Connecticut Informational Guide for Noncriminal Justice Use of Criminal History Record Information (CHRI)


This document is designed to guide criminal justice and noncriminal justice agencies with access to criminal justice information (CJI) for noncriminal justice purposes* through the audit process. All agencies with access to CJI, in any form, will be subjected to an audit.

*Noncriminal Justice Purposes: The use of criminal history records for purposes authorized by federal or state law, other than purposes relating to the administration of criminal justice, including employment suitability, licensing determinations, immigration and naturalization matters, and national security clearances.

Table of Contents

Defining Criminal Justice Information
Access to Criminal Justice Information
Introduction to the Interstate Identification Index (III)
Introduction to Public Law (Pub. L.) 92-544
Introduction to the National Crime Prevention and Privacy Compact (Compact) Act of 1998
Introduction to the Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Security Policy
Introduction to the National Identity Services (NIS) Audit
Basic Parameters for Use
Introduction to Privacy Rights
Introduction to Physical Protection
Introduction to Media Protection
Introduction to Dissemination
Dissemination & The Applicant
Dissemination & Other Agencies
Dissemination & The General Public
Introduction to Misuse
Misuse Reporting Procedures

Defining Criminal Justice Information

Personally Identifiable Information (PII): Information which can be used to distinguish or trace an individual's identity, such as name, social security number, or biometric records, alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, or mother's maiden name.

Criminal Justice Information (CJI): FBI CJIS-provided data necessary for law enforcement agencies to perform their mission and enforce the laws, including but not limited to: biometric, identity history, person, organization, property (when accompanied by any personally identifiable information), and case/incident history data. FBI CJIS-provided data necessary for civil agencies to perform their mission, including, but not limited to, data used to make hiring decisions.

Criminal History Record Information (CHRI): Any notations or other written or electronic evidence of an arrest, detention, complaint, indictment, information or other formal criminal charge relating to an identifiable person that includes identifying information regarding the individual as well as the disposition of any charges. Any FBI data maintained by an agency, including but not limited to, education, financial transactions, medical history, and criminal or employment history that may include PII. Any information that confirms the existence or nonexistence of a criminal record. Information that is transferred or reproduced directly from CHRI and associated with the subject of the record. This includes information such as conviction/disposition data as well as identifiers used to index records regardless of format. Applicant status information, which is either directly attributed to or predominately based on a national FBI check, when no authority or inherent need exists for the release of such information. Further defined at Title 42, United States Code (USC), 14616, Article I and Title 28, Code of Federal Regulations (CFR), 20.3.

Examples of formal and informal products or verbalizations include: correspondence such as letters and e-mails; documents such as forms and hand-written notes (including notes on posted notes); conversations either in person or by telephone; and data fields such as those stored in database tables or spreadsheets.

CJI is sensitive and confidential data and should be treated as such.

Access to Criminal Justice Information

If your agency accesses CJI, in any way, you will be subjected to an audit.

Access to Criminal Justice Information: The physical or logical (electronic) ability, right or privilege to view, modify or make use of Criminal Justice Information.

Physical Access: The physical ability, right or privilege to view, modify or make use of CJI by means of physical presence within the proximity of computers and network devices. Example: the ability to insert a flash drive into a computer or make a physical connection (touch) with electronic equipment.

Logical Access: The technical means (e.g., read, create, modify, delete a file, execute a program, or use an external connection) for an individual or other computer system to utilize CJI or CJIS applications. Example: the ability to read an email or log into a portal to view or print a rap sheet.

Direct Access: (1) Having the authority to access systems managed by the FBI CJIS Division, whether by manual or automated methods, not requiring the assistance of, or intervention by, any other party or agency (28 CFR, Chapter 1, Part 20). (2) Having the authority to query or update national databases maintained by the FBI CJIS Division including national queries and updates automatically or manually generated by the CSA.

Indirect Access: Having the authority to access systems containing CJI without providing the user the ability to conduct transactional activities (the capability to query or update) on state and national systems.

Introduction to the Interstate Identification Index (III)

Since 1921, the FBI has been statutorily authorized to collect and disseminate CHRI to authorized recipients. Title 28, USC, 534 empowers the FBI to exchange CHRI with, and for the official use of, authorized officials of the Federal Government, the United States Sentencing Commission, States, including State sentencing commissions, Indian tribes, cities, and other institutions.

The FBI maintains the national criminal history record repository, known as the Interstate Identification Index (III) System. The III System contains CHRI from all states and U.S. territories, as well as federal agencies. The records in the III System are all based on fingerprints, which provide a positive, biometric match between the individual and his/her record.

The III System was initially created for name-based access by criminal justice and law enforcement agencies involved in the administration of criminal justice functions, such as investigations, prosecutions, and sentencing. Over time, however, the use of this criminal history information has been authorized for numerous fingerprint-based noncriminal justice purposes, such as background screening for employment and licensing in industries that are authorized by either state governments or the federal government.

The III System provides a means of conducting national criminal history record searches for noncriminal justice purposes as authorized by federal statutes, Executive Orders, and state statutes approved by the Attorney General of the United States. Each statutory authority defines the specific purposes (applicant types) for which CHRI may be requested and used. To ensure that a specific category of applicants is authorized for a national background check, the statutory authority must be closely reviewed.

Introduction to Public Law (Pub. L.) 92-544

In 1972, Congress enacted Pub. L. 92-544. This federal statute authorizes states to enact legislation that designates specific licensing or employment purposes for which state and local government agencies may submit fingerprints to the FBI and receive CHRI from the FBI.

Prior to fingerprint submission and access to CHRI under Pub. L. 92-544, a state statute must be submitted to the Department of Emergency Services and Public Protection (DESPP) Criminal Justice Business Applications Unit (CJBA) for submission to, and approval from, the FBI Law Unit (FLU) on behalf of the United States Attorney General.

The FBI's criteria to approve a statute are as follows: The statute must exist as the result of legislative enactment or its functional equivalent; It must require fingerprinting of the applicant; It must, expressly or by implication, authorize use of FBI records for screening of the applicant; It must not be against public policy; It must identify the specific category(ies) of licensees/employees falling within its purview, thereby avoiding overbreadth; and It may not authorize receipt of the FBI CHRI by a private entity.

When changes or modifications to a previously FBI-approved state statute occur, the statute must be re-submitted to the FLU for review and approval.

As a matter of FBI policy, fingerprint submissions to the FBI under an approved Pub. L. 92-544 statute must be processed by the DESPP State Police Bureau of Identification (SPBI). This FBI policy requirement was included in Article V of the National Crime Prevention and Privacy Compact (Compact) Act of 1998. The states must also determine a governmental agency to be responsible for receiving and screening the results of the record check to determine an applicant's suitability for employment/licensing.

Introduction to the National Crime Prevention and Privacy Compact (Compact) Act of 1998

In 1998, the Compact was enacted and strengthened the requirements for the use of FBI-maintained CHRI for noncriminal justice purposes. These requirements included that: a subsequent record request must be conducted to obtain current information whenever a new authorized need arises; and fingerprints or other approved forms of positive identification must be submitted with all requests for CHRI for noncriminal justice purposes.

The Compact Act established the Compact Council. The Compact Council works in partnership with criminal history record custodians, end users, and policy makers to regulate and facilitate the sharing of complete, accurate, and timely CHRI to noncriminal justice users in order to enhance public safety, welfare, and security of society, while recognizing the importance of individual privacy rights.

The Compact formalized into law the policies approved in 1986 by the Advisory Policy Board in the Concept for Exchange of Criminal History Records for Noncriminal Justice Uses by means of the III. The Compact can be found at Title 42, USC, 14616. The State of Connecticut agreed to the terms of the Compact Act with the enactment of Connecticut General Statute 29-164f.

In addition to Compact Council rules, agencies must adhere to the FBI CJIS Security Policy.

Introduction to the FBI CJIS Security Policy

The FBI CJIS Security Policy is the minimum security standard policy used by both criminal and noncriminal justice agencies requiring access to CJI maintained by the FBI CJIS Division.

The CJIS Security Policy: Applies to every individual contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity with access to, or who operate in support of, criminal justice services and information; Provides the appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit; Provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI; and Can be found on the FBI.gov website and may be posted and shared without restriction.

I sent the most recent CJIS Security Policy (effective 6/1/2016) in a previous email.

Introduction to the National Identity Services (NIS) Audit

In October 2014, the FBI started cycle 0 (informational) audits on agencies with access to CHRI for noncriminal justice purposes. Prior to 2014, user agencies were never subjected to an FBI audit because their only access to FBI data was for noncriminal justice purposes*. With the creation of a federal audit, states were mandated to audit all recipients of CJI.

Audits assess compliance with the III System; National Fingerprint File (NFF) participation standards; federal laws and regulations associated with the access, use, dissemination, and security of national CHRI; Compact rules and procedures; and the FBI CJIS Security Policy.

Federally Mandated Formal Audits: All agencies must be audited at least once every (3) three years by the DESPP. Audits are conducted by the CJBA Unit. A randomly selected group of agencies will be audited at least once every (3) three years by the FBI CJIS Audit Unit. The FBI's audit is called the NIS Audit. More frequent audits may occur as a result of possible system violations. Unannounced security inspections and scheduled audits of contractor facilities may be conducted.

The results of the FBI audits are reported to the Compact Council's Sanctions Committee (Sanctions Committee) in accordance with Title 28, CFR, Part 907. The Sanctions Committee reviews the results of the audit and determines a course of action necessary to bring agencies into compliance and makes recommendations to the Compact Council or, if applicable, the FBI.

Basic Parameters for Use

Approved Statutory Authority
Authorized Recipient
Authorized Use/Purpose (Examples: original application for the position or license or the letter of hire.)
Fingerprint submission (Privacy rights forms were sent to recipient agencies by the SPBI on 12/23/2015.)
Receipt of CHRI
Adjudication or fitness determination
Closing or maintenance activities

The basic parameters for use consist of (chronologically):

There must be an approved state statute, federal statute, or Executive Order, approved by the Attorney General (AG) of the United States. The AG's approval authority is delegated to the FBI by Title 28, CFR, 0.85(j) and 50.12(a).

The agency must be designated to request civil fingerprint-based background checks, with the full consent of the individual on whom a background check is taking place, for noncriminal justice functions.

The agency must be able to prove that the applicant met the statutory requirement to be fingerprinted, under the approved statute, and based on the positive identification via fingerprint submission of the applicant. This documentation must be retained for at least one (1) year, regardless of whether the applicant was hired or approved.

All applicants must receive the Noncriminal Justice Applicant Privacy Rights Form and FBI Privacy Act Statement prior to being fingerprinted. The Reason Fingerprinted Field (RFP) or Applying For section of the fingerprint card must contain the correct statutory authority and specific position that the applicant is applying for. The National Child Protection Act/Volunteer for Children's Act (NCPA/VCA) Notice and Consent Form is required for persons fingerprinted under the NCPA/VCA.

Electronic and hardcopy forms of CHRI must be protected pursuant to the CJIS Security Policy.

The agency must meet the Privacy Requirements for Noncriminal Justice Applicants. This is a federal requirement and failure to do so may result in civil actions. The Agency Privacy Requirements for Noncriminal Justice Applicants form was provided to recipient agencies by the SPBI on 12/23/2015.

Information must be properly secured until retention is no longer required by state or federal law and then properly destroyed pursuant to the CJIS Security Policy.

Introduction to Privacy Rights

Overview of Agency Requirements for Noncriminal Justice Applicants:

Officials must provide to the applicant written notice that his/her fingerprints will be used to check the criminal history records of the FBI.

Officials using the FBI criminal history record (if one exists) to make a determination of the applicant's suitability for the job, license, or other benefit must provide the applicant the opportunity to complete or challenge the accuracy of the information in the record.

Officials must advise the applicant that procedures for obtaining a change, correction, or updating of an FBI criminal history record are set forth at Title 28, CFR, 16.34.

Officials should not deny the job, license, or other benefit based on information in the criminal history record until the applicant has been afforded a reasonable time to correct or complete the record or has declined to do so.

Officials must use the criminal history record solely for the purpose requested and cannot disseminate the record outside the receiving department, related agency, or other authorized entity.

Written notification includes electronic notification, but excludes oral notification.

Overview of FBI Privacy Act Statement:

Principal Purpose: Certain determinations, such as employment, licensing, and security clearances, may be predicated on fingerprint-based background checks. Your fingerprints and associated information/biometrics may be provided to the employing, investigating, or otherwise responsible agency, and/or the FBI for the purpose of comparing your fingerprints to other fingerprints in the FBI's Next Generation Identification (NGI) system or its successor systems (including civil, criminal, and latent fingerprint repositories) or other available records of the employing, investigating, or otherwise responsible agency. The FBI may retain your fingerprints and associated information/biometrics in NGI after the completion of this application and, while retained, your fingerprints may continue to be compared against other fingerprints submitted to or retained by NGI.

Routine Uses: During the processing of this application and for as long thereafter as your fingerprints and associated information/biometrics are retained in NGI, your information may be disclosed pursuant to your consent, and may be disclosed without your consent as permitted by the Privacy Act of 1974 and all applicable Routine Uses as may be published at any time in the Federal Register, including the Routine Uses for the NGI system and the FBI's Blanket Routine Uses. Routine uses include, but are not limited to, disclosures to: employing, governmental or authorized nongovernmental agencies responsible for employment, contracting, licensing, security clearances, and other suitability determinations; local, state, tribal, or federal law enforcement agencies; criminal justice agencies; and agencies responsible for national security or public safety.

Agencies are obligated to ensure that applicants are provided with certain notices and other information and that the results of the check are handled in a manner that protects the applicant's privacy.

Introduction to Physical Protection

Physically Secure Location: A facility, a criminal justice conveyance, or an area, a room, or a group of rooms, within a facility with both the physical and personnel security controls sufficient to protect CJI and associated information systems.

All individuals need to remain cognizant of the designated physically secure areas and ensure that all personnel abide by access control points, entrance and exit procedures, visitor control and handling procedures.

All individuals need to maintain vigilance in recognizing individuals who may not have appropriate access and may have been left unescorted.

Visitors must be authenticated before escorted access to a secure location can be authorized. Visitors must be escorted at all times. An escort is an authorized individual who accompanies a visitor at all times while within a secure location to ensure the protection and integrity of the secure location and any CJI therein. The use of cameras or other electronic means used to monitor a secure location does not constitute an escort.

All individuals should report areas of sensitive access that may be unsecure such as emergency exit doors which may have been left propped open.

All authorized individuals must ensure that CJI, whether in physical or electronic form, remain in the secured areas unless they have specific authorization and procedures for taking that information out of the secure area.

All authorized individuals are subject to the agency physical protection policy to ensure that the security of CJI is maintained. All agencies are required to implement a physical protection policy. I will send out an audit guide on policy requirements.

Physical security incidents must be reported to the Terminal Agency Coordinator (TAC) in a timely manner.

Introduction to Media Protection

Physical Media: Physical media refers to media in printed form. This definition includes, but is not limited to, printed documents, printed imagery, printed facsimile.

Digital Media: Any form of electronic media designed to store data in a digital format. This includes, but is not limited to: memory device in laptops, computers, and mobile devices; and any removable, transportable electronic media, such as magnetic tape or disk, optical disk, flash drives, external hard drives, or digital memory card.

All physical forms of CJI should be clearly marked and labeled ensuring documents are maintained according to policy and procedures. It is highly recommended that documents, at a minimum, be clearly labeled. Coversheets designating the sensitive nature of the data and user responsibility in handling that data should also be considered as an appropriate measure.

Electronic forms of media can become mishandled rather quickly due to the hidden nature of the data. Optical media and flash drives should be clearly labeled especially given those forms of media that are not protected by encryption.

When email contains sensitive information, it should be standard practice to label those items as well and to ensure transmission is encrypted when applicable. Encryption is the only approved method for email traffic containing CJI.

Users must protect their passwords accordingly, not sharing their individual account access or allowing for the possibility of compromise. All passwords must follow secure password attributes as listed in the CJIS Security Policy.

All authorized individuals are subject to the agency media protection policy to ensure that the security of CJI is maintained. All agencies are required to implement a media protection policy. I will send out an audit guide on policy requirements.

Introduction to Dissemination

Dissemination: The transmission/distribution of CJI to Authorized Recipients within an agency.

CHRI may only be disseminated to entities that are authorized to receive it relative to the state or federal statutory authority used to submit the fingerprint check. CHRI must be maintained in such a manner as to not result in unauthorized access.

The concept of dissemination applies when CHRI is made available to recipients through physical and logical access: regardless of whether or not the access was intentional; and regardless of whether CHRI is pushed to recipients or pulled by recipients since the end result is the same.

Example: A contract cleaning crew that has unsupervised after-hours access to files containing CHRI is considered unintentional residual access. This is considered unauthorized dissemination and will result in an out-of-compliance finding during an audit.

Access to CHRI must be limited to the minimum necessary sub-offices and personnel within a department or agency that are actually required for a particular use. Persons with access to CHRI must have a need/right to know. While authorized receiving agencies may exercise some level of discretion and freedom of maneuver to distribute CHRI within their organizational structure, they must be able to demonstrate a reasonable need for doing so.

Example: A local board of education may be designated as an authorized recipient of CHRI for the purpose of conducting background checks for prospective teachers. CHRI is stored as part of an electronic personnel records management system, accessible by all board of education employees. Although the board of education is an authorized recipient, access to CHRI must be limited to personnel within the human resources department responsible for making fitness determinations. This will also limit the board of education's exposure to the inherent risks associated with unauthorized dissemination of CHRI and violation of the prospective teacher's privacy rights.

The exchange of CHRI is subject to cancellation if dissemination is made outside the receiving departments or related agencies.

Dissemination & The Applicant

Agencies may disseminate fingerprint-based criminal history obtained for noncriminal justice purposes to the subject of the record only. This is permissible only when the applicant is challenging an adverse decision based on the CHRI. Agencies cannot initiate national criminal history record checks for the sole intended purpose of providing a subject a copy of his/her record for review or challenge.

CHRI cannot be disseminated to spouses, other household or family members, or other parties such as potential employers, even at the subject's request.

CHRI can be disseminated to an attorney acting on the subject's behalf when the applicant is challenging the agency's adverse decision based on the CHRI obtained. The identity of the attorney and applicant must be satisfactorily established.

If an inherent need does exist to advise a particular entity not otherwise authorized relevant to the federal statutory authority being leveraged for the national criminal history check, then it is acceptable to notify the entity of the outcome of applicant fitness determinations.

Entities to which an applicant is seeking employment or licensing may receive status notifications which indicate the positive or negative outcome of fitness determinations.

Status notifications: Cannot confirm the existence or non-existence of a federal record; Must contain generic pass/fail language to the greatest extent possible, with the understanding that a reasonable balance must exist between the need to notify a potential employer and not indirectly confirming the existence or non-existence of CHRI; Notification language cannot directly reference that a national FBI check was conducted; Cannot be posted to a public website or national directory.

Dissemination & Other Agencies

- CHRI cannot be re-used for subsequent unrelated needs by the original requestor/recipient.
- CHRI cannot be disseminated to another recipient.
- CHRI cannot be disseminated to another recipient for future anticipated uses, regardless of whether or not the needs are formally related.
- CHRI cannot be disseminated outside of the State of Connecticut's jurisdiction.

Auditors: Some auditors may require residual access to CHRI based on statutory authority or regulatory obligations. Such access should be limited to only the minimum level of personnel necessary to accomplish oversight responsibilities, and controls must be established to reasonably prevent unauthorized disclosure of CHRI. Auditors cannot take or make copies of CHRI for their records.

Example: The Department of Education's regulatory auditors must audit a school's personnel file to ensure that a criminal history background check was conducted on a teacher.

Agencies must be able to provide the authority for authorized dissemination to auditors upon request.

Dissemination & The General Public

CHRI cannot be disseminated to the general public. This includes maintaining CHRI in formats that are accessible by the public or within records that are subject to release through public record requests.

However, CHRI may be disclosed as part of an adjudication process during a hearing that is open to the public. The agency must demonstrate the following:
1) The hearing is based on a formally established requirement;
2) The applicant is aware prior to the hearing that CHRI may be disclosed;
3) The applicant is not prohibited from being present at the hearing; and
4) CHRI is not disclosed during the hearing if the applicant withdraws from the application process.

For example, a board or commission may be authorized to access CHRI, and as part of regularly scheduled meetings, applicant appeals are discussed as standard agenda items.

Even when the specific conditions are met to allow disclosure during a public hearing, the most preferable method for introducing CHRI is to enter into a closed session which limits participation by the public at large. Agencies must be able to reasonably demonstrate how the prerequisite criteria are being met for audit purposes.

Introduction to Misuse

All noncriminal justice agencies have authorized access to CJI for noncriminal justice purposes pursuant to a federal law or state statute approved by the United States Attorney General. Any access and/or dissemination of CJI for other purposes is considered misuse of the information. Most misuse cases stem from affairs of the heart, political motivation, monetary gain, idle curiosity, or trying to help out a friend. Misuse does not depend upon whether or not additional compensation was received for such unauthorized activity.

Methods of Misuse:
- Unauthorized requests, receipt, release, interception, dissemination or discussion of CJI;
- Improper use of information obtained from any CJI System and/or related applications and devices; and/or
- Violating the confidentiality of any data or record information and using it for personal purposes.

Unauthorized requests, receipt, release, interception, dissemination or discussion of CJI is considered misuse.

Physical security violations and/or misuse of CJI can result, and has resulted, in:
- Administrative (internal) investigations and/or sanctions;
- Termination of access to CJI for the individual user;
- Termination of access to CJI for the associated agency;
- Termination of employment or contract;
- Criminal investigations and/or arrests; and
- Prosecution and conviction for violation of state and/or federal crimes designed to protect the confidentiality and integrity of CJI.

Misuse Reporting Procedures

Security incidents and misuse threaten the confidentiality, integrity or availability of state/FBI CJIS data. All employees, contractors and third-party users are required to promptly report any security incident and/or misuse to the TAC. All information must be communicated in a timely manner so that corrective action can be taken promptly. Security incidents and/or system misuse may also be reported to the CSO, Darryl Hayes.

Events can be reported by mail, phone, fax, and email using the information provided below:

Mailing Address:
Department of Emergency Services and Public Protection
Division of State Police
Criminal Justice Business Applications Unit
1111 Country Club Road
Middletown, CT 06457

Phone: 860-685-8020
Fax: 860-685-8636
Email Address: collect.unit.dps@ct.gov
Subject Title: <CJI Violation for {insert agency name}>