Criminal Intelligence Systems Operating Policies

Federal Register: July 31, 2008 (Volume 73, Number 148)

Proposed Rules

Page 44673-44677

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

DOCID:fr31jy08-17

DEPARTMENT OF JUSTICE

Office of Justice Programs 28 CFR Part 23

Docket No. OJP 1473

RIN 1121-AA59

Criminal Intelligence Systems Operating Policies

AGENCY: Office of Justice Programs, Justice.

ACTION: Proposed rule.

SUMMARY: The Office of Justice Programs is publishing this proposed rule to amend its regulations that govern the operating policies of criminal intelligence systems that receive federal funding under the

Omnibus Crime Control and Safe Streets Act of 1968, as amended (``Crime

Control Act''). The regulations were issued pursuant to 42 U.S.C. 3789(g), which requires that ``criminal intelligence systems'' receiving Crime Control Act support must collect, maintain, and disseminate criminal intelligence information ``in conformance with policy standards which are prescribed by the Office of Justice

Programs.'' The statute specifies that the policy standards must be written to assure that the funding and operation of the systems further the purpose of the funding provisions and assure that such systems

``are not utilized in violation of the privacy and constitutional rights of individuals.'' The existing regulations were last revised in 1993 and the purpose of the revisions proposed in this document is to clarify and update the regulations in light of the new, post-9/11 information sharing environment and investigative policies aimed at preventing terrorism.

DATES: Written comments must be submitted on or before September 2, 2008.

ADDRESSES: Comments may be mailed to Michael Dever, Bureau of Justice

Assistance, 810 7th Street, NW., Washington, DC 20531. To ensure proper handling, please reference OJP Docket No. 1473 in your correspondence.

You may submit comments electronically or view an electronic version of this proposed rule at http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Michael Dever, Bureau of Justice

Assistance, 810 7th Street, NW., Washington, DC 20531. Telephone: (202) 616-6500.

SUPPLEMENTARY INFORMATION:

Posting of Public Comments

Please note that all comments received are considered part of the public record and made available for public inspection online at http:/

/www.regulations.gov. Such information includes personal identifying information (such as name and address) voluntarily submitted by the commenter.

If you wish to submit personal identifying information (such as your name, address, etc.) as part of your comment, but do not wish for it to be posted online, you must include the phrase ``PERSONAL

IDENTIFYING INFORMATION'' in the first paragraph of your comment. You also must locate all the personal identifying information you do not wish to be posted online in the first paragraph of your comment and identify what information you would like redacted.

If you wish to submit confidential business information as part of your comment but do not wish for it to be posted online, you must include the phrase ``CONFIDENTIAL BUSINESS INFORMATION'' in the first paragraph of your comment. You also must prominently identify confidential business information to be redacted within the comment. If a comment has so much confidential business information that it cannot be effectively redacted, all or part of that comment may not be posted on http://www.regulations.gov.

Personal identifying information and confidential business information identified and located as set forth above will be placed in the agency's public docket file, but not posted online. If you wish to inspect the agency's public docket file in person by appointment, please see the FOR FURTHER INFORMATION CONTACT paragraph.

Discussion

The proposed rule would revise the Office of Justice Program (OJP) regulations in 28 CFR part 23 that set forth policy guidelines for

Crime Control Act-funded state criminal intelligence information systems. The part 23 regulations were issued pursuant to a requirement in 42 U.S.C. 3789(g) that ``criminal intelligence systems'' receiving

Crime Control Act support must collect, maintain, and disseminate criminal intelligence information ``in conformance with policy standards which are prescribed by the Office of Justice Programs.'' The statute specifies that the policy standards must be written to assure that the funding and operation of the systems further the purpose of the funding provisions and assure that such systems ``are not utilized in violation of the privacy and constitutional rights of individuals.''

The existing part 23 regulations were last revised in 1993 and the purpose of the revisions proposed in this notice is to clarify and update the regulations in light of the new, post-9/11 information- sharing environment and investigative policies aimed at preventing terrorism. Multiple initiatives are being pursued at the federal, state, and local levels to promote and strengthen information sharing among responsible government agencies that can promote risk identification and protective action, including, for example, the creation of state, local, and regional fusion centers across the country and information sharing initiatives involving Joint Terrorism

Task Forces. The intent of these proposed revisions to part 23 is to ensure that the standards for sharing criminal intelligence information subject to the regulation be uniform and clear and not create unreasonable impediments to information sharing, whether real or perceived, while at the same time continuing to ensure that the systems not be used in violation of the privacy and constitutional rights of individuals.

Page 44674

Section 23.1

Section 23.1 contains a parenthetical list of statutory amendments to the Crime Control Act that is out of date. It is proposed that this section be revised to strike this parenthetical.

Section 23.2

Section 23.2 describes the background for the part 23 criminal intelligence operating policies. It recognizes that certain criminal activities often involve some degree of regular coordination and permanent organization involving a large number of participants over a broad geographical area. The examples currently cited of such ongoing networks of criminal activities do not include a reference to terrorism or the material support of terrorism. To clarify that the detection, exposure, investigation, and prevention of terrorist activity and conduct is an important part of the role played by criminal intelligence systems, it is proposed that ``domestic and international terrorism, including the material support thereof,'' be added to the examples of criminal activities about which it is important to gather, maintain, and share criminal intelligence information.

Section 23.3

It is proposed to remove the outdated parenthetical statutory references and to make some non-substantive grammatical/syntactical changes in this section.

Section 23.20

Paragraph (a) of section 23.20 currently states the basic operating principle that a project shall collect and maintain criminal intelligence information concerning ``an individual'' only if there is reasonable suspicion that the individual is involved in criminal conduct or activity and the information is relevant to that conduct or activity. Because criminal conduct or activities can be engaged in by organizations as well as individuals, it is proposed that this section be amended to clarify that criminal intelligence information can be collected and maintained about organizations, as well as individuals.

This clarification is consistent with section 23.3(b)(3)(i), which defines the term ``criminal intelligence information'' as meaning data that has been evaluated to determine that it ``is relevant to the identification of criminal activity engaged in by an individual who or organization which is reasonably suspected of involvement in criminal activity.'' (Emphasis added.) It should be noted that the inclusion of the term ``organization'' in section 23.20(a) does not affect the prohibition in section 23.20(b) of the ``[collection] or [maintenance of] criminal intelligence information about the political, religious or social views, associations, or activities of any individual or any group, association, corporation, business, partnership, or other organization. * * *''

Paragraph (e) is proposed to be revised to define more clearly the circumstances under which criminal intelligence information subject to the regulations may be shared. The existing language provides that such information shall only be disseminated ``where there is a need to know and a right to know the information in the performance of a law enforcement activity.'' The terms ``need to know'' or ``right to know'' are not defined in the regulation. Instead, section 23.20(g) requires that ``[e]ach project must establish written definitions for the need to know and right to know standards for dissemination to other agencies as provided in paragraph (e) of this section.'' While some agencies may broadly interpret these terms to allow efficient sharing of criminal intelligence information with all authorized officials or entities, other agencies may construe this language more restrictively. There is no uniform definition of the information sharing standard. In addition, there is no reference in this provision to disseminating criminal intelligence information for preventative law enforcement, homeland security, or counterterrorism purposes. The terrorist attacks of

September 11, 2001, have made it clear that the sharing of intelligence information should be maximized, to the extent consistent with applicable law and protection for privacy and civil liberties, among federal, state, and local agencies responsible for law enforcement, preventing terrorism, and securing our homeland. Reducing real or perceived barriers to the sharing of investigative and intelligence information that could aid in law enforcement or in the prevention of crime or terrorism is now a well-recognized priority of federal, state, and local agencies. Therefore, to provide clearer guidance on the circumstances under which criminal intelligence information may be shared, a revision to paragraph (e) is proposed that would establish a uniform standard of permissible purposes for the dissemination of criminal intelligence information, authorizing dissemination when the information falls within the law enforcement, counterterrorism, or national security responsibility of the receiving agency or may assist in preventing crime or the use of violence or any conduct dangerous to human life or property. The proposed revision also would clarify the authorities to whom information may be disseminated, including agencies with law enforcement, homeland security, or counterterrorism missions.

The proposed revision also would provide that criminal intelligence information may be disseminated to officials of the Office of Justice

Programs when such officials are monitoring or auditing compliance by a project with the operating principles and funding guidelines under Part 23.

Paragraph (f)(1) currently limits dissemination of criminal intelligence information only to ``law enforcement authorities'' that

``agree to follow procedures regarding information receipt, maintenance, security, and dissemination which are consistent with'' part 23 principles. Consistent with the change in the dissemination rule in section 23.20(e), this section is proposed to be amended to clarify that the authorities to which information may be disseminated would include agencies qualified to receive the information under paragraph (e). In addition, it is proposed that paragraph (f)(1) be further amended to provide that the receiving agencies have information procedures in place that are consistent with part 23's operating principles, rather than that they ``agree to follow'' such procedures.

This retains the requirement that receiving agencies implement part 23 principles, while removing the potential barrier to information sharing that requiring an ``agreement'' for each sharing arrangement might entail. It is important to note that a new proposed provision--section 23.30, paragraph (f)--will require projects to have in place, or establish within timeframes specified by OJP's Bureau of Justice

Assistance (BJA), a written privacy policy specifying the operational steps being followed to comply with section 23.20 principles.

Paragraph (f)(2) creates an exception to the requirement in paragraph (f)(1) allowing the dissemination of ``an assessment of criminal intelligence information to a government official or any other individual, when necessary to avoid imminent danger to life or property.'' The term ``imminent'' is not defined. Because the provision already requires a determination that the sharing of the information assessment is ``necessary'' to avoid danger to life or property, it is proposed that the term ``imminent'' be deleted.

Changes are proposed to paragraph (g) to conform to the proposed change in paragraph (e) that substitutes a national standard of dissemination for the

Page 44675

existing, locally-defined ``need to know and right to know'' dissemination standard. The proposed changes do not substantively alter the longstanding requirement that criminal intelligence systems record certain information regarding the dissemination of criminal intelligence information. Taking this into account, OJP has determined that there is no need for a new Information Collection Review or burden calculation for this recordkeeping requirement in this notice of proposed rulemaking.

Paragraph (h) provides rules for projects to assure the continuing relevance and importance of criminal intelligence information and requires projects to have procedures for the periodic review of information and destruction of any information that is misleading, obsolete, or otherwise unreliable. The regulation limits the retention period to a maximum of five years without a review and validation of the information. When information has been reviewed or updated and a determination has been made that it continues to meet system submission criteria, the information has been ``validated'' and a new retention period begins. The five-year retention period was established before the events of 9/11 and the advent of the current terrorist threat environment. This relatively-short retention period may not be long enough to cover terrorist planning cycles and/or the need for historical data for terrorism threat assessment. New technologies for data storage and analysis make possible the extended retention and potential usefulness of this information for purposes of such threat assessments. In addition, information about subjects of criminal intelligence incarcerated during the five-year retention period may be unavailable to a jurisdiction upon the subject's release from prison.

For these reasons, it is proposed that the retention period be changed to 10 years and that an exception be made to allow the tolling of the retention period during a subject's incarceration so that the intelligence file can be available to law enforcement upon the subject's release from prison.

Finally, paragraph (i)(1) currently prohibits making remote terminal access to intelligence information available to system participants except as specifically approved by OJP upon a determination that the system has adequate policies and procedures in place to insure that such access is available only to authorized users.

System managers have informed the Department that this provision's requirement of pre-approval by OJP is outdated, given the modern access controls that routinely provide appropriate security for remote access arrangements. It is therefore proposed that this provision be revised to remove the requirement that OJP approve a system's security policy and procedures before remote-access may be implemented. Although this would remove the requirement of OJP approval, OJP expects to continue to provide projects with training and technical assistance regarding information privacy and security practices and polices, including those prescribed through the Department of Justice's Global Justice

Information Sharing Initiative or successor entity.

Finally, a few non-substantive grammatical/syntactical changes are proposed variously throughout the section.

Section 23.30

Section 23.30 specifies funding guidelines that require, among other things, that intelligence systems agree to adhere to the principles set forth in section 23.20, have an agency head or official with general policy-making authority certify in writing that he takes responsibility and will be accountable for the information in the system and the system's compliance with the section 23.20 principles.

In the case of interjurisdictional systems, section 23.30(d)(2) requires (1) that section 23.20 principles be made part of the system's by-laws or operating policies and (2) that agencies participating in the interjurisdictional system, as a condition of participation,

``accept in writing'' section 23.20 principles relating to the submission, maintenance, and dissemination of information. In light of advancements in technology since the rule was first published, it is proposed that the latter requirement be modified to provide that participating agencies, as a condition of ``access'' thereunder,

``affirmatively accept'' those principles. This change is proposed to account for new technology that provides methods other than writing for an individual to express acceptance of conditions of access, such as when computer users click on an ``accept'' button for an end-user's licensing agreement. Also, changing the affirmative acceptance requirement as a condition of ``access'' (as opposed to a condition of

``participation'') means that the user will be required to express his acceptance of section 23.20 principles each time access is sought, and not merely just once at the outset of an agency's participation in the interjurisdictional system.

It is also proposed that a reference to counterterrorism be added in paragraph (a) regarding the purposes for which criminal intelligence information may be collected and exchanged.

In addition (aside from some non-substantive grammatical/ syntactical proposed changes), it is proposed that another requirement be added to section 23.30, in a new paragraph (f), requiring systems to have in place, or establish within timeframes specified in grant-making or other guidance by BJA, a written privacy policy that details the specific operational steps being followed to comply the section 23.20 privacy and civil liberty safeguards. It is expected that such a requirement would be imposed within BJA-specified timeframes that allow projects adequate time and support to develop such written policies. It is also contemplated that such written policies would be consistent with existing privacy guidance for justice information systems, including the Global Justice Information Sharing Initiative's privacy recommendations, DOJ privacy guidance, and other relevant privacy guidelines such as the privacy guidance for the information sharing environment.

Regulatory Flexibility Act

The Attorney General, in accordance with the Regulatory Flexibility

Act (5 U.S.C. 605(b)), has reviewed this proposed rule and by approving it certifies that it would not have a significant economic impact on a substantial number of small entities for the following reasons: The proposed clarifying changes in the regulations governing operating policies for federally-funded criminal intelligence systems do not involve changes that would impose significant costs on the state and local projects that manage these systems.

Executive Order 12866

This proposed rule has been drafted and reviewed in accordance with

Executive Order 12866, ``Regulatory Planning and Review,'' section 1(b), Principles of Regulation. The Department of Justice has determined that this proposed rule is a ``significant regulatory action'' under Executive Order 12866, section 3(f), and accordingly it has been reviewed by the Office of Management and Budget.

Executive Order 13132

This proposed rule would not have substantial direct effects on the

States, on the relationship between the national government and the

States, or on the distribution of power and responsibilities among the various levels of government. Therefore, in

Page 44676

accordance with Executive Order 13132, it is determined that this rule does not have sufficient federalism implications to warrant the preparation of a Federalism Assessment.

Executive Order 12988--Civil Justice Reform

This proposed rule meets the applicable standards set forth in sections 3(a) and 3(b)(2) of Executive Order 12988.

Unfunded Mandates Reform Act of 1995

This proposed rule would not result in the expenditure by State, local and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year, and it would not significantly or uniquely affect small governments. Therefore, no actions were deemed necessary under the provisions of the Unfunded

Mandates Reform Act of 1995.

Small Business Regulatory Enforcement Fairness Act of 1996

This proposed rule is not a major rule as defined by section 251 of the Small Business Regulatory Enforcement Fairness Act of 1996. 5

U.S.C. 804. This proposed rule would not result in an annual effect on the economy of $100 million or more; a major increase in costs or prices; or significant adverse effects on competition, employment, investment, productivity, or innovation, or on the ability of United

States-based companies to compete with foreign-based companies in domestic and export markets.

List of Subjects in 28 CFR Part 23

Crime, Information, Law enforcement, Recordkeeping.

For the reasons stated in the preamble, the Office of Justice

Programs proposes to amend 28 CFR Chapter I part 23 as follows:

PART 23--CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES 1. The authority citation for part 23 continues to read as follows:

Authority: 42 U.S.C. 3782(a); 42 U.S.C. 3789g(c). 2. Section 23.1 is revised to read as follows:

Sec. 23.1 Purpose.

The purpose of this regulation is to assure that all criminal intelligence systems operating through support under the Omnibus Crime

Control and Safe Streets Act of 1968, Public Law 90-351, codified as amended at 42 U.S.C. 3711, et seq., (``Crime Control Act'') are utilized in conformance with the privacy and constitutional rights of individuals and organizations.

Sec. 23.2 [Amended] 3. The first sentence of Section 23.2 is amended by removing

``and'' after ``bribery,'' and adding ``and domestic and international terrorism (including the material support thereof)'' after ``corruption of public officials''. 4. Section 23.3 is revised to read as follows:

Sec. 23.3 Applicability.

(a) The provisions of this part are applicable to all criminal intelligence systems described in section 23.1.

(b) As used in this part:

(1) Criminal Intelligence System or Intelligence System means the arrangements, equipment, facilities, and procedures used for the receipt, storage, interagency exchange or dissemination, and analysis of criminal intelligence information;

(2) Interjurisdictional Intelligence System means an intelligence system that involves two or more participating agencies representing different governmental units or jurisdictions;

(3) Criminal Intelligence Information means data that have been evaluated to determine that it:

(i) Is relevant to the identification of and the criminal activity engaged in by an individual who, or an organization that is reasonably suspected of involvement in criminal activity, and

(ii) Meets criminal intelligence system submission criteria;

(4) Participating Agency means an agency of local, county, State,

Federal, or other governmental unit that exercises law enforcement or criminal investigation authority and that is authorized to submit and receive criminal intelligence information through an interjurisdictional intelligence system. A participating agency may be a member or a nonmember of an interjurisdictional intelligence system;

(5) Intelligence Project or Project means either the organizational unit that operates an intelligence system on behalf of and for the benefit of a single agency, or the organization that operates an interjurisdictional intelligence system on behalf of a group of participating agencies; and

(6) Validation of Information means the procedures governing the periodic review of criminal intelligence information to assure its continuing compliance with system submission criteria established by regulation or program policy. 5. Section 23.20 is amended as follows: a. In paragraph (a), add ``or organization'' after ``individual'' both places it occurs. b. In paragraphs (c), (d), (h), and (n), remove ``which'' each place it occurs and add ``that'' in its place; in paragraph (n), remove

``so'' from the last sentence. c. Remove reserved paragraph (ii) immediately preceding paragraph

(j). d. Revise paragraphs (e), (f), and (g) introductory text, revise the last sentence of paragraph (h) and add a new sentence to follow it; and revise paragraph (i) to read as follows:

Sec. 23.20 Operating principles.

* * * * *

(e)(1) Criminal intelligence information may be disseminated to law enforcement, homeland security, or counterterrorism agencies by a project or authorized recipient for any type of detective, investigative, preventive, or intelligence activity only when the information--

(i) Falls within the law enforcement, counterterrorism, or national security responsibility of the receiving agency or

(ii) May assist in preventing a crime or the use of violence or any conduct dangerous to human life or property.

(2) Criminal intelligence information may also be disseminated to officials within the Office of Justice Programs when they are monitoring or auditing a project's compliance with the provisions of this part.

(f)(1) Except as provided in paragraph (f)(2) of this section, a project shall disseminate criminal intelligence information only to agencies qualified to receive the information under paragraph (e) of this section and that have procedures regarding information receipt, maintenance, security, and dissemination that are consistent with the privacy and civil liberties safeguards included in these operating principles.

(2) Paragraph (f)(1) of this section shall not limit dissemination of an assessment of criminal intelligence information to a government official or to any other individual, when reasonably necessary to avoid danger to life or property.

(g) A project shall ensure the adoption of administrative, technical, and physical safeguards (including audit trails) to protect against unauthorized access and against intentional or unintentional damage. A record indicating to whom information has been disseminated outside the project, the reason for the dissemination, and the date of each such dissemination shall be kept. Information shall be labeled to indicate levels of sensitivity, levels of confidence, and the identity of submitting agencies and control

Page 44677

officials. Each intelligence project shall assure the implementation and regular review of appropriate security requirements and policies, including the following:

* * *

(h) * * * Criminal intelligence information retained in an intelligence system must be reviewed and validated for continuing compliance with system submission criteria before the expiration of the information's retention period, which in no event shall be longer than ten (10) years. The retention period relating to a subject shall be tolled while the subject is incarcerated.

(i)(1) A project shall have in place security policies and procedures to ensure that remote access to intelligence information be available only to authorized system users; and

(2) A project shall undertake no major modifications to system design without prior grantor agency approval.

* * * * * 6. Section 23.30 is amended as follows: a. In paragraph (a), remove ``investigatory or'' and add

``investigatory,'' in its place and after ``prosecutorial'' add ``, or counterterrorism''. b. In paragraph (b) introductory text, remove ``activity'' and add

``activities'' in its place and remove ``areas of''. c. In paragraph (b)(1), remove ``of citizens''. d. Revise paragraphs (c) and (d) and add a new paragraph (f), to read as follows:

Sec. 23.30 Funding guidelines.

* * * * *

(c) Control and supervision of information collection and dissemination by an intelligence system shall be retained by the head of a government agency or an individual with general policy making authority who has been expressly delegated such control by the agency head. This official shall certify in writing that he takes full responsibility for the system's compliance with this part.

(d) (1) Official responsibility and accountability for actions taken by an inter-jurisdictional criminal intelligence system shall be assumed by the head of the governmental agency exercising control and supervision over the operation of the system or by an individual with general policy making authority who has been expressly delegated such control or supervision by the agency head. This official shall certify in writing that he takes full responsibility for the inter- jurisdictional system's compliance with this part.

(2) The principles set forth in Sec. 23.20 shall be made part of the by-laws or operating procedures for the inter-jurisdictional system. Each participating agency, as a condition of access, must affirmatively accept those principles that govern the collection, maintenance, and dissemination of information included as part of the interjurisdictional system.

* * * * *

(f) The project has in place, or will establish within timeframes specified in grant-making or other guidance by BJA, a written privacy policy specifying the operational steps being followed to comply with

Sec. 23.20 principles.

Dated: July 16, 2008.

Jeffrey L. Sedgwick,

Acting Assistant Attorney General, Office of Justice Programs.

FR Doc. E8-17519 Filed 7-30-08; 8:45 am

BILLING CODE 4410-18-P

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT