Audit Policy Reference
Audit Policy Reference
1. The CSO or designee shall ensure an N-DEx agency coordinator (NAC) is designated within each agency which accesses N-DEx. The NAC serves as the POC for the CSO at the local agency for matters relating to N-DEx. The NAC administers N-DEx within the local agency and oversees the agency’s compliance with N-DEx system policies. (Law Enforcement National Data Exchange Policy and Operating Manual, Version 1.1, 1.6.4)
2. N-DEx contains criminal justice information obtained by criminal justice agencies in connection with their official duties administering criminal justice, and N-DEx system access is restricted to criminal justice agencies and agencies performing the administration of criminal justice. Only the following agencies are authorized to access N-DEx based on the agency type originating agency identifier (ORI) value as indicated by the ninth character:
- Law Enforcement Agencies
- Law enforcement agencies possessing the ninth character ORIs of 0-9 (numeric values) e.g., police, sheriff.
- Criminal Justice Agencies
- Prosecuting Attorney’s Offices—ORIs end in an A. This includes District Attorney’s Offices, Attorney General’s Offices, etc.
- Pretrial service agencies and pretrial release agencies—ORIs end in a B.
- Correctional Institutions—ORIs end in a C. This includes jails, prisons, detention centers, etc.
- Non-governmental railroad or campus police departments qualifying for access to III—ORIs end in an E.
- Probation and Parole Offices—ORIs end in a G
- INTERPOL—ORIs end in an I. As a foreign criminal justice agency, INTERPOL shall be a limited system participant. Local, state, and tribal criminal justice agency data shall not be shareable with limited system participants.
- Courts and Magistrates Offices—ORIs end in a J.
- Custodial facilities in medical or psychiatric institutions and some medical examiners’ offices which are criminal justice in function—ORIs end in an M.
- Regional dispatch centers that are criminal justice agencies or non-criminal justice governmental agencies performing criminal justice dispatching functions for criminal justice agencies—ORIs end in an ”.
- Local, county, state, or federal agencies that are classified as criminal justice agencies by statute but do not fall into one of the aforementioned categories—ORIs end in a Y.
- (Law Enforcement National Data Exchange Policy and Operating Manual, Version 1.1, 1.3.3; 184.108.40.206; 220.127.116.11)
3. A CSA may delegate responsibilities, including user management, to the NAC of subordinate agencies as outlined in the CJIS Security Policy. (Law Enforcement National Data Exchange Policy and Operating Manual, Version 1.1, 18.104.22.168)
To verify identification, a state of residency and national fingerprint-based record checks shall be conducted within 30 days of assignment for all personnel who have direct access to CJI and those who have direct responsibility to configure and maintain computer systems and networks with direct access to CJI. (CJIS Security Policy, Version 5.0, 22.214.171.124)
4. Acceptable Use of N-DEx: Personnel engaged in the following investigative activities may be granted access by the CSA consistent with state laws:
- Law enforcement investigations, i.e., to further investigations of criminal behavior based on prior identification of specific criminal activity by an agency with statutory ability to perform arrest functions.
- Pretrial release investigation, i.e., to obtain information about recently arrested defendants for use in deciding whether conditions are to be set for defendants’ release prior to trial, monitor a defendant’s compliance with his/her conditions of release during pretrial period, and identify offenses pending adjudication.
- Intake investigation, i.e., to conduct prisoner classification and offender risk assessments to safely manage the correction population
- Correctional institution investigation, i.e., to identify and suppress criminal suspects and criminal enterprise organizations operating within correctional systems, prepare for the prosecution of crimes committed within a correctional institution, conduct criminal apprehension efforts of prison escapees, ensure inmates cannot continue their criminal activities through misuse of visitation or communication privileges, monitor out source supervision and treatment progress, conduct offender travel permit investigations, prepare for prisoner transfer, and conduct pre-release investigation to determine reentry requirements and facilitate release notification.
- Pre-sentence investigation, i.e., to identify the risk of reoffense, flight, community, officer and victim safety, identify law enforcement contact not resulting in arrest, identify offenses pending adjudication, and ensure illicit income is not used for bail, bond, or criminal defense.
- Supervision investigation, i.e., to identify incident information (i.e. personal conduct, contact with LEAs, offenses, gang affiliations, known associates, employment, etc.) constituting a violation of release or supervision conditions, prepare and investigate interstate transfer of adult offenders, facilitate concurrent supervision, conduct risk and needs assessments, facilitate apprehension of absconders, and identify offenses pending adjudication.
- Data administration/management, i.e., to perform administrative role responsibilities and conduct searches of record owner contributed data as a part of internal review by a record owner. Responses for this purpose may not be disseminated for any other reason and are limited to that agency’s portion of N-DEx contributed records.
- Training, i.e., to educate users on the policies, services and capabilities of the N-DEx system utilizing authentic criminal justice information submitted to N-DEx by criminal justice agencies. (Law Enforcement National Data Exchange Policy and Operating Manual, Version 1.1, 1.3.4; 126.96.36.199 - 188.8.131.52)
5.a. Advanced Permission Requirement: Terms of N-DEx information use must be obtained from the record-owning agency prior to reliance or action upon, or secondary dissemination. N-DEx information may only be relied or acted upon, or secondarily disseminated within the limitations specified by the record-owning agency. Reliance or action upon, or secondary dissemination of N-DEx information beyond the original terms requires further permission from the record owning agency. The use or inclusion of N-DEx information in the publication or preparation of charts, presentations, official files, analytical products or other documentation, to include, use in the judicial, legal, administrative, or other criminal justice process, etc., specifically requires advanced permission. (Law Enforcement National Data Exchange Policy and Operating Manual, Version 1.1, 1.3.7)
5.b. Verification Requirement: N-DEx information must be verified with the record-owning agency for completeness, timeliness, accuracy, and relevancy prior to reliance upon, action, or secondary dissemination. (Law Enforcement National Data Exchange Policy and Operating Manual, Version 1.1, 1.3.8)
6. If CHRI is released to another authorized agency, and that agency was not part of the releasing agency’s primary information exchange agreement(s), the releasing agency shall log such dissemination. (CJIS Security Policy, Version 5.0, 5.1.3)
III Maintenance and Disposal
7. When CHRI is stored, agencies shall establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of the information. These records shall be stored for extended periods only when they are key elements for the integrity and/or utility of case files and/or criminal record files. (CJIS Security Policy, Version 5.0, 4.2.3)
8. Physical media shall be securely disposed of when no longer required, using formal procedures. Formal procedures for the secure disposal or destruction of physical media shall minimize the risk of sensitive information compromise by unauthorized individuals. Physical media shall be destroyed by shredding or incineration. Agencies shall ensure the disposal or destruction is witnessed or carried out by authorized personnel. (CJIS Security Policy, Version 5.0, 5.8.4)
NCIC Hit Confirmation
9. Any agency which receives a record(s) in response to an NCIC 2000 inquiry must confirm the hit on any record(s) which appears to have been entered for the person or property inquired upon taking any of the following actions based upon the hit NCIC record: 1) arresting wanted person, 2) detaining the missing person, 3) seizing the stolen property, or 4) charging the subject with violating a protection order. Additionally, an agency detaining an individual on local charges where the individual appears identical to the subject of the wanted person record and is within the geographical area of extradition must confirm the hit. (NCIC 2000 Operating Manual, Introduction, Section 3.5.1)
Confirming a hit means to contact the agency that entered the record to: ensure that the person or property inquired upon is identical to the person or property identified in the record; ensure that the warrant, missing person report, protection order, or theft report is still outstanding; and obtain a decision regarding 1) the extradition of a wanted person when applicable, 2) information regarding the return of the missing person to the appropriate authorities, 3) information regarding the return of stolen property to its rightful owner, or 4) information regarding the terms, conditions, and service of a protection order.
Note: the source documents used for hit confirmation may be electronic if the local agency has implemented the controls required by the CTA for electronic documents supporting NCIC records. (NCIC 2000 Operating Manual, Introduction, Section 3.5, 1, 1-3)
10. Every agency, upon taking a person into custody, identifying a missing person, or acquiring property, after confirming the hit, must place a locate on the corresponding NCIC record(s).
Exception: If the missing person has been positively identified by partial body parts, the locating agency should determine if the entering agency wants the record to be located. The record may remain in NCIC for future positive identification in the event additional body parts are subsequently recovered (NCIC 2000 Operating Manual, Introduction, Section 3.5, 3, 5)
11. Prior to accessing N-DEx, CSAs shall ensure, directly or through local delegation, that users are trained on N-DEx policy matters, emphasizing data use rules. Every two years, train users on N-DEx policy matters, emphasizing data use rules. (Law Enforcement National Data Exchange Policy and Operating Manual, Version 1.1, 2.4.2, 2.4.5)
12. Basic security awareness training shall be required within six months of initial assignment and biennially thereafter, for all personnel who have access to CJI. (Law Enforcement National Data Exchange Policy and Operating Manual, Version 1.1, 2.4.3)
13. Train N-DEx users granted access to leveraged CJIS System of Services system(s) in accordance with individual leveraged system training requirements. (Law Enforcement National Data Exchange Policy and Operating Manual, Version 1.1, 2.4.4)
14. CSA shall ensure that all individuals with physical and logical access to N-DEx information are trained on N-DEx data use. (Law Enforcement National Data Exchange Policy and Operating Manual, Version 1.1, 2.4.6)
15. Maintain records of all training and proficiency affirmation. (Law Enforcement National Data Exchange Policy and Operating Manual, Version 1.1, 2.4.7)
16. Any criminal justice Agency receiving access to FBI CJIS data shall enter into a signed written agreement with the appropriate signatory authority of the CSA providing the access. The written agreement shall specify the FBI CJIS systems and services to which the agency will have access, and the FBI CJIS Division policies to which the agency must adhere. (CJIS Security Policy, Version 5.0, 5.1.3)
Immediate Use of N-DEx Information
Immediate use of N-DEx information can be made without the advanced permission of the record owning agency if there is an exigent circumstance—an emergency situation requiring swift action to prevent imminent danger to life or serious damage to property, or to forestall the imminent escape of a suspect, or destruction of evidence. Users failing to obtain advanced permission and perform verification due to exigent circumstances may subject themselves to liability for their actions. The record-owning agency shall be immediately notified of any dissemination made as a result of exigent circumstances. (Law Enforcement National Data Exchange Policy and Operating Manual, Version 1.1, 1.3.10)
Documenting Authorization Requests and Concurrences
Participating agencies are encouraged to consider how they may wish to account for use authorization requests and concurrences. While N-DEx does not systematically support nor require a log to be maintained, agencies are encouraged to consider how the advanced permission, verification, and data provision may be documented within their own organization. (Law Enforcement National Data Exchange Policy and Operating Manual, Version 1.1, 1.3.11)
The CJIS Security Policy, Version 5.0 and the Law Enforcement National Data Exchange Policy and Operating Manual, Version 1.1, are available from the N-DEx Special Interest Group on Law Enforcement Online at www.leo.gov.