provisions of this policy.
f) The Director of the Division of Criminal Justice Services, Vermont Department of Public Safety will periodically conduct audits and inspections of information in the system. The audits will be conducted randomly by a designated representative of the Division of Criminal Justice Services, Vermont Department of Public Safety or a designated independent party. The audit will be conducted in such a manner so as to protect the confidentiality, sensitivity and privacy of the agency’s information.
g) The Director of the Division of Criminal Justice Services, Vermont Department of Public Safety, along with the VIBRS Advisory Board and representatives from contributing agencies, will periodically review and update the provisions protecting privacy, civil rights, and civil liberties in its policies and make appropriate changes in response to changes in applicable law and public expectations.

B.9.30 ENFORCEMENT

If a user is suspected or found not to be complying with the provisions of this policy regarding the collection, use, retention, destruction, sharing, or disclosure of information, the contributing agency or user agency will:

a) suspend or discontinue access to information by the user,
b) suspend, demote, transfer or terminate the person as permitted by applicable personnel policies,
c) apply other sanctions or administrative actions as provided in agency personnel policies, or
d) refer the matter to appropriate authorities for criminal prosecution as necessary to effectuate the purposes of the policy as stated in [section B.1.00].

B.10.00 TRAINING

a) The agency will require:

1) its personnel,
2) personnel providing IT services to the agency,
3) staff in other public agencies or private contractors providing services to the agency, and
4) users who are not employed by the agency or a contractor

to participate in training programs regarding the privacy, civil rights, and civil liberties policy.

b) The training program will cover:

1) Purposes of the privacy, civil rights, and civil liberties protection policy;
2) Substance and intent of the provisions of the policy relating to collecting, use, analysis, retention, destruction, sharing and disclosure of information retained by the agency;
3) The impact of improper activities associated with information accessible within or through the agency; and
4) The nature and possible penalties for policy violations, including possible transfer, dismissal, civil and criminal liability, and immunity, if any.


C. MULTI-AGENCY AGREEMENTS SECTION - MOU

C.1.00 MOU Required

a) Memorandums of understanding between the Department of Public Safety and users who use the system of services accessed through the VIBRS network shall be required.

C.2.00 USE AND DISCLOSURE OF INFORMATION ORIGINATING FROM ANOTHER PARTICIPATING AGENCY

C.2.10 DISCLOSURE OF INFORMATION ACCORDING TO ORIGINATING AGENCIES ACCESS RULES

a) A contributing agency or user will not disclose information originating from another agency unless prior approval is received.

C.2.20 REPORTING POSSIBLE INFORMATION ERRORS TO THE ORIGINATING AGENCY

a) When a contributing agency or user seeks or receives information that suggests that information originating from another agency may be erroneous, may include incorrectly merged information, or lacks a complete context, the alleged error will be communicated in writing to the person designated in the originating agency to receive such alleged errors.

C.2.30 ENFORCEMENT OF PROVISIONS OF INFORMATION SHARING AGREEMENT

If a contributing agency fails to comply with the provisions of the agreement, or fails to enforce provisions in its local policies and procedures regarding proper collection, use, retention, destruction, sharing, or disclosure of information, the information sharing network may:

a) suspend or discontinue access to shared information by a user in the offending agency who is not complying with the agreement or local policies and procedures;
b) suspend or discontinue the offending agency’s access to the information sharing system; or
c) offer to provide an independent review, evaluation, or technical assistance to the participating agency to establish compliance.


Attachment L: VJISS Participation Agreement

1.0 Purpose

This agreement outlines requirements for an agencyʼs participation in the Vermont Justice Information Sharing System (VJISS). It is intended to be an attachment to the Vermont Incident Report Based Reporting System (VIBRS) Agency Memorandum of Understanding (MOU).

2.0 Background

The Vermont Justice Information Sharing System (hereafter referred to as the “VJISS”) is a system for sharing information among local law enforcement and other justice agencies in Vermont. VJISS is one of the systems of service delivered over the VIBRS network. The information each agency agrees to share is information stored in each agencyʼs respective records management system (RMS)/computer aided dispatch (CAD) systems. VJISS information will be delivered over the Vermont Incident Based Reporting (VIBRS) Network. All VIBRS policies shall apply to the collection, use, dissemination and security of the information within VJISS. VJISS is intended to be one of the systems of services offered over the VIBRS network. It is not a CAD/RM system but a system that ties together the disparate CAD/RM systems within Vermont for the sharing of certain name, vehicle, location and incident number data.

3.0 Mission

The first phase of the VJISS project is to create a voluntary law enforcement data sharing initiative (LEDSI) that can be used by a variety of law enforcement and justice agencies, based on VIBRS network policies and established technical and security standards, to assist officers, investigators and other justice practitioners to prevent, detect, investigate and respond to crimes and acts of terrorism. Subsequent VJISS phases are intended to transfer information throughout justice agencies for the purposes stated above and to increase efficiency surrounding the administration of justice.
4.0 Network Responsibilities and Ownership of Data

Each participating agency maintains ownership of and responsibility for its information stored in their respective data repository. Each data repository, which is a “read only” database, is located within each agencyʼs CAD and/or RMS system. All data residing in or accessed through the VIBRS network is the property of the contributing agencies. Prior approval, in writing (to include e-mail), from the originating agency must be obtained before any data may be released (verbally or in print). See the VIBRS User Policy for a more detailed description of use of VIBRS data. Administrative and technical oversight of VJISS is provided by the Division of Criminal Justice Services (CJS) of the Vermont Department of Public Safety and the guidance of the VIBRS Advisory Board.

5.0 VJISS Access

Any Vermont law enforcement agency desiring to participate in VJISS that agrees to abide by the governing VIBRS policies, agrees to share RMS/CAD data to VJISS, and possesses user access to the VIBRS network will be provided access to VJISS under the terms and conditions of this participation agreement. If at any time an agency is found to have violated the VIBRS User Agreement, access to VJISS may be denied.

6.0 Participating Agency Responsibilities

All agencies participating in VJISS shall adopt appropriate internal policy, orders, procedures, rules or directives to inform and ensure that its employees are aware of and comply with the provisions of this agreement and all VIBRS policies. Due diligence shall be taken to ensure that all participating agency employees have read, understand and comply with all VIBRS policies and VJISS policies. Each agency shall assign a technical liaison, in addition to the Agency CEO, to coordinate all activities related to VJISS participation. It is understood that the initial costs for VJISS and two years of maintenance and operational costs will be provided by VJISS. Any additional or subsequent costs will be the responsibility of the participating agency. The minimum acceptable speed of connection to the VIBRS Network is 56k. This will provide for timely and accurate updating of information stored on the Network. Each participating agency shall maintain a maintenance agreement with their vendor supporting the agencyʼs CAD and RMS systems or shall have other procedures in place for maintaining their CAD and RMS systems.

7.0 Acceptable Use

The Network is to be used for law enforcement purposes only. It is restricted to the official responsibilities of law enforcement in the performance of their official duties and shall not be used for any other purpose. Authorized users shall not use the Network for illegal or inappropriate purposes or in support of such activities. All agencies and users shall comply with the VIBRS User Policy.


8.0 Security

The protection and security of information resources is the responsibility of each agencyʼs department head and all employees. The department head shall establish security controls and practices sufficient to ensure the confidentiality (to the extent required by law), integrity, availability, and appropriate use of all electronic data and information assets.

9.0 Minimum Data

It is understood that all participating agencies will submit the minimum data for information-sharing purposes as established by VJISS policy.

10.0 Dissemination

Information disseminated by VJISS will be controlled through the required use of standard queries approved by the VIBRS Advisory Board. All information provided by VJISS will include a disclaimer indicating that the information provided is for investigative purposes only, and may contain error. The originating agency should be contacted to verify all information.

11.0 Audits

The system may be audited for completeness. It is also understood that the VJISS data submitted by a participating agency may be audited from time to time to ensure compliance with the minimum set of data elements required for VJISS participation. The agency CEO may request in writing to the CJS staff information on the use of the system by an employee with regard to who used the system, when it was used, and what queries were submitted.

12.0 Support

Any technical questions or difficulties related to connecting to VJISS must be directed to the organizationʼs CAD or RMS provider. The provider will contact CJS if they determine the difficulty resides outside their site. If the user or user agency does not have a CAD/RMS contributing information to VJISS then the Criminal Justice Services Help Desk should be contacted.

13.0 Adherence to User Agreement

Each Participating Agency will be provided a copy of the VJISS and VIBRS policies and shall agree to adhere to them, along with the conditions set forth in this Participation Agreement. Violations may result in sanctions as outlined in the VIBRS user policy.

14.0 Duration

This agreement shall commence on the date it is executed and shall continue until it is revoked.

15.0 Termination

Any Participating Agency may withdraw from this agreement in writing with 30 days notice to the Director of the Division of Criminal Justice Services. The Division of Criminal Justice Services may terminate an agencyʼs participation in the system on an emergency basis if it is determined that a security violation exists to the extent that it will create a security problem for the network or the privacy and confidentiality of the information is compromised. An involuntary termination of participation may occur if a policy violation occurs and the matter has been reviewed by the VIBRS Advisory Board and the Board concurs with the recommended termination or other sanction. Written notice will be provided to the terminated agency to explain the reason for termination and any steps that must be taken for re-establishing the agency connection.

Designated Agency Contact Person
Name: ______________________________
Title: ______________________________
Address: ____________________________
City: ____________________ State: ______ Zip: __________
Phone: ________________ Fax: ________________ Email: ________________

Official Agency Acceptance
Agency Name: ________________________
Signature: __________________________
Date: _______________________________
Name: _______________________________
Title: ______________________________

Page 26: Privacy Protections - SEARCH | The National Consortium … · 2016-10-17 · ... location and incident location information from the ... contributing CAD/RM systems and does not store

Privacy Impact Assessment for the

VERMONT JUSTICE INFORMATION SHARING SYSTEM,

Law Enforcement Data Sharing Initiative

May 13, 2008

Francis X. Aumand III, Director, Division of Criminal Justice Services, Vermont Department of Public Safety


INTRODUCTION

Today, Vermont law enforcement agencies depend on modern information technology (IT) to increase agency effectiveness and officer safety. Jurisdictions recognize the critical need for daily interagency information-sharing, cooperation, and communication. Recognizing the cross-jurisdictional nature of criminal activity and increased post-9/11 attention on law enforcement interoperability, many police chiefs and sheriffs have come to understand that they need to improve their regional information-sharing capability. They see participation in a regional information sharing system (ISS) as having two benefits: it enables agencies to respond more efficiently to criminal and public-safety incidents, and it facilitates the evolution of proactive strategies for preventing crime, reducing the occurrence of public safety incidents and building a robust community-oriented policing environment.

Over the course of the past several years several police departments in Vermont have developed Computer Aided Dispatch (CAD) and Records Management Systems (RMS) independent of the Spillman solution managed by the Division of Criminal Justice Services (DCJS) of the Vermont Department of Public Safety (DPS). The Spillman software solution called VIBRS CAD/RMS is being utilized by 93% of the law enforcement agencies in the state. As a result, there are data elements contained in each system that cannot be shared with each other or the statewide database. In each case, these disparate databases shield valuable information from other law enforcement officials, sometimes in their own immediate area.

Although the concept of sharing law enforcement information is often practiced by these agencies, most of the established information-sharing occurs through informal relationships between officers in other jurisdictions. Other instances of information-sharing occur in response to joint operations or on a case-by-case basis as needs arise. The Vermont Justice Information Sharing System (VJISS) can bring a change of culture to law enforcement as agencies will be able to work as a team on crime response, resolution and prevention. Officer safety is another benefit to this law enforcement data sharing initiative (LEDSI) of VJISS.

A broader issue is the sharing of information beyond law enforcement agencies to a broader audience of criminal justice partners such as Courts, Prosecutors and Corrections which brings with it additional concerns dealing with privacy, user authentication to appropriate levels of information and confidentiality. The initial phase of VJISS will lead the way to higher levels of sharing into a true “Criminal Justice Sharing” environment.

For the purposes of this document personal identifying information means one or more pieces of information, when considered together, or combined with other information, and when considered in the context of how it is presented or how it is gathered, is sufficient to identify a unique individual.

This document will be edited and updated as additional functionality is developed into the VJIS System.


Section 1.0 The System and the Information Collected and Stored within the System.

1.1 What information is to be collected?

The VJIS System will consist of two parts: the query of four different databases and the ability to analyze the information from these disparate sources. The two functions will operate within two different servers. The query system will utilize a federated search concept to look at and return to the user the information the user requested. This information will consist of a query by name, location, vehicle and location. The visual analytical (VA) tool will collect all name, location, vehicle and location information from the disparate databases and store them on a separate server for analysis. Access to this system will be closely monitored and limited only to those persons involved in a crime analytical capacity. VJISS will collect “user” data in the form of the identity of the individual making a query into the respective databases. The date and time of the query, the department which made the request and the identity of the individual making the query are also collected. It is important to note that personal identifying information from individuals who have had contacts with Vermont law enforcement agencies will be queried and viewed over this system by authorized criminal justice personnel. Criminal justice agencies and their users participating in this system will view and utilize this information for investigative purposes, to provide background information on law enforcement activity and for officer safety purposes. This personal identifying information is information that has already been captured in accordance with policies and procedures from the individual agency records management systems. Regularly scheduled audits will record a summary of activity that will be stored on a DCJS server for future review or access should the need arise for review of system access. This server is housed at the DPS/DCJS data center.

1.2 From whom is the information collected?

“User” data information will be collected from all participating and credentialed criminal justice agencies using VJISS. Personal identifying information will not be collected from any user of the system. The system will also collect personal identifiers, such as login and passwords, identifying who the “user” is and which agency they are from. All personal identifying information that may be viewed through a query of this system is information that has already been collected through an agency CAD/RMS.


Section 2.0 The Purpose of the System and the Information Collected and Stored within the System.

2.1 Why is the information being collected?

The information on users is being collected in order to determine how, when and by whom VJISS is being used and to assist in ensuring that the VIBRS User Agreement and other applicable policies are being followed. The information will be accessible to administrative/management staff of any of the participating agencies or DCJS staff. Information contained within the different police computer aided dispatch and records management systems is being viewed and collected (VA tool) for the purpose of enhancing the criminal investigative function and for officer safety purposes. Other than the information that is collected on who is accessing the system, personal identifying information from individuals coming in contact with the police will also be made available to authorized criminal justice users.

2.2 What specific legal authorities, arrangements, and/or agreements authorize the collection of information?

Records management is a fundamental function of all law enforcement agencies. Statutory authority relative to police records management systems is contained in Title 1 Section 317(c)(5) of the Vermont Statutes Annotated and pertains to the disclosure and dissemination of information, not the collection of information. T. 20 V.S.A. Section 2056a also defines the “criminal history record”, which means all information documenting an individual’s contact with the criminal justice system, including data regarding identification, arrest or citation, arraignment, judicial disposition, custody and supervision. Police records management systems contain information on a person’s contact with law enforcement, the gateway agency within the criminal justice system, and they contain data regarding identification. However, these records do not represent a complete set of information relating to a person’s arrest and conviction of a criminal offense or an individual’s contact throughout the criminal justice system. This section authorizes the Vermont Crime Information Center (VCIC) to disseminate criminal history information to criminal justice agencies. This record has been a record created within VCIC that documents an individual’s complete contact with the component parts of the criminal justice system for criminal acts with which the individual may have been charged. A police records management system is not a database of information as mentioned above but may include some information that is collected by VCIC. The DCJS VIBRS User’s Agreement, the VJISS Memorandum of Understanding and the VJISS privacy policy authorize the collection of the information in VJISS.


2.3 Privacy Impact Analysis: Given the amount and type of information collected, as well as the purpose, what privacy risks were identified and how were they mitigated?

VJISS’ stated purpose is to only enable access to collected data from record management systems. Information from these record management systems will not be stored on the query server portion of VJISS. Login information that identifies the user and the agency they are from is stored on the system. However, this information taken out of the context of the VJIS System will not by itself identify the name of the user. The system is also a closed system with a substantial level of security. No privacy risks are identified as, once again, personal identifying information being queried through VJISS is information that is already controlled within the CAD/RMS policies and procedures of the respective departmental systems. The VA tool being implemented will collect and store a snapshot of information from the different records management systems. The purpose is to give crime analysts the ability to review and analyze information for criminal investigation purposes. This snapshot of information will be updated every 24 hours in order to capture any changes within the respective records management systems. The privacy risks are mitigated by limiting the number of users that have access to this portion of the system.

Section 3.0 Uses of the System and the Information.

3.1 Describe all uses of the information.

The information collected and stored by VJISS will be used to determine how, when and by whom VJISS is being used and to assist in ensuring that the User Agreement and other applicable policies are being followed. Audit logs of user activity will be downloaded and backed up as a regular occurrence onto a separate DCJS server.

3.2 Does the system analyze data to assist users in identifying previously unknown areas of note, concern, or pattern? (Sometimes referred to as data mining.)

The analytical tool of VJISS will allow a limited number of users to perform rudimentary aspects of data mining by examining certain aspects of data in the respective databases. However, the information gained from this analysis will not be recorded or stored in any portion of the VJIS system. Users may copy and retain information obtained in investigative files or utilize it for future investigative leads. Likewise, users of the query part of VJISS may copy from different CAD/RM systems for their use.

3.3 How will the information collected from individuals or derived from the system, including the system itself, be checked for accuracy?

Accuracy of data will be the responsibility of the respective agency or entity that maintains and “owns” the data that is being queried. There is no provision or responsibility that VJISS creates to determine accuracy of the data being shared. A disclaimer is placed on the opening web page advising that users should not arrest or detain an individual based solely on information contained in this system.

3.4 What is the retention period for the data in the system? Has the applicable retention schedule been approved by the Vermont Department of Buildings and General Services (BGS)?

The user audits collected and stored by VJISS will be retained for a minimum of three years. The retention period for audit information has not been approved by BGS.

Section 4.0 Internal Sharing and Disclosure of Information within the System.

4.1 With which members of Vermont Justice Information Sharing System (VJISS) is the information shared?

VJISS allows sharing of information with all individual users who have signed user agreements and authorized agencies completing an MOU. During the law enforcement data sharing initiative (LEDSI) phase of implementation these individual(s) and agencies will be law enforcement agencies or criminal justice agencies whose purpose is the investigation of criminal conduct.

4.2 For each recipient or agency, what information is shared and for what purpose?

VJISS will share name(s), vehicle(s), location(s) and incident number(s) and location information from all participating member CAD/RMS databases. The law enforcement purpose of the sharing is to enhance investigative efforts, to provide background information on law enforcement activity and to promote officer safety. Users of VJISS will also be able to access incident report narratives containing a variety of personal identifying and descriptive information, excluding social security numbers. Social security numbers will be available for the limited users who use the analytical tool of VJISS, which are those individuals assigned as crime analysts. Incident narratives may contain information that is speculative, unverified and merely the opinion of the author. All information should be verified for accuracy before being utilized for investigative purposes. Personal identifying information that is available through other public means is available for dissemination as long as it is for law enforcement purposes.

4.3 How is the information transmitted or disclosed?

Information is queried and shared by individual users through a secure data connection network maintained by the Vermont Department of Public Safety Criminal Justice Services division.



4.4 Privacy Impact Analysis: Given the internal sharing, discuss what privacy risks were identified and how they were mitigated.

Incident or event data contained within agency records management systems contains a variety of personal identifying information. This information is viewed by users of VJISS. This personal identifying information is already being collected by individual agencies, and the collection is controlled by policy within the respective agencies and records management systems. In some cases social security numbers are captured within these agencies' RMS as they are deemed by law enforcement to be personal identifiers. Within VJISS social security numbers will be redacted. Users of VJISS can contact the individual law enforcement agencies that own the data if this form of identification is needed. Furthermore, other personal identifying information such as name, date of birth, place of birth, address, phone number and driver's license number may be found in other publicly accessible places or databases. Also, users are required to complete and abide by a VIBRS User Agreement and VJISS Agency MOU. All users will be required to comply with collection, use and dissemination policies in place within their respective agency CAD/RM systems. Also, user information is collected, but it is only intended to be used to associate an individual with an agency and to determine whether the user is an authorized user.

Section 5.0 Technical Access and Security

5.1 Which user group(s) will have access to the system?

All agencies that are either part of the DCJS Spillman user network or that have completed a VJISS MOU will have access to VJISS. This represents at a minimum all law enforcement officers (federal, state, local and county) in Vermont and select members of the Vermont Criminal Justice System. It is expected that as the system matures other justice related agencies may have access to this information. However, VJISS MOUs and user agreements will be required from all user agencies and individuals.

5.2 Will contractors to the DCJS have access to the system?

Contractors responsible for the development and implementation and subsequent maintenance of VJISS will have access to the system. Their access will come only after completion of a Network Access Agreement including a fingerprint supported background check and only pursuant to a secure network access protocol. A copy of the contract will remain on file with DCJS for inspection or review. The contractor's access complies with all FBI CJIS security policies.

5.3 Does the system use "roles" to assign privileges to users of the system?

VJISS will not make a determination as to "roles" or assign privileges for the query component of the system. It will be the responsibility of the user agencies to determine appropriate levels of access and ensure that VIBRS User agreements or the VJISS Privacy Policy is completed for all users. However, only a limited number of specifically named individuals working as or in the capacity of crime analysts will have access to the VA tool. This database is the one that has collected and stored all name, vehicle, location and incident number information from the different records management databases.

5.4 How are the actual assignments of roles and rules verified according to established security and auditing procedures?

User agencies will provide DCJS with documentation certifying that all users have completed a VIBRS User's agreement and will maintain specific records toward that end. It will be the user agencies that ensure the user lists are properly maintained and updated regularly.

5.5 What auditing measures and technical safeguards are in place?

VJISS audit logs will be retained by DCJS and reviewed on a regular basis to ensure proper operation and compliance with user regulations. DCJS will update and maintain sufficient technical safeguards for VJISS.

5.6 Privacy Impact Analysis: Given access and security controls, what privacy risks were identified and describe how they were mitigated.

With current access and security controls no privacy risks were identified and no additional effort was needed to address them.

Conclusion

VJISS was designed to provide a secure and private sharing of incident data elements with the law enforcement and criminal justice community and bring together disparate databases in a seamless and simple integration of existing software programs at a minimal expense. By not creating a data "warehouse", except for a small role-based number of individuals, critical privacy information is not extracted or stored from any system and data continues to be "owned" and controlled by each respective agency or system. As a result, privacy concerns remained minimal and were addressed by utilizing standard and proven access controls and existing user agreements. Auditing by DCJS will ensure proper utilization of VJISS, and MOUs with participating agencies will clarify each participant's specific responsibilities.

Responsible Officials

Commissioner, Vermont Department of Public Safety
Director, Division of Criminal Justice Services
VJISS Steering Committee

Page 34: Privacy Protections - SEARCH | The National Consortium … · 2016-10-17 · ... location and incident location information from the ... contributing CAD/RM systems and does not store

NUMBER: ADM-P-12

MICHIGAN DEPARTMENT OF STATE POLICE

CRIMINAL JUSTICE INFORMATION CENTER

DATE: 02/01/09

Page 1 of 8

Policy FinalPrivacyPolicy.doc

SUBJECT: Privacy Policy

PURPOSE: To establish data security standards and practices for the protection of the Statistical Records Division's (SRD) sensitive or confidential data or data processed by a SRD owned application, system or database from unauthorized access or disclosure.

RESOURCES:
Social Security Number Privacy Act, MCL 445.84
Freedom of Information Act, MCL 15.231 et seq
Identity Theft Protection Act, MCL 445.61 et seq
State of Michigan Operating Procedure on breach of Personal Information Incidents
LEIN Policy Council Act, MCL 28.214
MDIT Cybersecurity.com

Information that is originated, entered, processed, transmitted, sorted and disposed of within the Statistical Records Division is considered to be SRD data. Any person who sees, uses, processes, transmits, stores or destroys SRD information is responsible for its protection. Everyone's diligence in safeguarding SRD information reduces the chance of it falling into the wrong hands and possibly resulting in personal or legal damages.

AUTHORITY TO COLLECT DATA

The Michigan State Police are mandated by state and/or federal statutes to collect certain information relevant to the criminal justice system. Many of the repositories for the collected information are established within the Criminal Justice Information Center, Statistical Records Division. Data collected may only be used for criminal justice purposes. SRD employees have access to information about individuals that must only be used while performing official, work related functions. Several state and federal laws govern such information and use various definitions when referring to it.

• Personal identifying information (PII) means a name, number, or other information that is used for the purpose of identifying a specific person, including, but not limited to, name, address, telephone number, driver license or state personal identification number, and social security number.

• Personal information, which is defined and used in Michigan's Identity Theft Protection Act, is the first name or first initial and last name linked to at least one of the following data elements:

1. Social Security Number (SSN)
2. Driver license or State personal identification card number
3. Financial account information in combination with any required security code, password, or access code.

• Sensitive: Other sensitive data contained in SRD databases, although personal, does not specifically meet the above definitions (e.g. descriptions of criminal acts committed upon a victim, photographs with no specific identifiers contained in them). This information must still be treated as confidential by SRD employees.

The following requirements apply to all personal identifying information and personal information as well as confidential and sensitive data.

REQUIREMENTS

• Access to applications, systems, utilities or databases which allow access to confidential or sensitive data is limited to authorized users.

• A confidentiality agreement must be signed by each employee, vendor and temporary employee who will access SRD confidential or sensitive data. (Attachment 1)

• All agencies and organizations that receive SRD data containing any personal, non-public information must sign an agreement to protect SRD data.

• No confidential data may be divulged to an unauthorized person. An individual is authorized to receive confidential data if they are a SRD employee that needs the information for work related purposes; they represent an organization or agency that has signed a confidentiality agreement; or have a legal basis to receive the information.

• Employees must protect social security numbers of individuals consistent with the Social Security Number Privacy Act. Social security numbers may not be displayed on computer screens if the screen is visible to unauthorized individuals. (Attachment 2)


• Original and back-up copies of confidential and sensitive data must be stored in a secure location.

• Passwords must be kept confidential and not shared with other individuals.

• All SRD data must be handled responsibly. No data which includes personal information should be left in areas where non-SRD employees may have access (e.g. conference rooms, break rooms).

• Security of portable computers must be ensured by locking of PCs when not in use.

• Sensitive and confidential material must be disposed of in accordance with SRD disposal guidelines (See “Data Disposal Procedures” below).

• Data must be retained in accordance with the SRD retention schedule or applicable statutes.

• Any computer equipment being returned to MDIT must be done so through an SRD computer liaison who will ensure that MDIT properly sanitizes the equipment.

• All SRD laptops must be protected and used in compliance with the laptop use guidelines. (Attachment 3)

• Employees must immediately notify their supervisor/manager of any potential breach of security. See Potential Security Breach section below.

COMPLIANCE All SRD employees must adhere to this policy, including all attachments, while in the performance of their duties. Intentional release of privacy information not in accord with this policy or noncompliance with this policy and its attachments may result in disciplinary action against the individual(s). Release of certain information, in violation of state or federal law, may also subject the individual to criminal prosecution and civil liability.


DATA ACCURACY AND CORRECTION OF DATA

Data quality must be maintained in order to ensure that inaccurate information is not collected, stored, or disseminated. Inaccurate information may lead to public criticism upon release of the information, even if the release was appropriate. SRD database managers shall internally monitor data quality on an ongoing basis and task their employees to do the same. Each section will implement a process for correcting or removing inaccurate data.

MERGING OF DATA

Any time data from one application is merged with another, the data shall be validated. If an error is identified, the source agency shall be notified of the error and a correction made.

ACCESS TO SRD RECORDS

1. ACCESS TO PERSONAL RECORDS

a) A person has the right to receive a copy of any record maintained by SRD that pertains to him or herself under the Freedom of Information Act (FOIA), MCL 15.231 et seq. This copy will be furnished in accordance with all applicable laws, statutes and regulations. The social security number will be removed consistent with the Social Security Number Privacy Policy (Attachment 2). Reasonable fees for the search, copying, and mailing may be assessed as permitted by law.

b) An attorney may receive a copy of a record pertaining to a client, provided the request is made under FOIA on business letterhead and includes a statement of representation. An attorney may also receive a copy by serving a valid subpoena. Copies will be furnished in accordance with all applicable laws, statutes and regulations. Reasonable fees for the search, copying, and mailing may be assessed as permitted by law.

2. ACCESS TO SRD RECORDS BY A THIRD PARTY

a) A third party may request a copy of any record maintained by SRD through the Freedom of Information Unit. Records will be released in compliance with the FOIA, and all applicable laws, statutes and regulations. Any information that infringes upon the privacy of the subject of the record will be removed as a matter of law. Reasonable fees for the search, copying, and mailing may be assessed as permitted by law.

b) The following information or pairing of information will generally be removed in accordance with this policy:

• Social Security number
• Driver License number
• Name and date of birth
• Name and address
• Information that infringes upon a person's health privacy pursuant to the Health Insurance Portability and Privacy Act (HIPAA).

3. ACCESS TO SRD RECORDS BY THE MEDIA

A member of the media may request a copy of any record maintained by SRD through the FOI Unit. Records will be released consistent with the FOIA and applicable laws, statutes and regulations. Any information that infringes upon the privacy of the subject of the record will be removed as a matter of law. Reasonable fees for the search, copying, and mailing may be assessed as permitted by law. Requests for statistical data only may be directed to section managers and handled at their discretion.

The following information or pairing of information will generally be removed in accordance with this policy:

• Social Security number
• Driver License number
• Name and date of birth
• Name and address
• Information that infringes upon a person's health privacy pursuant to the Health Insurance Portability and Privacy Act (HIPAA).

4. ACCESS TO SRD RECORDS BY A CRIMINAL JUSTICE AGENCY

a) A criminal justice agency may receive access to certain records contained in SRD databases through the MiCJIN portal or through an interface to the database.


b) Criminal justice agencies shall only access SRD database information for approved criminal justice purposes in accordance with an executed MiCJIN Agreement.

c) Criminal justice agencies will be provided with access to records in the normal course of SRD business based on the necessary exchange of information for proper implementation of law enforcement activities.

5. INTERNET ACCESS TO SRD RECORDS

a) Several SRD databases are available for public inquiry on the Internet. A complete listing of the available databases can be found at http://www.michigan.gov/msp

b) SRD databases that require specific information for online inquiries have restricted unredacted dissemination by statute. A list of the statutes by database is available at http://www.michigan.gov/miparentresources

6. ACCESS TO SRD RECORDS FOR RESEARCH PURPOSES

a) Information from SRD databases may be available to researchers upon request and in accordance with any applicable laws and regulations.

b) Requests for research data should be directed to the database manager for each application or his or her designee.

c) Requests for research data shall be denied if not permitted by state or federal law.

d) Data released for statistical research shall have all personal identifiers removed prior to release of the information.

DATA DISPOSAL PROCEDURES

All SRD data, regardless of the format it is in, must be retained in compliance with the SRD Retention Schedule. Care must be taken to protect sensitive and confidential information until it is properly disposed of. Confidential information may be found on:

• Computer printouts
• Fax sheets
• Correspondences
• Post-it notes
• Computer discs
• Scratch paper
• Forms
• DVDs

Materials containing sensitive or confidential material must not be discarded in waste baskets, trash, or the usual recycling receptacle found in work areas or adjacent areas. All documents containing sensitive and confidential information must either be personally shredded by the employee, or placed in a secured shred/recycle bin. Employees who have access to a shredder should use it to dispose of small amounts of paper documents. In the absence of a shredder, employees may keep a box or other container in their office for documents that will later be placed in secure bins. Such boxes or containers must be emptied at the close of business each day, prior to the employee's departure.

Data stored on other forms of media (CDs, DVDs) must be placed in specifically designated destruction bins. These bins are clearly marked and must also be kept locked. As with paper media, employees may accumulate these items and dispose of them daily at the close of business.

INCIDENTS

An incident is an event threatening some aspects of physical or financial security, when financial resources or items valued at $100 or more are missing or misused, any event violating confidentiality or privacy of information, or any event involving unauthorized or unlawful activity. Examples of incidents include missing computer equipment containing non-personal information or a missing briefcase that does not contain personal information.

A material incident involves confidential information. For example, a missing laptop containing SRD confidential or sensitive information would be considered a material incident. An incident becomes a security breach when an unauthorized person gains access to or acquires unencrypted or unredacted personal information.

POTENTIAL SECURITY BREACH

All employees must be familiar with the procedure to handle a material incident that is a potential security breach. The steps that must be followed are outlined below:

1. The employee must immediately notify his/her immediate supervisor/manager. If unavailable, the employee must notify the next available manager in the chain of command. All information regarding the incident must be provided to the supervisor/manager at the time of notification.

2. The supervisor/manager notifies the assistant division director and the division director, and completes as completely as possible Parts 1 and 2 of the Incident Report (Attachment 4).


3. The division director/assistant director notifies the Bureau commander within 24 hours of discovering the potential breach.

4. The Bureau Commander, or designee, performs an initial assessment and determines if the potential breach requires further investigation.

5. If further investigation is warranted, and the incident occurred before 5:00pm, the Bureau commander or designee contacts our MDIT Agency IO and the MDIT Chief Information Security Officer (CISO)/MDIT Office of Enterprise Security (OES) for assistance.

6. If the incident occurred after 5:00 pm, the Bureau commander or designee calls the DIT Client Service Center and submits a remedy ticket within 24 hours of notification of the potential breach. Such notification must include: date and time of potential breach, contact person name and phone number, type of data involved, device the data is stored on.

7. The OES will initiate an investigation to determine the nature and scope of the incident and provide a preliminary finding to the Bureau commander within 24 hours of the CISO being informed or receiving the remedy ticket.

8. If after reasonable investigation, the Bureau commander determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to one or more residents of Michigan, the incident is documented. A review of internal controls must be completed to ensure integrity, security and confidentiality in the future.

9. If after reasonable investigation, the Bureau Commander determines that the security breach has or is likely to cause substantial loss or injury to, or result in identity theft with respect to one or more residents of Michigan, the Bureau Commander informs the Director of the scope of the breach. The Director shall:

a. Immediately contact the Governor's Communications Office to plan a response to the media.
b. Immediately contact other agencies potentially affected (e.g. Dept. of State, Dept. of Corrections).
c. Compose the appropriate notice of breach response to the affected person or party in compliance with the State of Michigan guidelines and subsection 12 of the Identity Theft Protection Act, PA 566 of 2006, without unreasonable delay.

10. The Division director, or designee, completes Part 3 of the Incident Report.


Attachment 2 ADM-P-12 02/09


SOCIAL SECURITY NUMBER PRIVACY

REFERENCE: Social Security Number Privacy Act, MCL 445.81 et seq
RESOURCES: Social Security Number Privacy Act, MCL 445.84 et seq

The Statistical Records Division (SRD) adopts this Social Security Privacy Policy, pursuant to MCL 445.84 (Social Security Number Privacy Act). This policy applies to all SRD employees. SRD will ensure, to the extent possible, the confidentiality of Social Security Numbers (SSNs) it holds. SSNs shall not be disclosed outside of SRD, except as authorized by law.

According to the Act, public display means "to exhibit, post, or make visible or set out for open view, including, but not limited to, open view on a computer device, computer network, website, or other electronic medium or device to members of the public or in a public manner."

Access to information or documents that contain SSNs is limited to those who require access to conduct SRD business, and information shall be used solely for that purpose. SRD employees who have access to databases that include social security numbers must be sure to protect the confidentiality of those numbers when being viewed on a computer screen. Only the last four digits of a SSN shall be publicly displayed, used as a password or identifier, or included in or on any document sent outside of SRD, except as authorized by law.

SRD is authorized to mail a document or information that includes the social security number under the following circumstances:

1. The document or information is a copy of a vital record and is mailed by or at the request of the individual whose SSN appears in the document or information, or his or her parent or legal guardian [MCL 445.83(1)(g)(v)].

2. The document or information is a public record and is mailed in compliance with the Freedom of Information Act [MCL 12.231 et seq; MCL 445.83 (1)(g)(iv)A)].

3. The document is sent as part of an application or enrollment process that is initiated by the individual [MCL 445.83(1)(g)(ii)].

Violation of this policy may result in discipline, up to and including discharge. In addition, anyone who violates the Social Security Number Privacy Act may be subject to fines, imprisonment, or both.
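The release rules in ACCESS TO SRD RECORDS (the third-party and media lists: SSN, driver license number, name paired with date of birth, name paired with address, and health information are removed) and the last-four-digits display rule of this attachment can be expressed as one redaction routine with a pre-release check. The following Python is an added example written for this page, not code from the Michigan State Police or SRD. The record field names (`ssn`, `driver_license_number`, `date_of_birth`, `address`, `health_information`), the audience labels, and the choice to drop the linked element rather than the name when a pairing must be removed are all assumptions; the sample record is constructed.

```python
import re
from typing import Any, Dict, List

# Assumed field names: the policy names the data elements, not record keys.
ALWAYS_REMOVED = {"ssn", "driver_license_number", "health_information"}
# Elements the policy treats as a prohibited "pairing" when linked to a name.
LINKED_TO_NAME = {"date_of_birth", "address"}

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Jane Q. Sample",
    "date_of_birth": "1970-01-01",
    "address": "1 Example Street, Lansing",
    "ssn": "123-45-6789",
    "driver_license_number": "S000 000 000 000",
    "health_information": "treated at hospital after incident",
    "incident_type": "larceny",
    "incident_date": "2009-01-15",
}


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits, the most the attachment allows to be displayed."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


def redact_for_release(record: Dict[str, Any], audience: str) -> Dict[str, Any]:
    """Return a redacted copy of `record` for one audience (labels are assumptions).

    "subject"  - FOIA copy to the person the record is about: only the SSN
                 is removed (section 1.a).
    "public"   - third-party or media release (sections 2.b and 3): SSN,
                 driver license number and health information are removed,
                 and DOB/address are removed whenever a name is present.
    "internal" - on-screen use by an authorised SRD employee: the SSN is
                 masked to its last four digits.
    """
    out = dict(record)  # never mutate the stored record
    if audience == "subject":
        out.pop("ssn", None)
    elif audience == "public":
        for field in ALWAYS_REMOVED:
            out.pop(field, None)
        if out.get("name"):  # a name alone may stay; its pairings may not
            for field in LINKED_TO_NAME:
                out.pop(field, None)
    elif audience == "internal":
        if "ssn" in out:
            out["ssn"] = mask_ssn(out["ssn"])
    else:
        raise ValueError(f"unknown audience: {audience!r}")
    return out


def public_release_violations(released: Dict[str, Any]) -> List[str]:
    """Pre-release check: list every rule a prepared public copy still breaks."""
    problems = [f"{f} present" for f in sorted(ALWAYS_REMOVED) if f in released]
    if released.get("name"):
        problems += [f"name paired with {f}" for f in sorted(LINKED_TO_NAME) if f in released]
    return problems


if __name__ == "__main__":
    for audience in ("subject", "public", "internal"):
        print(audience, redact_for_release(SAMPLE_RECORD, audience))
    print("violations in raw record:", public_release_violations(SAMPLE_RECORD))
```

The separate `public_release_violations` check is deliberate: redaction and verification are kept apart so that a copy prepared by any other path (a manual FOIA response, an export from another tool) can be screened against the same rule set before it leaves the division.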


Hawaii Integrated Justice Information Sharing (HIJIS)

Liane Moriyama, Administrator Hawaii Criminal Justice Data Center Department of the Attorney General

SEARCH Membership Meeting Washington DC, November 16, 2009


Hawaii Integrated Justice


HIJIS Mission & Vision

HIJIS Mission Collaborative and coordinated decision-making, planning and implementation among justice agencies and relevant partners for the fair, efficient and effective operation of the justice system.

HIJIS Vision Statewide services via a common architecture to improve public safety and homeland security by securely and efficiently sharing appropriate justice and non-justice information both locally and nationally while respecting citizens’ privacy.


The HIJIS Vision (architecture diagram; only its labels survive extraction)

HIJIS Broker
•  Common interface between justice systems
•  Facilitates federated query function
•  Message routing with guaranteed delivery
•  Adheres to GJXDM/NIEM open standards
•  Transports messages using push/pull, publish/subscribe
•  Built using Service Oriented Architecture

Broker components shown: Web-based User Interface (enterprise query functions, e-mail, notifications & alerts, wireless access); Tools (system admin, monitoring & management, business process mgmt, security, auditing); Message Gateway; Repository (business process maps, schemas/IEPDs, transformation maps).

Participants shown: Law Enforcement, Courts, HCJDC, Probation, Intake Service Centers, Dept of Public Safety, Prosecutor, Non-Justice Agencies, Other Justice Agencies (VINES, JJIS, Fusion Center, Federal (FBI/DHS), Military), NCIC, Nlets.

Connected systems shown: Drivers License, Human Services, Health, Missing Child, DOT (Traffic); CJIS Hawaii, AFIS, Sex Offender, Wants/Warrants, Firearms; HAJIS, District Court, JIMS; Local RMS, Green Box, Booking; Case Management Systems; Offender Mgmt System; Parole Case Mgmt System.


HIJIS Design Principles

•  Data captured once at originating point and used many times

•  Agencies retain the right to design and operate IT systems for their internal needs

•  Agencies continue to be owners/custodians of the information they exchange

•  Need to ensure secure information-sharing capabilities


Challenges Moving Forward

•  Privacy impact assessment (PIA) of integrated justice information systems – how do we accomplish?
   –  Not a traditional system or database, but a framework

•  Privacy protections are diminishing for paper-based information sharing
   –  Technology brings changes
   –  Technology outpacing existing statutes

•  Incremental development focused on criminal justice agencies working within current parameters/policies
   –  Will expand to non-criminal justice agencies and the general public


Challenges Moving Forward

•  Start with these exchanges and build on the PIA:
   –  Federated Query
      •  Access to non-criminal justice databases such as driver's licenses, state identification cards, etc.
      •  Commercial harvesters and consolidators
      •  Public access
   –  Subscription/Notification
      •  Non-criminal justice agencies including, e.g., departments of education, human services, health
      •  Public access


NGA Privacy Policy Academy: HIJIS Approach

•  Scoping
   –  Review information sharing requirements: Revisit strategic plan to ensure that process complies with goals, objectives and outcomes anticipated/expected by stakeholders/users
   –  Evaluate governing statutes, policies, and practices of all participants

•  PIA template
   –  Privacy team drafting HIJIS template
   –  Focus on individual exchanges and builds
   –  Conduct PIA with agencies involved in exchange


NGA Privacy Policy Academy: HIJIS Approach

•  Analysis
   –  Evaluate data ownership/responsibilities
   –  Legal requirements
   –  Identify privacy challenges and gaps
   –  Define privacy policy boundaries
   –  Establish breach notification policy/procedure

•  Input
   –  Solicit and incorporate input of HIJIS stakeholders and intended users


NGA Privacy Policy Academy: HIJIS Approach

•  Write
  –  Draft policy
  –  Identify/incorporate any legislative changes

•  Review
  –  Draft with HIJIS governance
  –  With a broad range of interest groups, e.g., ACLU, other privacy advocates, concerned local citizens
  –  Incorporate feedback into privacy policy if appropriate


NGA Privacy Policy Academy: HIJIS Approach

•  Monitor/Revise
  –  Develop process to monitor privacy policy effectiveness
  –  Process should include method to revise policy to reflect changing expectations, new legislation, policy gaps identified through monitoring


Questions?


HIJIS PIA: HIP Project 1/19/2010 Page 1 of 16

HIJIS Privacy Impact Assessment

Section 1 Introduction and Background

The HIJIS Program envisions statewide services via a common architecture to securely and efficiently share appropriate information, both locally and nationally, for justice and non-justice purposes, for improved public safety and homeland security, while respecting the privacy of citizens. HIJIS is not envisioned as a comprehensive, singular data warehouse that duplicates information agencies already capture, nor as an all-encompassing system that each agency must adopt in lieu of their internal information systems. Rather, HIJIS is envisioned as an information sharing framework that will enable agencies to share information that is already collected and generated in their internal information systems as part of their daily business operations. Additionally, HIJIS is not designed to share all information that an agency may collect, generate and use, but only that information that is appropriate, according to information sharing business rules the agencies themselves collectively define, consistent with privacy and confidentiality policies and statutes.

Section 2 Detailed information regarding the specific exchange(s) addressed by this PIA

This PIA covers information sharing associated with the Horizontal Integration Pilot (HIP) Project.

a) Overview of the exchange:

The HIP project was designed to demonstrate the ability and value of implementing an automated information sharing framework that will enable real-time sharing of critical information at key decision points between relevant justice agencies throughout Hawaii County. The pilot has been expanded and is now available to all counties throughout the state. Booking information captured by the law enforcement agencies in Hawaii is electronically sent to the Green Box booking database, and is then electronically transferred to other relevant justice agencies (i.e., Intake Service Centers, Prosecutors, Judiciary, Community Correctional Centers), thereby immediately notifying them of the status of the case and obviating their need to re-enter the same information into their internal agency information systems. Additional functionality contemplated down the line may enable automated notification of arrest to authorized users (e.g., notification to a supervising Probation/Parole Officer of the arrest of a person assigned to their caseload), real-time exchange of subsequent legal actions and events (e.g., electronic exchange of court dispositions between the Judiciary and law enforcement, prosecution and correctional officials), and enterprise-wide federated query capabilities.


b) Detailed information regarding the nature of the actual exchange (agencies involved, triggering events, data content/payload, source/contributing agencies/systems, conditions, etc.).

Information from the OBTS/CCH Arrest Report1 is transmitted to HIJIS2 from the state’s Green Box booking database, where it is transformed into Global Justice XML Data Model (GJXDM)-compliant standards.3 Applying business rules that have been defined and documented in the Hawaii JIEM database, HIJIS pushes relevant arrest and booking information to the Intake Service Centers (ISC) to identify persons apprehended and held in custody and, therefore, requiring pre-trial assessment prior to initial court appearance. ISC receives the relevant arrest and booking data, which (after it has been validated) is incorporated into their case management information system, obviating their need to reenter information already automated by the booking agency. ISC thereafter augments case information regarding the arrested party after they have completed their pre-trial interview with the defendant and produces the Pretrial Bail Report for the court. Similarly, relevant information from the OBTS/CCH Arrest Report is transmitted by HIJIS to Prosecutors, the Judiciary, and Community Correctional Centers to initiate case files, support creation of charging documents, court schedules and other relevant legal proceedings, as well as correctional intake, should the defendant remain in custody pending trial and begin serving a confinement sentence.4

1 The actual data content/payload of the OBTS/CCH Arrest Report is detailed in Appendix A of this document.

2 The HIP project utilized an Integrated Justice Information Sharing (IJIS) Broker to exchange information among participating agencies in the pilot project environment, but this technology will not support HIJIS in the long term. Since implementation of the HIP project, Hawaii has completed and published the HIJIS Strategic Plan and the HIJIS Architecture. This PIA reflects the information sharing practices, policies, and technologies of the HIJIS program as defined in these two foundation documents, as well as current operations.

3 While existing exchanges in the HIP pilot are GJXDM-compliant, the HIJIS Architecture calls for using National Information Exchange Model (NIEM) standards (which incorporate and extend GJXDM standards), which are being implemented.

4 It should be noted that the HIP project initially implemented information sharing with Police, Prosecutors, the Judiciary, Community Corrections Centers (CCC), and the Intake Service Center (ISC) only in Hawaii County. With successful implementation among initial participating agencies, and given the statewide operation of the Green Box booking system and case management systems supporting CCC and ISC, information sharing is presently operating statewide with Police, CCC and ISC. HIP continues to support information sharing with the Hawaii County Prosecutor and the Judiciary in Third Circuit; plans are presently underway to begin information sharing with other Prosecutors throughout the State as well as all Judicial circuits.


All agencies continue to operate their own information systems and data is exchanged using eXtensible Mark-up Language (XML) standards developed and approved by the U.S. Department of Justice and the Hawaii Criminal Justice Data Center.

c) What specific legal authorities, arrangements, and/or agreements authorize the collection/sharing of this information?

HIJIS:

HCJDC: HRS §846-3 requires Hawaii arresting agencies to share information with the Hawaii Criminal Justice Data Center.5

Police:
Hawaii County Pros:
Judiciary:
ISC:
CCC:

Section 3 Uses of the System and the Information

a) Uses of the information.

HIJIS: As presently configured HIJIS operates simply to share information with authorized users for authorized purposes without retaining and/or compiling the core data.

HCJDC: Arrest information obtained from the OBTS/CCH Arrest Report populates CJIS-Hawaii (the Computerized Criminal History--CCH), which is used to provide criminal history record information to authorized agencies. In addition, the information is shared with the FBI according to statutory provisions of the National Crime Prevention and Privacy Compact.6

Police: Arrest and booking information reported in the OBTS/CCH Report is originated by law enforcement agencies as part of their standard operating procedures in documenting the arrest of the record subject.

Hawaii County Pros: Uses the basic arrest information for case initiation and review.

Judiciary: Uses the basic arrest information for case initiation.

ISC: Uses the basic arrest information for case initiation.

5 HRS §846-3. Reporting to data center. The chiefs of the police of the counties of the State and agencies of state and county governments having power of arrest shall furnish the data center with descriptions of all such persons who are arrested by them for any felony or misdemeanor, or as fugitives from the criminal justice system of another jurisdiction, or for any offense declared by rule or regulation promulgated by the attorney general to be a significant offense necessary to be reported for the proper administration of criminal justice. The data center shall in all appropriate cases forward necessary identifying data and other information to the system maintained by the Federal Bureau of Investigation. [L 1979, c 129, pt of §2]

6 See HRS §846C-1 for detailed information regarding the National Crime Prevention and Privacy Compact.


CCC: Uses the basic arrest information for case initiation.

b) Does your system analyze data to assist users in identifying previously unknown areas of note, concern, or pattern?

HIJIS: No. As presently configured, HIJIS operates simply to share information with authorized users for authorized purposes without retaining and/or compiling the core data or enabling users to perform any analysis or data mining.

HCJDC: No. As presently configured, the system is designed to provide detailed information regarding individual persons and their longitudinal history of involvement in the criminal justice system. Users are not able to analyze data to identify patterns or other areas of note or concern.

Police: No
Hawaii County Pros: No
Judiciary: No
ISC: No
CCC: No

c) How will this information be checked for accuracy?

HIJIS: OBTS/CCH Arrest Report information is captured either directly through data entry into the Green Box Booking system (for law enforcement agencies without any other automated booking capabilities) or by data exchange with the law enforcement agencies’ internal booking system. In either event, edits are applied to the collection and reporting of information to ensure accurate and complete reporting, insofar as the systems are capable of applying logical data edits and minimum data reporting requirements are met.

HCJDC: As CJIS-Hawaii receives information from other agencies in the criminal justice process, information (charges, report numbers, etc.) is cross-checked with the arrest information. Discrepancies are reconciled with the arresting agency.

Police: OBTS/CCH Arrest Report information is captured either directly through data entry into the Green Box Booking system (for law enforcement agencies without any other automated booking capabilities) or by data exchange with the law enforcement agencies’ internal booking system. In either event, edits are applied to the collection and reporting of information to ensure accurate and complete reporting, insofar as the systems are capable of applying logical data edits and minimum data reporting requirements are met.

Hawaii County Pros: Arrest information pushed from HIJIS will be verified by subsequent comparison with original source documents, which contribute to the official case record, and by subsequent internal data collection activities as part of the standard operating procedures of the agency.

Judiciary: Arrest information pushed from HIJIS will be verified by subsequent comparison with original source documents, which contribute to the official case record, and by subsequent internal data collection activities as part of the standard operating procedures of the agency.

ISC: Arrest information pushed from HIJIS will be verified by subsequent comparison with original source documents, which contribute to the official case record, and by subsequent internal data collection activities as part of the standard operating procedures of the agency.

CCC: Arrest information pushed from HIJIS will be verified by subsequent comparison with original source documents, which contribute to the official case record, and by subsequent internal data collection activities as part of the standard operating procedures of the agency.

d) What is the retention period for this data?

HIJIS: As previously noted, HIJIS is the data sharing framework. HIJIS does not retain the core information, but only that information necessary for proper receipt, efficient and effective delivery, appropriate safeguards, business rules, data transformation, etc.

HCJDC: Information in Green Box is currently purged on an as-needed basis; information that is shared with CJIS-Hawaii is kept indefinitely.

Police: Original police incident, arrest and booking information is retained indefinitely by the originating agency.

Hawaii County Pros:
Judiciary:
ISC:
CCC:

Section 4 Sharing and Disclosure of Information

a) Will this information be shared with any other agencies/departments, organizations, or the public? If so, with which agencies/departments is the information shared?

Arrest and disposition information is shared and/or disclosed to three separate categories of users, depending on statutory authorization and purpose: 1) criminal justice agencies and authorized users, 2) other governmental agencies and licensing authorities, and 3) the general public. Since the provisions vary substantially among these different user categories, each is separately addressed below.

Criminal Justice Agencies/Users:


HCJDC: Through CJIS-Hawaii rap sheets, this information is shared with other authorized agencies.7

Police: [Police usually DO report arrest information and this information is typically considered public information. Not all of the data, however, is openly available to the public. We will need to look at public records law for Hawaii to determine what information is public. In addition, we will need to look at agency policy and practice, as some arrest information will not be made public for investigative reasons, as well as to protect the identity of juveniles.]

Hawaii County Pros:
Judiciary:
ISC:
CCC:

Other Governmental Agencies and Licensing Authorities:

HCJDC: Criminal history record information is statutorily authorized for select government agencies and licensing authorities to ensure public safety in providing services and in dealing with vulnerable populations.8

Police: [Police usually DO report arrest information and this information is typically considered public information. Not all of the data, however, is openly available to the public. We will need to look at public records law for Hawaii to determine what information is public. In addition, we will need to look at agency policy and practice, as some arrest information will not be made public for investigative reasons, as well as to protect the identity of juveniles.]

7 §846-9 Limitations on dissemination. Dissemination of nonconviction data shall be limited, whether directly or through any intermediary, only to:

(1) Criminal justice agencies, for purposes of the administration of criminal justice and criminal justice agency employment;

(2) Individuals and agencies specified in section 846-10;

(3) Individuals and agencies pursuant to a specific agreement with a criminal justice agency to provide services required for the administration of criminal justice pursuant to that agreement; provided that such agreement shall specifically authorize access to data, limit the use of data to purposes for which given, and insure the security and confidentiality of the data consistent with the provisions of this chapter;

(4) Individuals and agencies for the express purpose of research, evaluative, or statistical activities pursuant to an agreement with a criminal justice agency; provided that such agreement shall specifically authorize access to data, limit the use of data to research, evaluative, or statistical purposes, and insure the confidentiality and security of the data consistent with the purposes of this chapter;

(5) Individuals and agencies for any purpose authorized by statute, ordinance, executive order, or court rule, decision, or order, as construed by appropriate state or local officials or agencies; and

(6) Agencies of state or federal government which are authorized by statute or executive order to conduct investigations determining employment suitability or eligibility for security clearances allowing access to classified information.

These dissemination limitations do not apply to conviction data. These dissemination limitations also do not apply to data relating to cases in which the defendant is acquitted, or charges are dismissed, by reason of physical or mental disease, disorder, or defect under chapter 704. Criminal history record information disseminated to noncriminal justice agencies shall be used only for the purposes for which it was given. No agency or individual shall confirm the existence or nonexistence of criminal history record information to any person or agency that would not be eligible to receive the information itself. [L 1979, c 129, pt of §2; am L 1996, c 116, §2]

8 §846-2.7 Criminal history record checks. (a) The agencies and other entities named in subsection (b) may conduct state and national criminal history record checks on the personnel identified in subsection (b), for the purpose of determining suitability or fitness for a permit, license, or employment; provided that the Hawaii criminal justice data center may charge a reasonable fee for the criminal history record checks performed. The criminal history record check shall include the submission of fingerprints to:

(1) The Federal Bureau of Investigation for a national criminal history record check; and

(2) The Hawaii criminal justice data center for a state criminal history record check that shall include nonconviction data.

Criminal history record information shall be used exclusively for the stated purpose for which it was obtained.

(b) Criminal history record checks may be conducted by:

(1) The department of health on operators of adult foster homes or developmental disabilities domiciliary homes and their employees, as provided by section 333F-22;

(2) The department of health on prospective employees, persons seeking to serve as providers, or subcontractors in positions that place them in direct contact with clients when providing non-witnessed direct mental health services as provided by section 321-171.5;

(3) The department of health on all applicants for licensure for, operators for, and prospective employees, and volunteers at one or more of the following: skilled nursing facility, intermediate care facility, adult residential care home, expanded adult residential care home, assisted living facility, home health agency, hospice, adult day health center, special treatment facility, therapeutic living program, intermediate care facility for the mentally retarded, hospital, rural health center and rehabilitation agency, and, in the case of any of the above-related facilities operating in a private residence, on any adult living in the facility other than the client as provided by section 321-15.2;

(4) The department of education on employees, prospective employees, and teacher trainees in any public school in positions that necessitate close proximity to children as provided by section 302A-601.5;

(5) The counties on employees and prospective employees who may be in positions that place them in close proximity to children in recreation or child care programs and services;

(6) The county liquor commissions on applicants for liquor licenses as provided by section 281-53.5;

(7) The department of human services on operators and employees of child caring institutions, child placing organizations, and foster boarding homes as provided by section 346-17;

(8) The department of human services on prospective adoptive parents as established under section 346-19.7;

(9) The department of human services on applicants to operate child care facilities, prospective employees of the applicant, and new employees of the provider after registration or licensure as provided by section 346-154;

(10) The department of human services on persons exempt pursuant to section 346-152 to be eligible to provide child care and receive child care subsidies as provided by section 346-152.5;

(11) The department of human services on operators and employees of home and community-based case management agencies and operators and other adults, except for adults in care, residing in foster family homes as provided by section 346-335;

(12) The department of human services on staff members of the Hawaii youth correctional facility as provided by section 352-5.5;

(13) The department of human services on employees, prospective employees, and volunteers of contracted providers and subcontractors in positions that place them in close proximity to youth when providing services on behalf of the office or the Hawaii youth correctional facility as provided by section 352D-4.3;

(14) The judiciary on employees and applicants at detention and shelter facilities as provided by section 571-34;

(15) The department of public safety on employees and prospective employees who are directly involved with the treatment and care of persons committed to a correctional facility or who possess police powers including the power of arrest as provided by section 353C-5;

(16) The department of commerce and consumer affairs on applicants for private detective or private guard licensure as provided by section 463-9;

(17) Private schools and designated organizations on employees and prospective employees who may be in positions that necessitate close proximity to children; provided that private schools and designated organizations receive only indications of the states from which the national criminal history record information was provided as provided by section 302C-1;

(18) The public library system on employees and prospective employees whose positions place them in close proximity to children as provided by section 302A-601.5;

(19) The State or any of its branches, political subdivisions, or agencies on applicants and employees holding a position that has the same type of contact with children, vulnerable adults, or persons committed to a correctional facility as other public employees who hold positions that are authorized by law to require criminal history record checks as a condition of employment as provided by section 78-2.7;

(20) The department of human services on licensed adult day care center operators, employees, new employees, subcontracted service providers and their employees, and adult volunteers as provided by section 346-97;

(21) The department of human services on purchase of service contracted and subcontracted service providers and their employees serving clients of the adult and community care services branch, as provided by section 346-97;

(22) The department of human services on foster grandparent program, retired and senior volunteer program, senior companion program, and respite companion program participants as provided by section 346-97;

(23) The department of human services on contracted and subcontracted service providers and their current and prospective employees that provide home and community-based services under Section 1915(c) of the Social Security Act (Title 42 United States Code Section 1396n(c)), or under any other applicable section or sections of the Social Security Act for the purposes of providing home and community-based services, as provided by section 346-97;

(24) The department of commerce and consumer affairs on proposed directors and executive officers of a bank, savings bank, savings and loan association, trust company, and depository financial services loan company as provided by section 412:3-201;

(25) The department of commerce and consumer affairs on proposed directors and executive officers of a nondepository financial services loan company as provided by section 412:3-301;

(26) The department of commerce and consumer affairs on the original chartering applicants and proposed executive officers of a credit union as provided by section 412:10-103;

(27) The department of commerce and consumer affairs on: (A) Each principal of every non-corporate applicant for a money transmitter license; and (B) The executive officers, key shareholders, and managers in charge of a money transmitter's activities of every corporate applicant for a money transmitter license, as provided by section 489D-9; and

(28) Any other organization, entity, or the State, its branches, political subdivisions, or agencies as may be authorized by state law.

(c) The applicant or employee subject to a criminal history record check shall provide to the requesting agency:

1. Consent to obtain the applicant's or employee's fingerprints and conduct the criminal history record check;

2. Identifying information required by the Federal Bureau of Investigation which shall include but not be limited to name, date of birth, height, weight, eye color, hair color, gender, race, and place of birth; and

3. A statement indicating whether the applicant or employee has ever been convicted of a crime. [L 2003, c 95, §7; am L 2004, c 10, §12 and c 79, §6; am L 2006, c 131, §2 and c 220, §5; am L 2008, c 136, §7, c 154, §28, c 195, §15, and c 196, §11]

Hawaii County Pros:
Judiciary:
ISC:
CCC:

The General Public:

HCJDC: If the arrest resulted in a conviction, the public can view the following authorized information via e-Crim [https://ecrim.ehawaii.gov]: name, AKAs, year of birth, height, weight, hair color, eye color, gender, mugphoto (if available), final charge (which could be the same as the arrest charge), arrest report number, case number, conviction/sentence information.

Police: [Police usually DO report arrest information and this information is typically considered public information. Not all of the data, however, is openly available to the public. We will need to look at public records law for Hawaii to determine what information is public. In addition, we will need to look at agency policy and practice, as some arrest information will not be made public for investigative reasons, as well as to protect the identity of juveniles.]

Hawaii County Pros:
Judiciary:
ISC:
CCC:

b) For each recipient, what information is shared, and for what purpose?

Criminal Justice Agencies/Users:

HCJDC: CJIS-Hawaii rap sheets are accessed by other authorized agencies for criminal justice operations.

Police:
Hawaii County Pros:
Judiciary:
ISC:
CCC:

Other Governmental Agencies and Licensing Authorities:

HCJDC: Authorized non-criminal justice agencies access this information for employment and licensing purposes.

Police:
Hawaii County Pros:
Judiciary:
ISC:
CCC:

The General Public:

HCJDC: The public can view certain pieces of information as is their right.

Police:
Hawaii County Pros:
Judiciary:
ISC:
CCC:

c) How is the information transmitted or disclosed?

HCJDC: For authorized agencies, through direct terminal access to CJIS-Hawaii; for the public, through eCrim (Internet application).

Police:
Hawaii County Pros:
Judiciary:
ISC:
CCC:

d) Are there any agreements concerning the security and privacy of the data once it is shared?

HCJDC: Yes, all authorized agencies and users sign a security agreement which states that the information in CJIS-Hawaii is confidential and describes limitations on use and access to information and workstation access. The user agrees to a criminal history record check and to abide by any statutes, regulations, rules and policies relating to privacy of information. A copy of the agreement is attached to this document as Appendix B.

Police:
Hawaii County Pros:
Judiciary:
ISC:
CCC:

e) What type of training is required for users from agencies/departments prior to receiving access to the information?


HCJDC: Training is provided to users of CJIS-Hawaii by HCJDC staff. They are shown how to use the system and are told that information should only be used for the purposes of conducting their business. However, at this point in time, training is not required prior to gaining access to the system.

Police:
Hawaii County Pros:
Judiciary:
ISC:
CCC:

f) Are there any provisions in place for auditing the recipients’ use of the information?

HCJDC: No, not at this time.9

Police:
Hawaii County Pros:
Judiciary:
ISC:
CCC:

Section 5 Notice

a) Was any form of notice provided to the individual prior to collection of information? If yes, please provide a copy of the notice as an appendix.

HCJDC: No notice is provided to the individual, as the information collected is part of the development and documentation of the official record.

Police: No notice is provided to the individual, as the information collected is part of the development and documentation of the official record.

Hawaii County Pros: No
Judiciary: No
ISC: No
CCC: No

[9] §846-6 Systematic audit. All criminal justice agencies shall institute a process of data collection, entry, storage, and systematic audit of criminal history record information that will minimize the possibility of recording and storing inaccurate information. Any criminal justice agency which finds that it has reported inaccurate information of a material nature shall forthwith notify all criminal justice agencies known to have received such information. All criminal justice agencies shall:

(1) Maintain for a minimum period of one year a listing of the individuals or agencies both in and outside of the State to which criminal history record information was released, a record of what information was released, and the date such information was released;

(2) Establish a delinquent disposition monitoring system; and

(3) Verify all record entries for accuracy and completeness. [L 1979, c 129, pt of §2].


b) Do individuals have an opportunity and/or right to decline to provide information?

HCJDC: N/A
Police: No
Hawaii County Pros: N/A
Judiciary: N/A
ISC: N/A
CCC: N/A

c) Do individuals have an opportunity to consent to particular uses of the information, and if so, what is the procedure by which an individual would provide such consent?

HCJDC: No; the information is part of the official record of the criminal justice process throughout the State of Hawaii.
Police: No
Hawaii County Pros: No
Judiciary: No
ISC: No
CCC: No

d) What notification procedures are in place to notify record subjects of a breach of security or the unauthorized release of their information?

HCJDC: No procedures are in place at the present time to notify record subjects of a breach of security or unauthorized release of their information.

Police: Hawaii County Pros: Judiciary: ISC: CCC:

Section 6 Individual Access and Redress

a) What are the procedures which allow individuals the opportunity to seek access to or redress of their own information?

HCJDC: Hawaii statutes provide a process for access and review of criminal history record information.[10]

[10] §846-14 Access and review. Any individual who asserts that the individual has reason to believe that criminal history record information relating to the individual is maintained by any information system in this State shall be entitled to review such information for the purpose of determining its accuracy and completeness by making application to the agency operating such system. The applicant shall provide satisfactory identification which shall be positively verified by fingerprints. Rules and regulations promulgated under this section shall include provisions for administrative review and necessary correction of any claim by the individual to whom the information relates that the information is inaccurate or incomplete; provisions for administrative appeal where a criminal justice agency refuses to correct challenged information to the satisfaction of the individual to whom the information relates; provisions for supplying to an individual whose record has been corrected, upon the individual's request, the names of all noncriminal justice agencies to which the data have been given; and provisions requiring the correcting agency to notify all criminal justice recipients of corrected information. The review authorized by this section shall be limited to a review of criminal history record information. [L 1979, c 129, pt of §2; gen ch 1985]

Police: Hawaii County Pros: Judiciary: ISC: CCC:

b) How are individuals notified of the procedures for seeking access to or amendment of their information?

HCJDC: Through the HCJDC official web site [http://hawaii.gov/ag/hcjdc/main/faqs/faqs#nonconviction] individuals are notified that they can review their criminal history information and can challenge the completeness and accuracy of the information. In order to find out how to go about doing this, they would need to contact the HCJDC.

Police: Hawaii County Pros: Judiciary: ISC: CCC:

c) If no opportunity to seek amendment is provided, are any other redress alternatives available to the individual?

HCJDC: N/A
Police: Hawaii County Pros: Judiciary: ISC: CCC:

Section 7 Technical Access and Security

a) Which technical support staff will/do have access to the information?

HIJIS: Technical staff of the HIJIS Center for Excellence (COE) have access to HIJIS. Presently, this includes only technical staff of the HCJDC, though the technical staff will expand as the technical COE is developed and implemented.

HCJDC: HCJDC technical staff assigned to maintain CJIS-Hawaii, Green Box, and the HIJIS program have access to this information.

Police: Hawaii County Pros: Judiciary: ISC: CCC:

b) Will contractors have access to the information? If so, please submit a copy of the contract describing their role with this PIA.

HIJIS: A formal agreement regarding privacy and security, required for all technical staff providing service or having access to HIJIS, will be implemented.

HCJDC: Depending on the work being performed by the contractor, they may have access to this information.

Police: Hawaii County Pros: Judiciary: ISC: CCC:

c) Does the system use “roles” to assign different levels of privileges to users of the information?

HIJIS: [This includes not only technical staff, but other users as well—users, administrators, etc.]
HCJDC: ???
Police: Hawaii County Pros: Judiciary: ISC: CCC:

d) What procedures are in place to determine which users may access the information, and are they documented?

HIJIS:
HCJDC: Potential users are asked to provide statutory references as to their authority to access information; if the HCJDC is unsure, we ask for a legal review by our deputy attorney general. Yes, these procedures are documented.

Police: Hawaii County Pros: Judiciary: ISC: CCC:

e) How are the actual assignments of “roles” and rules verified according to established security and auditing procedures?

HIJIS:
HCJDC: N/A at this time.
Police: Hawaii County Pros: Judiciary: ISC: CCC:

f) What auditing measures and technical safeguards are in place to prevent misuse of data?

HIJIS:
HCJDC: All entry/update/inquiry of information in CJIS-Hawaii and Green Box is logged (user, date, and time) in an audit trail. User logins and passwords are assigned to only authorized users.

Police: Hawaii County Pros: Judiciary: ISC: CCC:

g) Describe what privacy training is provided to users either generally or specifically relevant to the use/access of this information.

HIJIS:
HCJDC: This is covered in the CJIS-Hawaii user training.
Police: Hawaii County Pros: Judiciary: ISC: CCC:

Section 8 Technology

a) Describe how data integrity, privacy, and security were analyzed as part of the decisions made for this information sharing.

HIJIS:
HCJDC: ???


Police: Hawaii County Pros: Judiciary: ISC: CCC:

b) What design choices were made to enhance privacy?

HIJIS:
HCJDC: ???
Police: Hawaii County Pros: Judiciary: ISC: CCC:

Section 9 Privacy Impact Analysis

a) Given the amount and type of information collected/shared, as well as the purpose, discuss what privacy risks were identified and how they were mitigated.

HIJIS: HCJDC: Police: Hawaii County Pros: Judiciary: ISC: CCC:

b) Describe any types of controls that may be in place to ensure that information is handled in accordance with appropriate uses of the system, as previously described.

HIJIS: HCJDC: Police: Hawaii County Pros: Judiciary: ISC: CCC:


The Benefits of Using JIEM to Capture Privacy Requirements 1

Technical Brief

February 2008

SEARCH

The National Consortium for Justice Information and Statistics

The Benefits of Using the Justice Information Exchange Model (JIEM) to Capture Privacy Requirements

By Scott Came, Director, Systems and Technology, SEARCH

SEARCH, with the advice and consent of the Justice Information Exchange Model (JIEM) practitioner steering committee, plans to enhance the JIEM conceptual framework and JIEM software tool to allow JIEM users to capture privacy requirements in the same manner as they capture other information exchange requirements in JIEM. The purpose of this Technical Brief is to identify the benefits of this approach.

Background on JIEM

The JIEM methodology, developed by SEARCH with funding from the Bureau of Justice Assistance, U.S. Department of Justice, provides a structured framework for capturing the essential requirements of information exchange. For each exchange, JIEM identifies who is involved (what agencies/organizations), why the exchange is taking place (business process), when it takes place (business events and conditions), and what information is being exchanged. JIEM also includes reference models, which are the end-product of research to identify common or typical exchange requirements across jurisdictions, and which allow users to incorporate best practices into their own local requirements.

JIEM has been used by more than 100 jurisdictions over the past decade and has an active user base of several hundred practitioner and industry users.

For more information about JIEM, see http://www.search.org/programs/info/jiem.asp.

Background on Privacy

As justice and public safety organizations exchange information, it is essential that they ensure proper protection of privacy and civil liberties. Several key documents from the Global Justice Information Sharing Initiative and Federal partners have emphasized the importance of information privacy. Most recently, the President’s National Strategy for Information Sharing stated:

Protecting the rights of Americans is a core facet of our information sharing efforts. While we must zealously protect our Nation from the real and continuing threat of terrorist attacks, we must just as zealously protect the information privacy rights and other legal rights of Americans. With proper planning we can have both enhanced privacy protections and increased information sharing—and in fact, we must achieve this balance at all levels of government, in order to maintain the trust of the American people.

As the strategy indicates, proper planning—including identification of protected information and documentation of privacy policy rules—is a key step to protecting privacy while meeting the growing needs to share information.

In response to these concerns, the Global Information Quality and Privacy Working Group and the Global Security Working Group formed the Technical Privacy Task Team, which has developed a framework for capturing privacy policy rules.

Proposed Approach to Privacy Requirements Capture in JIEM

SEARCH has completed a preliminary design of an approach to capture privacy requirements in JIEM, and is planning to implement this design in the JIEM conceptual framework and software in 2008. This design is in part a response to the Technical Privacy Task Team’s recommendation that Global leadership and the justice community should “evaluate [the] feasibility of augmenting the SEARCH JIEM Tool to define policy constraints for common information exchanges.” The design also follows the Technical Privacy Task Team’s conceptual framework.

The design proposes to enhance the JIEM conceptual framework as follows:

• Each exchange in JIEM will have one or more privacy policy rules associated with it.

• Each policy rule will include user and data categories, allowable actions, conditions, business purposes, and obligations that express the policy.

For example, a JIEM user may decide to define a person query in JIEM. As with the current JIEM framework, the user would define these elements, which form the context of this exchange:

• agencies (e.g., law enforcement, probation, courts)

• events (tip or lead), and

• business processes (investigation).

The user might also define the content of the exchange:

• the query parameters (e.g., driver’s license number), and

• expected results (e.g., rap sheet, wants and warrants, etc.).

In addition, using the new privacy rule elements, the user might specify the privacy requirements of this exchange, as follows:

• Only sworn law enforcement officers (user category)

• are able to view (allowable action)

• personally identifiable information (data category)

• if their agency has signed a memorandum of understanding (condition),

• if the query is part of an authorized law enforcement investigation (business purpose), and

• if the agency discards all query results upon closure of the investigation (obligation).

Use of the privacy requirements capture features will be optional; that is, JIEM users will still be able to document information exchanges without capturing privacy requirements, if that makes sense for their project or situation. However, the JIEM conceptual framework will encourage users to consider privacy requirements at the proper place and time, and will provide easy-to-use support (via the Tool) for capturing those requirements.

SEARCH intends to follow the guidance of the Global Federated Identity and Privilege Management (GFIPM) initiative regarding the definition of user categories, as appropriate. This is still an open area of investigation.

Benefits of Capturing Privacy Requirements in JIEM

Enhancing the JIEM conceptual framework and software to include the capture of privacy requirements will result in the following benefits to the JIEM user community and the justice community overall:

• Increased alignment of privacy and exchange requirements. Maintaining privacy requirements in the same model as other information exchange requirements will improve consistency of requirements. Users will more easily and accurately reflect changes to requirements (and keep them aligned) if they are side by side, so to speak, in the same model and tool.

• Increased attention to privacy. The addition of privacy requirements to an existing information exchange requirements model involves less work than documenting privacy requirements “from scratch.” The user-friendly JIEM application will also allow requirements capture with less writing and effort. Less effort means a greater likelihood that jurisdictions will give proper attention to the important subject of privacy.

• Increased conformance to guidelines. The JIEM software, through step-by-step “wizard” screens and similar interface capabilities, will help enforce the concepts of Global frameworks and guidelines as users document their requirements.

• Increased consistency and reuse across jurisdictions. A key factor in the ability to reuse requirements across jurisdictions is the consistency of terminology and structure in those requirements. The JIEM framework and software will enforce a high level of uniformity in how users define requirements (e.g., using standardized concepts like “data category,” “user category,” and so on). A standardized set of concepts used consistently across requirements models will dramatically improve the usability of models in other jurisdictions. This in turn will increase attention nationally to privacy issues.

• Development of reference models representing national best practices. Beyond sharing requirements models directly between jurisdictions, as envisioned in the previous paragraph, the capture of privacy requirements in JIEM will allow SEARCH to build (or expand existing) “reference models” that represent national best practices across a large number of jurisdictions. SEARCH will closely monitor users’ adoption of the privacy requirements capture functionality in JIEM, and will conduct research (as funding is available) to identify these best practices.

• Cost savings from policy reuse. Through both reference models and direct sharing between jurisdictions, the sharing of policy rules will reduce the cost of protecting privacy by allowing practitioners to “reuse and tweak” the work of others, versus having to re-think rules in every case. Just as with general information exchange requirements, many policy requirements will be very similar across jurisdictions, and the JIEM software will allow users to tweak these rules where necessary while directly reusing those parts that are the same.

• Better ability to generate implementation artifacts. The JIEM software will save requirements into an open, standards-based XML structure that can be transformed into “downstream” artifacts (such as eXtensible Access Control Markup Language (XACML)) that speed the implementation and deployment of policy rules at runtime. SEARCH does not intend to implement such transformations in the initial release of the JIEM-privacy functionality, but it will be relatively easy to do so in the future by leveraging the open “pluggable” nature of the Eclipse tools platform on which JIEM is built.

Direct questions about this Technical Brief to [email protected].


This project was supported by Cooperative Agreement #2006-MU-BX-K006 by the U.S. Department of Justice Bureau of Justice Assistance. Points of view or opinions contained in this document are those of the author and do not necessarily represent the official position or policies of the U.S. Department of Justice.

Francis X. Aumand II Chairman

Ronald P. Hawley Executive Director

Kelly J. Harris Deputy Executive Director

SEARCH 7311 Greenhaven Drive, Suite 145 • Sacramento, CA 95831

(916) 392-2550 • (916) 392-8440 (fax) • www.search.org


Recommended Action Items

• Adopt the Global Privacy Policy Technical Framework for providing a comprehensive approach to define, enforce, monitor, and manage information exchanges subject to privacy policy requirements.

• Use a common set of standards and metadata for privacy policy that are specific to the justice domain and aligned with current initiatives, such as the Justice Reference Architecture, National Information Exchange Model, and the Global Federated Identity and Privilege Management initiative.

• Develop a transition strategy for moving to the Privacy Policy Technical Framework and to enterprise electronic policy services.

Executive Summary

As information sharing in the justice domain expands, it has become increasingly important to find ways to use technology to help implement and enforce protections of privacy, civil liberties, and civil rights. Converting privacy policy to a form understandable to computers continues to be a significant problem and a high priority for the justice community. Implementing Privacy Policy in Justice Information Sharing: A Technical Framework seeks to fill this need by exploring approaches and alternatives to resolve technical and interoperability challenges in supporting privacy policy through automation. The goal is to identify an approach and framework for protecting privacy that will be generally applicable to information sharing in the justice environment and that can be readily implemented using existing information technology architectures, standards, and software tools.

Implementing Privacy Policy in Justice Information Sharing: A Technical Framework builds on and therefore serves as a companion document to the following references:

• Privacy Policy Development Guide and Implementation Templates

• Fusion Center Guidelines: Developing and Sharing Information and Intelligence in a New Era; Guidelines for Establishing and Operating Fusion Centers at the Local, State, and Federal Levels; Law Enforcement Intelligence, Public Safety, and the Private Sector

• Global Justice Reference Architecture (JRA) Specification

• Applying Security Practices to Justice Information Sharing

• Information Sharing Environment (ISE) Implementation Plan

Leveraging existing resources, the privacy policy technical requirements were developed with a focus on the data about people and organizations stored within information systems. Three key outcomes from this important work effort are recommended as action items for implementers, as shown in the box below.

Privacy Policy Technical Framework

The technical framework outlines a sequence of steps for implementing a set of electronic privacy policy rules. The electronic policy rules are based on written policies, such as privacy policy, laws, documents, memoranda of understanding, contracts, and agreements. The framework requires that all electronic information requests be submitted with a set of electronic identity credentials to allow the policy service to determine whether the requestor has the authorization to access the information resource. The policy service is composed of software modules referred to as policy decision points (PDPs) and policy enforcement points (PEPs). It ensures that the request is authenticated, authorized, and audited before granting access to the information resource. Additionally, the policy service may impose a set of obligations on the consumer regarding restrictions on further information dissemination, record retention, and audit logging. A diagram depicting the high-level view of the technical framework appears in the box on the right.

[Figure: high-level view of the technical framework. A request message carrying identity credentials, content metadata, environmental conditions and the requested action (release, modify, access, delete, ...) is evaluated by policy services driven by written policy and electronic policy statements (dynamic, federated); the response message carries obligations and feeds an audit trail.]

The development of policy services as an independent set of security and access control services helps ensure consistent implementation of policy across all of an agency’s information resources. Development of enterprise policy services affords opportunities for consistent reuse and standardization of policy administration. Separate policy services can be maintained without making expensive coding changes to the information systems governed by the policy services.

About Global

The U.S. Department of Justice’s Global Justice Information Sharing Initiative (Global) serves as a Federal Advisory Committee to the U.S. Attorney General on critical justice information sharing initiatives. Global promotes standards-based electronic information exchange to provide justice and public safety communities with timely, accurate, complete, and accessible information in a secure and trusted environment. Global is administered by the U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Assistance.
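The policy service described in the Privacy Policy Technical Framework section above (PDPs and PEPs that authenticate, authorize and audit a request and may attach obligations) evaluates exactly the kind of rule the JIEM brief's person-query example spells out (user category, allowable action, data category, condition, business purpose, obligation). The following Python sketch is an added illustration, not code from SEARCH, Global or the JIEM tool: it encodes that person-query rule and runs constructed requests through a minimal PDP/PEP that returns a decision with obligations and writes an audit trail entry; all rule values, requester names and the audit entry layout are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class PolicyRule:
    """One electronic policy rule expressed with the JIEM privacy rule elements."""
    name: str
    user_categories: FrozenSet[str]    # who may act (asserted by identity credentials)
    actions: FrozenSet[str]            # allowable actions
    data_categories: FrozenSet[str]    # data the rule governs (from content metadata)
    conditions: Tuple[str, ...]        # environmental conditions that must hold
    business_purposes: FrozenSet[str]  # purposes for which the action is allowed
    obligations: Tuple[str, ...]       # duties imposed on the consumer when permitted


@dataclass(frozen=True)
class Request:
    """An electronic information request as the framework describes it."""
    requester: str
    user_categories: FrozenSet[str]    # taken from the identity credentials
    action: str
    data_category: str                 # content metadata of the requested resource
    purpose: str
    environment: Dict[str, bool]       # environmental conditions, e.g. MOU on file


@dataclass(frozen=True)
class Decision:
    effect: str                        # "Permit" or "Deny"
    rule: Optional[str]                # name of the rule that decided, if any
    obligations: Tuple[str, ...]
    reason: str


class PolicyDecisionPoint:
    """PDP: evaluates a request against the rules; denies unless a rule permits it."""

    def __init__(self, rules: List[PolicyRule]) -> None:
        self.rules = list(rules)

    def evaluate(self, req: Request) -> Decision:
        for rule in self.rules:
            # A rule applies only to its own actions and data categories.
            if req.action not in rule.actions or req.data_category not in rule.data_categories:
                continue
            if not req.user_categories & rule.user_categories:
                return Decision("Deny", rule.name, (), "user category not permitted")
            if req.purpose not in rule.business_purposes:
                return Decision("Deny", rule.name, (), "business purpose not permitted")
            unmet = [c for c in rule.conditions if not req.environment.get(c, False)]
            if unmet:
                return Decision("Deny", rule.name, (), "condition not met: " + ", ".join(unmet))
            return Decision("Permit", rule.name, rule.obligations, "all rule elements satisfied")
        return Decision("Deny", None, (), "no applicable rule (default deny)")


class PolicyEnforcementPoint:
    """PEP: applies the PDP decision to a resource and writes an audit trail entry."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp
        self.audit_trail: List[dict] = []

    def enforce(self, req: Request, resource: dict) -> Tuple[Optional[dict], Decision]:
        decision = self.pdp.evaluate(req)
        # Every inquiry is audited, permitted or not: who, what, when and the outcome.
        self.audit_trail.append({"user": req.requester, "action": req.action,
                                 "data_category": req.data_category,
                                 "timestamp": datetime.now(timezone.utc).isoformat(),
                                 "decision": decision.effect, "rule": decision.rule})
        if decision.effect != "Permit":
            return None, decision
        return resource, decision      # obligations travel back with the response


# Constructed rule: the brief's person-query example written as rule elements.
PERSON_QUERY_RULE = PolicyRule(
    name="person-query-pii",
    user_categories=frozenset({"sworn_law_enforcement_officer"}),
    actions=frozenset({"view"}),
    data_categories=frozenset({"personally_identifiable_information"}),
    conditions=("agency_mou_signed",),
    business_purposes=frozenset({"authorized_law_enforcement_investigation"}),
    obligations=("discard all query results upon closure of the investigation",),
)


def run_person_query(user_cats, purpose, mou_signed, action="view", requester="officer-01"):
    """Submit one constructed person query through a PEP; returns (resource, decision, audit)."""
    pep = PolicyEnforcementPoint(PolicyDecisionPoint([PERSON_QUERY_RULE]))
    req = Request(requester, frozenset(user_cats), action,
                  "personally_identifiable_information", purpose,
                  {"agency_mou_signed": mou_signed})
    resource = {"rap_sheet": "[constructed sample record]"}  # stand-in for the query result
    released, decision = pep.enforce(req, resource)
    return released, decision, pep.audit_trail
```

A request that fails any one element (no MOU, wrong user category, wrong purpose, or an action no rule covers) is denied with the reason recorded, and the audit entry is written either way.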

Benefits of Policy Services

Historically, each information system programmed its own independent set of security and access controls, creating numerous silos of varied levels of information security policy enforcement throughout the enterprise. By adopting a common technical framework and justice domain vocabulary for expressing electronic policy rules, justice enterprises will have these advantages:

• Enhanced security and privacy of information exchanges

• Better management of the security and access controls for information resources

• New capability for communicating their privacy policy requirements to other justice agencies

• Increased interoperability of secure information through utilization of a common set of standards and privacy policy metadata

This project was supported by Grant No. 2005-NC-BX-K164 awarded by the Bureau of Justice Assistance, in collaboration with the U.S. Department of Justice’s Global Justice Information Sharing Initiative. The Bureau of Justice Assistance is a component of the Office of Justice Programs, which also includes the Bureau of Justice Statistics, the National Institute of Justice, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime. Points of view or opinions in this document are those of the author and do not represent the official position or policies of the U.S. Department of Justice.


Products & Publications

Global Privacy and Information Quality Working Group, Global Justice Information Sharing Initiative
http://it.ojp.gov/default.aspx?area=globalJustice&page=1238

Guide to Conducting Privacy Impact Assessments for State, Local, and Tribal Information Sharing Initiatives
Guide to Conducting Privacy Impact Assessments: Privacy Impact Assessment Template
The Guide to Conducting Privacy Impact Assessments for State, Local, and Tribal Information Sharing Initiatives allows justice practitioners to examine the privacy implications of their information systems and information-sharing collaborations so they can design and implement policies to address vulnerabilities identified through the assessment process. The template allows users to complete the PIA by entering information electronically.

Justice Information Privacy Guideline - Developing, Drafting and Assessing Privacy Policy for Justice Information Systems
The goal of this guideline is to provide assistance to justice leaders and practitioners who seek to balance public safety, public access, and privacy when developing privacy policies for their agencies' systems. This guideline was prepared through the collaboration of nearly 100 local, state, and tribal justice leaders, as well as academia, elected officials, the media, and the commercial sector.

Key Issues - Privacy and Public Access
The Office of Justice Programs (OJP), U.S. Department of Justice (DOJ) has highlighted Privacy and Public Access as a Key Issue. Information related to this issue is currently contained within the Privacy and Public Access page within the Key Issues section of the OJP Information Technology Initiatives Web site.

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, including Fair Information Principles (FIPs)
The eight Fair Information Principles (FIPs) contained within this Organization for Economic Cooperation and Development (OECD) document were developed around commercial transactions and the trans-border exchange of information. However, they do provide a straightforward description of underlying privacy and information exchange principles and provide a simple framework for the legal analysis that needs to be done with regard to privacy in integrated justice systems. Some of the individual principles may not apply in all instances of an integrated justice system.

Privacy and Civil Liberties Policy Development Guide and Implementation Templates
Geared toward practitioners charged with developing or revising their agency’s privacy policy, this document is a practical, hands-on resource and is the next logical step for those justice entities that are ready to move beyond awareness into the actual policy development process. It assists agencies in articulating privacy obligations in a manner that protects the justice agency, the individual, and the public and makes it easier to do what is necessary: share critical justice information. The Implementation Templates included in this document are an essential tool for justice system practitioners to use during the drafting process.


Privacy and Information Quality Policy Development for the Justice Decision Maker
Privacy and Information Quality Policy Development for the Justice Decision Maker introduces the framework for a systematic consideration of privacy and information quality policy and practices within your agency. Since 9/11, few would argue against the criticality of justice information exchange. However, while pursuing a broad-scale sharing capability, decision makers must also vigorously protect our constitutional privacy rights and ensure information quality and accuracy. In short: agencies need privacy and information quality policies to guide their information sharing efforts. Many good resources already exist, helping justice and public safety leaders make the best possible business decisions in their information sharing practices, including addressing privacy and data quality concerns. This document is one such tool.

Privacy Policy Development Guide Overview CD

Privacy Technology Focus Group: Executive Summary
This document summarizes the detailed final report and recommendations of the Privacy Technology Focus Group.

Privacy Technology Focus Group: Final Report and Recommendations
This Privacy Technology Focus Group (Focus Group) was chartered to examine the use and exchange of personally identifiable information (PII) in the context of justice information systems and in the dissemination and aggregation of justice and public safety data. Working teams addressed the following subject matters: Access and Authentication, Data Aggregation and Dissemination, Identity Theft, and Personal Safety and Protection. The charter for this first Focus Group meeting was to provide BJA with specific recommendations for action that leverage technology in support of privacy policy; the Final Report and Recommendations fulfills that charter.

U.S. Department of Justice's (DOJ's) Privacy Impact Assessment (PIA)
Privacy Impact Assessments (“PIAs”) are required by Section 208 of the E-Government Act for all Federal government agencies that develop or procure new information technology involving the collection, maintenance, or dissemination of personally identifiable information or that make substantial changes to existing information technology that manages personally identifiable information. A PIA is an analysis of how personally identifiable information is collected, stored, protected, shared, and managed.


The Benefits of Using JIEM to Capture Privacy Requirements 1

Technical Brief

February 2008

SEARCH

The National Consortium for Justice Information and Statistics

The Benefits of Using the Justice Information Exchange Model (JIEM) to Capture Privacy Requirements

By Scott Came, Director, Systems and Technology, SEARCH

SEARCH, with the advice and consent of the Justice Information Exchange Model (JIEM) practitioner steering committee, plans to enhance the JIEM conceptual framework and JIEM software tool to allow JIEM users to capture privacy requirements in the same manner as they capture other information exchange requirements in JIEM. The purpose of this Technical Brief is to identify the benefits of this approach.

Background on JIEM

The JIEM methodology, developed by SEARCH with funding from the Bureau of Justice Assistance, U.S. Department of Justice, provides a structured framework for capturing the essential requirements of information exchange. For each exchange, JIEM identifies who is involved (what agencies/organizations), why the exchange is taking place (business process), when it takes place (business events and conditions), and what information is being exchanged. JIEM also includes reference models, which are the end-product of research to identify common or typical exchange requirements across jurisdictions, and which allow users to incorporate best practices into their own local requirements.


JIEM has been used by more than 100 jurisdictions over the past decade and has an active user base of several hundred practitioner and industry users.

For more information about JIEM, see http://www.search.org/programs/info/jiem.asp.

Background on Privacy

As justice and public safety organizations exchange information, it is essential that they ensure proper protection of privacy and civil liberties. Several key documents from the Global Justice Information Sharing Initiative and Federal partners have emphasized the importance of information privacy. Most recently, the President’s National Strategy for Information Sharing stated:

Protecting the rights of Americans is a core facet of our information sharing efforts. While we must zealously protect our Nation from the real and continuing threat of terrorist attacks, we must just as zealously protect the information privacy rights and other legal rights of Americans. With proper planning we can have both enhanced privacy protections and increased information sharing—and in fact, we must achieve this balance at all levels of government, in order to maintain the trust of the American people.

As the strategy indicates, proper planning—including identification of protected information and documentation of privacy policy rules—is a key step to protecting privacy while meeting the growing needs to share information.

In response to these concerns, the Global Information Quality and Privacy Working Group and the Global Security Working Group formed the Technical Privacy Task Team, which has developed a framework for capturing privacy policy rules.

Proposed Approach to Privacy Requirements Capture in JIEM

SEARCH has completed a preliminary design of an approach to capture privacy requirements in JIEM, and is planning to implement this design in the JIEM conceptual framework and software in 2008. This design is in part a response to the Technical Privacy Task Team’s recommendation that Global leadership and the justice community should “evaluate [the] feasibility of augmenting the SEARCH JIEM Tool to define policy constraints for common information exchanges.” The design also follows the Technical Privacy Task Team’s conceptual framework.

The design proposes to enhance the JIEM conceptual framework as follows:

• Each exchange in JIEM will have one or more privacy policy rules associated with it.
• Each policy rule will include user and data categories, allowable actions, conditions, business purposes, and obligations that express the policy.


For example, a JIEM user may decide to define a person query in JIEM. As with the current JIEM framework, the user would define these elements, which form the context of this exchange:

• agencies (e.g., law enforcement, probation, courts)
• events (tip or lead), and
• business processes (investigation).

The user might also define the content of the exchange:

• the query parameters (e.g., driver’s license number), and
• expected results (e.g., rap sheet, wants and warrants, etc.).

In addition, using the new privacy rule elements, the user might specify the privacy requirements of this exchange, as follows:

• Only sworn law enforcement officers (user category)
• are able to view (allowable action)
• personally identifiable information (data category)
• if their agency has signed a memorandum of understanding (condition),
• if the query is part of an authorized law enforcement investigation (business purpose), and
• if the agency discards all query results upon closure of the investigation (obligation).
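The six rule elements above, modelled as a default-deny policy evaluator so the person-query rule can be checked against sample requests. This is an added example, not SEARCH's JIEM tool or its XML format; the `PrivacyRule`, `Request` and `evaluate` names and the `agency_has_signed_mou` attribute are assumptions, and the rule data is constructed from the brief's example.

```python
from dataclasses import dataclass, field

@dataclass
class PrivacyRule:               # one JIEM-style privacy policy rule for an exchange
    user_categories: set
    allowable_actions: set
    data_categories: set
    conditions: dict             # attribute -> required value; every entry must hold
    business_purposes: set
    obligations: list            # duties the recipient accepts once access is permitted
    def unmet(self, req):
        """Rule elements the request fails to satisfy (empty list = rule applies)."""
        failed = []
        if req.user_category not in self.user_categories:
            failed.append("user category")
        if req.action not in self.allowable_actions:
            failed.append("allowable action")
        if req.data_category not in self.data_categories:
            failed.append("data category")
        # a missing attribute never satisfies a condition (fail closed)
        if any(req.attributes.get(k) != v for k, v in self.conditions.items()):
            failed.append("condition")
        if req.purpose not in self.business_purposes:
            failed.append("business purpose")
        return failed

@dataclass
class Request:                   # who wants to do what to which data, and why
    user_category: str
    action: str
    data_category: str
    purpose: str
    attributes: dict = field(default_factory=dict)

def evaluate(rules, req):
    """Default deny; returns (decision, obligations, reasons) for the audit log."""
    reasons = []
    for i, rule in enumerate(rules):
        failed = rule.unmet(req)
        if not failed:           # every element covers the request: permit with duties
            return "Permit", list(rule.obligations), []
        reasons.append(f"rule {i} unmet on: {', '.join(failed)}")
    return "Deny", [], reasons

# The brief's person-query rule, entered as constructed sample data (assumed attribute name).
PERSON_QUERY_RULES = [PrivacyRule(
    user_categories={"sworn law enforcement officer"}, allowable_actions={"view"},
    data_categories={"personally identifiable information"},
    conditions={"agency_has_signed_mou": True},
    business_purposes={"authorized law enforcement investigation"},
    obligations=["discard all query results upon closure of the investigation"],
)]
```

The obligation is returned with a Permit rather than tested as a condition, which is how the later XACML transformation the brief mentions would carry it to the enforcing system.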

Use of the privacy requirements capture features will be optional; that is, JIEM users will still be able to document information exchanges without capturing privacy requirements, if that makes sense for their project or situation. However, the JIEM conceptual framework will encourage users to consider privacy requirements at the proper place and time, and will provide easy-to-use support (via the Tool) for capturing those requirements.

SEARCH intends to follow the guidance of the Global Federated Identity and Privilege Management (GFIPM) initiative regarding the definition of user categories, as appropriate. This is still an open area of investigation.

Benefits of Capturing Privacy Requirements in JIEM

Enhancing the JIEM conceptual framework and software to include the capture of privacy requirements will result in the following benefits to the JIEM user community and the justice community overall:

• Increased alignment of privacy and exchange requirements. Maintaining privacy requirements in the same model as other information exchange requirements will improve consistency of requirements. Users will more easily and accurately reflect changes to requirements (and keep them aligned) if they are side by side, so to speak, in the same model and tool.

• Increased attention to privacy. The addition of privacy requirements to an existing information exchange requirements model involves less work than documenting privacy requirements “from scratch.” The user-friendly JIEM application will also allow requirements capture with less writing and effort. Less effort means a greater likelihood that jurisdictions will give proper attention to the important subject of privacy.

• Increased conformance to guidelines. The JIEM software, through step-by-step “wizard” screens and similar interface capabilities, will help enforce the concepts of Global frameworks and guidelines as users document their requirements.

• Increased consistency and reuse across jurisdictions. A key factor in the ability to reuse requirements across jurisdictions is the consistency of terminology and structure in those requirements. The JIEM framework and software will enforce a high level of uniformity in how users define requirements (e.g., using standardized concepts like “data category,” “user category,” and so on). A standardized set of concepts used consistently across requirements models will dramatically improve the usability of models in other jurisdictions. This in turn will increase attention nationally to privacy issues.

• Development of reference models representing national best practices. Beyond sharing requirements models directly between jurisdictions, as envisioned in the previous paragraph, the capture of privacy requirements in JIEM will allow SEARCH to build (or expand existing) “reference models” that represent national best practices across a large number of jurisdictions. SEARCH will closely monitor users’ adoption of the privacy requirements capture functionality in JIEM, and will conduct research (as funding is available) to identify these best practices.

• Cost savings from policy reuse. Through both reference models and direct sharing between jurisdictions, the sharing of policy rules will reduce the cost of protecting privacy by allowing practitioners to “reuse and tweak” the work of others, versus having to re-think rules in every case. Just as with general information exchange requirements, many policy requirements will be very similar across jurisdictions, and the JIEM software will allow users to tweak these rules where necessary while directly reusing those parts that are the same.

• Better ability to generate implementation artifacts. The JIEM software will save requirements into an open, standards-based XML structure that can be transformed into “downstream” artifacts (such as eXtensible Access Control Markup Language (XACML)) that speed the implementation and deployment of policy rules at runtime. SEARCH does not intend to implement such transformations in the initial release of the JIEM-privacy functionality, but it will be relatively easy to do so in the future by leveraging the open “pluggable” nature of the Eclipse tools platform on which JIEM is built.

Direct questions about this Technical Brief to [email protected].


This project was supported by Cooperative Agreement #2006-MU-BX-K006 by the U.S. Department of Justice Bureau of Justice Assistance. Points of view or opinions contained in this document are those of the author and do not necessarily represent the official position or policies of the U.S. Department of Justice.

Francis X. Aumand II, Chairman

Ronald P. Hawley, Executive Director

Kelly J. Harris, Deputy Executive Director

SEARCH 7311 Greenhaven Drive, Suite 145 • Sacramento, CA 95831

(916) 392-2550 • (916) 392-8440 (fax) • www.search.org