Interstate Photo System

Privacy Impact Assessment (PIA)
for the
Next Generation Identification (NGI)
Interstate Photo System (IPS)
June 9, 2008

I. Introduction

I.1. Background

Pursuant to the authority provided by 28 U.S.C. § 534, the FBI, a component of the Department of Justice (DOJ), acquires, collects, classifies and maintains identification, criminal identification, crime, and other records. Pursuant to the same authority the FBI exchanges such records and information with authorized officials of local, joint, tribal, State, Federal, foreign, and international criminal and noncriminal justice agencies, or to an agency, organization, person, or entity in either the public or private sector, domestic or foreign, where such disclosure may promote, assist, or otherwise serve law enforcement and other legislatively recognized interests. These responsibilities date back to the initiation of FBI fingerprint identification services in 1924.

The FBI’s Criminal Justice Information Services (CJIS) Division was established in February 1992 to serve as the focal point and central repository for criminal justice information services in the FBI. It is the FBI's largest division and uses a family of automated systems and infrastructure in a "System of Services" (SoS) to provide identification, verification, information, investigation, notification, and data management services to its authorized users. These systems include the Integrated Automated Fingerprint Identification System (IAFIS), the National Crime Information Center (NCIC), and the national criminal history record index known as the Interstate Identification Index (III, or "Triple I").

This Privacy Impact Assessment (PIA) addresses enhancements to existing FBI photographic information services provided by the IAFIS Interstate Photo System (IPS), including the increased capacity to retain photographic images, additional opportunities for agencies to submit photographic images, and additional search capabilities, including automated searches via the NCIC.

I.2. The Integrated Automated Fingerprint Identification System (IAFIS)

For most of the FBI's criminal justice information management history, record submissions and record requests were supported by ink and paper fingerprints. During the 1980s, however, technology was developed allowing State repositories to collect fingerprints and search against fingerprint databases digitally. To meet the growing demand for automated fingerprint identification, the FBI developed and implemented the IAFIS, which became operational in 1999. The IAFIS houses the largest collection of digital representations of fingerprint images, features from the digital fingerprint images, and criminal history information in the world. Collectively, this data comprises the biometrics, content, format and units of measurement for the electronic exchange of information that may be used in the fingerprint (or other biometric) identification of a person. Categories of fingerprints currently maintained by the FBI include: persons fingerprinted as a result of arrest, incarceration, or other authorized criminal justice purpose; persons fingerprinted for employment, licensing, security assessments, or other authorized noncriminal justice purpose, such as authorized Federal background check programs and military service; persons fingerprinted for visa, alien registration, immigration, naturalization, or related Department of State or Department of Homeland Security purposes; persons desiring to have their fingerprints placed on record with the FBI for personal identification purposes; individuals fingerprinted for authorized national security purposes (including military detainees and known and suspected terrorists); individuals with footprints, palm prints, photographs, or other biometric identifiers that have been taken for authorized purposes enumerated above; and individuals who leave latent fingerprints, palm prints, photographic images, or other biometric indicators at locations or on items associated with criminal activity or otherwise having a lawful investigative or national security interest.

The IAFIS provides automated fingerprint search capabilities, latent print search capabilities, electronic image storage, and electronic exchange of fingerprints, criminal history, and associated mug shots across jurisdictional boundaries 24 hours a day, 365 days a year, in support of thousands of law enforcement organizations and of employment suitability checks for hundreds of civil agencies. The IAFIS provides three major services to its customers. First, it provides positive identification of subjects based on ten-print fingerprint submissions and provides a ranked candidate list for latent fingerprint submissions. The system checks submitted fingerprints against all known criminals in relevant portions of the database, normally within two hours of an electronic ten-print criminal request and within 24 hours of an electronic civil fingerprint submission. Second, the IAFIS is a repository of criminal history information, fingerprints, criminal subject photographs, as well as information regarding military, civilian Federal employees and other individuals as authorized or permitted by Congress, the President, or other lawful authority. Third, the IAFIS provides candidate lists based on descriptive information queries using combinations of text-based parameters such as names, dates of birth, social security numbers, distinctive body markings, and identification numbers. These primary functions provide the FBI a fully automated fingerprint identification system, criminal history reporting system, and photograph repository that has improved fingerprint and investigative services for the law enforcement community.

IAFIS is a component of the FBI Privacy Act system of records titled "Fingerprint Identification Records System" (FIRS) (JUSTICE/FBI-009) (64 FR 52343, 52347; 66 FR 33558; 70 FR 7513, 7517; 72 FR 3410).

I.3. The Interstate Identification Index (III, or "Triple I")

The III is a component of IAFIS comprising a cooperative Federal-State national network that functions as an index-pointer system connecting the criminal history repositories of the FBI and of participating States to facilitate the exchange of automated criminal history record information (CHRI, or "rap sheets") via functionalities for subject search and criminal photo storage and retrieval. See 20 CFR 20.3(m). (The FBI has previously described the III as being a part of the NCIC, but we are in the process of re-characterizing it as being a part of IAFIS/FIRS, to be reflected in upcoming revisions to the FIRS and NCIC system of records notices and the CFR.) All information in the III is supported by fingerprint submissions. Under the III, the FBI maintains an index of persons arrested for felonies or misdemeanors under either State or Federal law. The index includes identification data such as name, birth date, race, sex, aliases, physical descriptors, distinctive body markings, fingerprint classifications, and the names of the agencies maintaining the criminal history information. In addition, the index contains FBI Numbers (FNUs) and State Identification Numbers (SIDs) from each State that has information about an individual. Each FNU and SID is tied to a single person positively identified by fingerprints (or occasionally by some other unique biometric, such as palm prints or iris scans). There may be both an FNU and SID for the same person (and a single person may have different SIDs from different States). The FBI is in the process of developing a Universal Control Number (UCN) that will serve as a common identifying number that will tie together all other identifying numbers (both civil and criminal) for a particular person.

III inquiries using names and other identifiers are made by law enforcement agencies throughout the country. Data are automatically retrieved from the appropriate repositories, including State repositories, and forwarded to the requesting agency via the following process. An inquiry message searches the index by name and numeric identifiers to determine if a person has a criminal history record on file. This takes about two seconds and if a match or potential match occurs, III sends a positive response containing additional identifying data (FNU, or UCN once implemented) to associate the record with the subject of the inquiry (and may return responses for multiple subjects, if more than one person may match the search parameters). The requesting agency may then make a subsequent request for the records using the associated FNU (or UCN) to generate criminal history reports from all locations maintaining files on the subject. The FBI directly provides records for persons arrested by Federal agencies and States not currently participating in III. Participating States furnish records from their files using the NLETS (International Justice and Public Safety Information Sharing Network, previously referred to as the National Law Enforcement Telecommunications System). When a photo(s) is available for a subject of an inquiry, the requesting agency is apprised "PHOTO AVAILABLE."

I.4. The IAFIS Interstate Photo System (IPS)

The IAFIS currently only allows criminal justice agencies to submit photos ("mug shots") with arrests and only allows for the retrieval of photos by specifying the individual whose photo is desired. These photos reside in the IAFIS component called the Interstate Photo System (IPS). IPS can accept four photos with each criminal (arrest) fingerprint submission, which is referred to as a photo set. The IPS currently allows up to ten photo sets per IAFIS FBI record. When a "PHOTO AVAILABLE" appears on the FBI record, authorized requesters can then request the photo(s) of the specified individual (using the individual's unique FNU) via a "Criminal Photo Request" (CPR) to CJIS on the CJIS WAN. CJIS must manually process such requests and responses. If the date of arrest is supplied, then the photo set that matches the arrest data is returned; otherwise the latest photo set is returned.

I.5. The CJIS Wide Area Network (WAN)

The CJIS WAN is telecommunications infrastructure connecting authorized user agencies to the FBI’s host computer systems, via a collection of Virtual Private Network (VPN) links and near point-to-point T-1 and higher class data lines connecting the CJIS Data Center in West Virginia to selected points throughout the United States.

I.6. The National Crime Information Center (NCIC)

The NCIC is a computerized information system containing documented criminal justice information that is accessed by name and other descriptive data. The FBI established the NCIC system in 1967 as a service to facilitate the sharing of law enforcement information, and participation now encompasses criminal and noncriminal justice agencies located in the 50 states, the District of Columbia, U.S. territories and possessions, and selected foreign countries. The NCIC computer stores vast amounts of criminal justice information that can be directly accessed by and furnished to any authorized user terminal. NCIC contains a variety of files of interest to law enforcement, including wanted persons, civil protection orders, registered sex offenders, gang and terrorist organization members, and missing persons. NCIC records are contributed by participating criminal justice agencies. Agencies that enter records are responsible for their accuracy, timeliness, and completeness. Requirements concerning which agencies can make entries and what kinds of data are required for specific entries vary according to the nature of the file. An NCIC user may access the NCIC through a regional and/or State computer system or, in some cases, through a direct line to the NCIC System.

Since implementation of NCIC-2000 in 1999, NCIC can also maintain images associated with NCIC records to assist users in identifying persons and property items in the NCIC. NCIC records relating to persons can include one mug shot, one fingerprint, one signature, and up to ten other identifying images (scars, marks, tattoos (SMTs)). The NCIC images are entered, maintained, and accessed independently of IAFIS IPS images; thus while it is possible that NCIC may include copies of mug shots that are also in the IAFIS IPS, the NCIC may also contain mug shots (and SMTs) that have not been entered in the IAFIS IPS. Like the current limitations on IAFIS IPS searches, NCIC images are only retrievable incident to retrieval of an NCIC record for a specified individual. However, NCIC images (like all NCIC records) may be retrieved directly by an authorized user without the need for manual processing by CJIS.

The FBI has established a separate Privacy Act system of records for the NCIC (JUSTICE/FBI-001) (64 FR 52343; 66 FR 33558; 70 FR 7513, 7517; 72 FR 3410).

I.7. Next Generation Identification (NGI): IPS Enhancements

The FBI's Next Generation Identification (NGI) Program (formerly referred to as Next Generation IAFIS) recognizes that although the IAFIS is compliant with existing uniform biometric standards, the future of identification services is rapidly advancing beyond existing capabilities. Identification needs of the law enforcement community have progressed beyond the dependency on a unimodal biometric identifier (e.g., fingerprints) towards multimodal biometric identifiers (e.g., voice, iris, facial, palm). The NGI Program has identified IAFIS initiatives that would provide desirable benefits during system upgrades and has also contacted the user and law enforcement communities for their input on desired changes, enhancements, and new initiatives for the system.

From September 2005 through March 2006, over 190 groups representing 1,000 users were canvassed for ideas regarding the IAFIS upgrade. These groups included State identification bureaus and crime labs, numerous criminal and noncriminal justice State and Federal agencies, as well as community of interest groups (e.g., The National Consortium for Justice Information and Statistics (SEARCH)). These groups identified multiple enhancements and identified new initiatives for biometric standards to support multimodal biometrics and interoperability with existing systems.

With input from the Executive Committee of the CJIS Division Advisory Policy Board (APB) and with representation from the National Crime Prevention and Privacy Compact Council (Compact Council) and from the Department of Homeland Security, the IAFIS Interface Evaluation Task Force (IIETF) has analyzed and categorized the suggested enhancements that encompass the IAFIS initiatives. Multiple suggestions recommended the expansion of existing capabilities or the development of new functionality to support future multimodal identification technology for the Interstate Photo System (IPS). The APB reviewed the IIETF recommendations and deemed the recommendations pertaining to the NGI IPS initiative as feasible for implementation.

The foregoing reviews indicated a lack of participation in the IAFIS IPS, attributed to the following primary reasons:

  • The IPS service is significantly under-populated due to the current policy restrictions limiting the number of photos that can be maintained per FBI record, limiting the type of photo submissions to facial (i.e., mug shots), prohibiting bulk photo submissions from existing contributor databases, requiring photo set submissions be accompanied by “ten-print” arrest cards (containing prints of all ten fingers), and prohibiting photo submissions with civil fingerprint submissions; and
  • The IPS service is under-utilized because it is difficult to search and retrieve photographs from the system. Currently, IAFIS users desiring photographs from the IPS must make a special CPR request to obtain such photographs, which must be manually processed by CJIS. Additionally, system search capabilities are minimal; searches can only be made by name or other identifying number, and cannot be made by entering precise physical descriptors or by using facial recognition technology.

In order to improve support to the law enforcement community and effectively overcome the aforementioned shortcomings, the NGI Program has identified the following NGI IPS (formerly IAFIS IPS) enhancements for implementation:

  • Eliminate the current policy restriction of ten photo sets per FBI record;
  • Allow submission of photos with all arrests that are supported by any number of fingerprints or a quoted FBI number (FNU) (or a quoted Universal Control Number (UCN), once implemented);
  • Allow bulk submission of photos that are linked with FNUs/UCNs at the time of submission;
  • Allow submission of photos with civil types of transactions (TOTs);
  • Allow submission of photos other than facial, that are compliant with the Electronic Biometric Transmission Specification (EBTS) (e.g., scars, marks, tattoos (SMTs));
  • Allow direct user retrieval of IPS photos via the NCIC;
  • Allow investigative search of photos using biographical criteria, including SMT descriptors; and
  • Provide an automated facial recognition search capability for investigative purposes.

Although photos are already currently part of the IAFIS IPS, the above enhancements will allow more photos to be retained in the system, will allow searches using better physical-descriptor algorithms and facial recognition technology, and will allow more direct retrieval of such photos by an authorized requestor.

Section 1.0
The System and the Information Collected and Stored within the System

1.1 What information is to be collected?

1.1.1 Identify and list all of the types of information in identifiable form that are collected and stored in the system that either directly identify an individual (such as name, address, social security number, telephone number, e-mail address, biometric identifiers, photograph, or other unique identifying number, code, or characteristic) or that when combined, indirectly identify an individual (such as a combination of gender, race, birth date, geographic indicator, license number, vehicle identifier including license plate, and other descriptors).

Identifying information that is already maintained in the IAFIS includes names, addresses, social security numbers, telephone numbers, e-mail addresses, biometric identifiers, unique identifying numbers, gender, race, dates of birth, geographic indicators, license numbers, vehicle identifiers including license plates and other descriptors and information collected as a result of an arrest or incarceration. (Although IAFIS descriptors can include information about distinctive body markings, the information is very general, e.g., "tattoo on right arm.") Existing IAFIS IPS functionality allows criminal justice agencies to submit criminal fingerprints and associated information with up to ten mug shot photos (frontal facial).

New information that will be collected for the NGI IPS will be a greater number of mug shots, as well as photos and biometric identifiers from civil fingerprint submissions, facial features for facial recognition technology, and photos of scars, marks, tattoos (SMTs).

IAFIS currently can collect and retain latent fingerprints from as yet unidentified individuals associated with criminal activity or otherwise having a lawful investigative or national security interest (such as fingerprints lifted from a crime scene). NGI IPS will also add an analogous functionality to collect and retain other images (such as those obtained from crime scene security cameras). Even though such images may not initially suffice to identify the particular individual in question, the images may later serve to directly or indirectly identify the individual if supplemental identifying information is located.

Additionally, the system will store information regarding the dissemination of photos and related data for audit logs. Dissemination of information will be linked to the authorized NGI IPS user and the agency that requested the photo.

1.2 From whom is the information collected?

1.2.1 List the individual, entity, or entities providing the specific information identified above. For example, is the information collected directly from the individual, as in the case of an investigator taking a statement from a suspect, or is it collected from other sources, such as commercial data aggregators?

Photos related to criminal justice matters will be submitted from all levels of law enforcement, correctional facilities, and other criminal justice agencies. Many of these photos (e.g., mug shots, SMT photos) will be directly taken by the submitting criminal justice agency itself, while others may be obtained by the submitting agency from other sources (such as security cameras, friends, family). In some instances (such as those from crime scene security cameras), the subjects may not have been aware of being photographed, and their identities may not yet be known or established. Typically the source of such photos will make them available to the cognizant law enforcement agency in the course of an investigation, and the law enforcement agency will in turn submit the photos to the IPS. Photos which upon submission cannot be sufficiently linked to a particular identity will be maintained in a common photo file, though they may later be associated with an identified individual's file if determined to be related.

In the great majority of cases, the photos in question will be generated directly from the subject by photographic means. In some cases, however, the photos may be generated indirectly (e.g., by artist or computer rendition based on descriptions from victims and witnesses).

Authorized noncriminal justice agencies and entities will be permitted to submit civil photographs along with civil fingerprint submissions that were collected for noncriminal purposes. These photos may either be provided to the submitting agency by the individual or taken directly by the submitting agency. Civil photos will supplement the biographical information and narrative physical descriptions that are already provided under existing practices.

Selected foreign and international agencies may similarly contribute criminal and civil photo submissions for retention in the NGI IPS.

The IAFIS does not collect related information from commercial data aggregators. (However, it is possible that submitters may have independently obtained some of their information from such sources.)

1.2.2 Describe why information from sources other than the individual are required. For example, if a program is systematically incorporating databases of information in identifiable form that are purchased or obtained from a commercial aggregator of information or if information needs to be collected from third parties in an ongoing investigation, state the fact that this is where the information is coming from and then in 2.1 indicate why the program is using this source of data.

This portion is generally not applicable because as described above the information is taken directly from the individual and submitted via authorized agencies pursuant to the authority provided by 28 U.S.C. 534. Although this initiative does encompass the option of bulk submissions of photos from repositories maintained by contributing agencies, each of the individual photos in such repositories would have initially been taken directly from the individual as discussed above, and reliability is furthered by the requirement that any bulk submissions must be linked with FNUs/UCNs at the time of submission.

Although photos related to criminal or national security matters may be taken without an individual's knowledge or consent, obtaining consent of subjects involved in illegal activities is generally impracticable and unwarranted. The photos will only be submitted by an authorized participating agency incident to its lawful activities.

Section 2.0
The Purpose of the System and the Information Collected and Stored within the System

2.1 Why is the information being collected?

2.1.1 In responding to this question, you should include:

2.1.1.1 A statement of why this PARTICULAR information in identifiable form that is collected and stored in the system is necessary to the component's or to the Department's mission. Merely stating the general purpose of the system without explaining why particular types of information in identifiable form should be collected and stored is not an adequate response to this question.

The NGI IPS enhancements will support DOJ and FBI strategic goals, including: promoting the nation’s security, including preventing terrorism and foreign intelligence operations; assisting local, joint, tribal, State, Federal, foreign, and international efforts to prevent and reduce crime and violence; and continuing to upgrade advanced identification technology.

The NGI Program Office’s mission is to reduce terrorist and criminal activities by improving and expanding biometric identification and criminal history information services through research, evaluation, and implementation of advanced technology within the IAFIS environment. With the successful implementation of technology, the NGI IPS will have a direct impact on the law enforcement community by assisting in the disruption and deterrence of criminal activity and terrorism by more effectively conducting investigations and improving identification options.

Expanding the number of photos and the types of photos (such as SMTs) will enhance the verbal physical descriptions already present in IAFIS. One picture can indeed be worth a thousand words, and even under human visual reviews photos will provide more positive identifications while also helping prevent misidentifications.

Expanding the photo capability within the NGI IPS will also expand the searchable photos that are currently maintained in the repository. This will allow law enforcement to quickly obtain photographs and conduct searches with facial recognition technologies that will utilize facial features to generate candidate lists of subjects when searching for wanted persons and suspects, develop photo lineups, or perform visual comparisons of individuals in custody.

2.2. What specific legal authorities, arrangements, and/or agreements authorize the collection of information?

Since 1921, a series of Federal statutes have granted the Attorney General broad authority to collect and preserve general identification records, criminal identification records, and other records, and to exchange these records and information with, and for the official use of, authorized officials of the Federal Government, including the United States Sentencing Commission, the States, cities, and penal and other institutions. Current statutory authority is primarily codified at 28 U.S.C. § 534. Supporting authority includes Pub. L. 92-544, Pub. L. 107-56, and Pub. L. 108-458. Supplemental regulatory authority includes 28 CFR 0.85, part 20, and 50.12.

The FBI is also authorized to conduct investigative activities under 28 U.S.C. § 533, which would include the collection, retention, and dissemination of identification information in reasonable furtherance of these activities.

The Federal Records Act (FRA), codified at 44 U.S.C. § 3301 et seq., provides another general statutory basis for the FBI to retain and preserve materials submitted for FBI checks and/or obtained by the FBI in the course of authorized investigative activities to ensure adequate and proper documentation of FBI activities.

The Attorney General has delegated the responsibilities set forth in Public Law No. 92-544 and 28 U.S.C. § 534 to the Director of the FBI. The Director of the FBI has further delegated regulatory responsibility for executing the FBI’s authority under these statutes to the FBI CJIS Division.

2.3 Privacy Impact Analysis: Given the amount and type of information collected, as well as the purpose, discuss what privacy risks were identified and how they were mitigated?

Pursuant to its statutory authorities, the FBI has for many decades been collecting, preserving, and exchanging biographical and biometric information, including photos (for criminal files). The IPS thus does not constitute a new collection type or collection purpose for criminal files. Instead, the IPS provides enhancements to existing FBI photographic information services.

The FBI has also long been collecting and retaining civil fingerprints and associated biometric identifiers and biographical data for such noncriminal justice reasons as employment suitability checks, permits, identity verification, and licensing. To date, however, these civil files have not encompassed photos. The addition of photos to civil files will thus constitute an expansion of the type of personal information retained in civil files. However, including photos in civil files will not constitute an expansion of the purposes for which the information is already being collected, and will merely augment text-based descriptors that are often already present (such as descriptors of a person's race, gender, age). Accordingly, merely adding photos to civil files is not considered to be a substantial expansion of the existing civil files, so long as the photos will only be retrieved incident to the authorized retrieval of the underlying record of a specified individual using the individual's name or other personal identifier.

These enhancements will, however, result in collection and retention of a greater number of photographic images. Increased collection and retention of personally identifiable information (PII) presents a correspondingly increased risk that the FBI will then be maintaining more information that might potentially be subject to loss or unauthorized use. This risk is mitigated by the strong security features and robust audit processes already present in IAFIS (which are addressed in more detail in Section 8 below). In addition, the system will begin to store information regarding the dissemination of photos and related data for audit logs. Dissemination of information will be linked to the authorized NGI IPS user and the agency that requested the photo. This information will be incorporated in the audit processes and provide an enhanced capability for ensuring the information is being appropriately used and disseminated. Agencies requesting and receiving results of fingerprint identifications will be subject to training and audit requirements by the applicable CJIS Systems Agency (CSA) and periodic FBI audits.

There is a further risk in that, under the new process, photographs may now be submitted without accompanying ten-print fingerprints. Accompanying ten-print fingerprints serve to tie a photo to the single identity positively confirmed by the fingerprints. Under the new process, photos may be submitted accompanied by some lesser number of fingerprints and/or include reference to an existing FBI Number (FNU) (or Universal Control Number (UCN), once implemented--see section I.3 above). Regarding identification based on a lesser number of fingerprints, the FBI considers that the system's fingerprint technology and technical capacity has sufficiently progressed to permit positive association with an existing record based on comparison with an existing ten-print set already associated with the record. Regarding identification based on FNU (or UCN, once implemented), each FNU/UCN is tied to a single identity positively identified by fingerprints. Conceivably, however, the submitting agency may be in error as to the correct FNU/UCN for the subject of the photograph, or the wrong FNU/UCN may be submitted due to typographical, clerical, or other error. If the FBI receives an erroneous FNU/UCN, the accompanying photo may be associated with the wrong identity. To mitigate this risk, the FBI intends to execute Memorandums of Understanding (MOUs) with submitters of photos without accompanying ten-prints. The MOU will require that a submitter verify that fingerprint identifications were performed at the State or agency level prior to submission of the photos to the CJIS Division. The FBI also intends to further reduce this risk via aggressive training, and by both State and Federal audits to ensure accuracy. The FBI therefore considers that such situations will be rare, and that prior to the taking of any adverse action against a person, any such erroneous association would be discovered and corrected via comparisons with text-based descriptors, comparisons with other photos of the subject, or, ultimately, positive fingerprint corroboration. Moreover, the additional photos can also provide a privacy benefit by affording more accurate and timely visual information reflecting changes that result from aging or elective style changes and helping to reduce instances of mistaken identities.

An additional privacy impact is raised by the new capabilities to be developed for electronic searching of criminal justice images using biographical criteria, more precise SMT descriptors, and facial recognition technology. Although these images will already have been lawfully acquired and accessible to authorized IAFIS users, currently the images may be functionally obscure due to current limitations which provide access only via a person's name or individual identifying number (perhaps filtered by a general body marking parameter, e.g., "tattoo on right arm"). IPS will thus provide an increased ability to locate potentially related photos (and other records associated with the photos) that might not otherwise be discovered as quickly or efficiently, or might never be discovered at all. However, this additional privacy impact is outweighed by the advantages of being able to better locate responsive information--within information already lawfully acquired by the FBI--permitting better personal identifications and more complete and timely investigative analysis, including more effective and efficient identification of perpetrators and generation of leads to potential suspects. These advantages can also include a privacy advantage, as photographic comparisons can provide a means to eliminate misidentifications.

Electronic searching of criminal justice images also entails the risk that the electronic search process may not be sufficiently reliable to accurately locate other photos of the same identity, resulting in an unacceptable percentage of misidentifications. Although facial recognition technology has been under development since the 1960s, the FBI recognizes that it is not yet perfect. At present, unlike fingerprint technology, there is no common standard for facial recognition. Multiple approaches using low resolution two-dimensional images have existed for several years. Recently there have been major advancements in facial recognition using high resolution two and three-dimensional images. The U.S. Government has performed multiple evaluations of facial recognition technology, and preliminary results from the most recent evaluation demonstrate that facial recognition accuracy has greatly improved. The FBI thus considers that incorporation of this technology into IAFIS promises to provide substantial benefits to law enforcement and national security, but that at the same time any facial recognition capability must be carefully assessed and tested prior to implementation to ensure that it is sufficiently reliable to provide the desired benefits and minimize erroneous identifications. Accordingly, the FBI will develop and implement this initiative incrementally. For each phase, critical performance parameters will be analyzed and specified through functional and system requirements analysis. The FBI will review existing facial recognition systems in place with other agencies, to include the Department of State, and the lessons learned will be adopted in this initiative. At the completion of the requirements study phase, user requirements shall be translated into quantifiable terms that attempt to show how effective and efficient this system should be.
User effectiveness and system effectiveness shall be developed for end-to-end measurement combined with entry and exit criteria to ensure effective business process flow of the system. Effectiveness factors shall be developed, monitored, and measured throughout the system life cycle. In further mitigation of this risk, this technology will only be employed as an investigative aid and not as a means of positive identification. The FBI will promulgate policies and procedures to emphasize that photographic matches are not to be considered "positive" identifications, and searches of the photographs will merely result in a ranked listing of candidates. Users will be trained on system limitations, and to recognize that the aging process and intentional lifestyle choices will reduce the effectiveness of image searching, and to understand that the search capability is to be used only as an investigative tool that is to be used with other investigative aids and information.

Currently, IAFIS civil files are not generally encompassed in IAFIS bulk checks for investigative purposes. Thus, for example, IAFIS does not typically check incoming ten-print criminal submissions for possible matches among the IAFIS universe of civil files, and latent print searches (such as prints lifted from a crime scene) are not typically run against the IAFIS universe of civil prints. Accordingly, electronic bulk searching of civil file images (such as via facial recognition technology) would constitute a significant new privacy consideration, and such searching is not encompassed by this PIA. (The FBI does believe that electronic bulk searching of civil records may be desirable, but we will address and assess this in a separate PIA.)

Section 3.0
Uses of the System and the Information

The following questions are intended to clearly delineate the intended uses of the information in the system.

3.1 Describe all uses of the information.

3.1.1 Identify and list each intended use (internal and external to the Department) of the information collected or maintained.

Internally, the FBI CJIS Division employees will have the ability to retrieve and print photos. This will enable the CJIS Division to provide better service to individuals requesting their own records pursuant to 28 CFR 16.30-16.34. Additionally, new technology will allow the CJIS Division to search facial features and generate candidate lists for visual comparisons, humanitarian reasons, unknown deceased, and disaster recovery efforts. In addition, authorized internal users will be able to make the same uses as external users described below.

Externally, the enhancements will provide improved access to the NGI IPS by local, State, tribal and Federal law enforcement agencies. The existing and new information maintained in the NGI IPS will be utilized by all levels of law enforcement to solve crimes by quickly obtaining photographs of subjects when searching for wanted persons and suspects or when developing photo lineups to perform visual comparisons of individuals in custody. Authorized external users will also be able to use the information to supplement existing civil uses, such as employment suitability, permits, and licensing functions.

3.1.2 If a SORN is being or has been published for the system, the routine uses from the SORN should be listed in this section. (A copy of the notice or its Register citation may be provided in order to meet this requirement.) In addition, list the uses internal to the Department since the routine uses listed in the SORN are limited to disclosures made outside of the Department.

Sections I.2 and I.6 above identify the SORNs for FIRS and NCIC, including applicable routine uses for these systems. (The FBI is in the process of revising these SORNs to reflect the changes encompassed by this PIA.)

In addition to routine use disclosures, this information may also be disclosed under other circumstances authorized by the Privacy Act, including disclosures to those DOJ personnel who have a need for the information in the performance of their duties.

3.2 Does the system analyze data to assist users in identifying previously unknown areas of note, concern, or pattern? (Sometimes referred to as data mining.)

3.2.1 Many systems sift through large amounts of information in response to a user inquiry or programmed functions. This is loosely known as data mining.

Although the fingerprint identification process within the FBI is an automated process, it is not part of a “data mining” process looking for previously unknown or predictive patterns. Instead, the identification process uses algorithms to locate and rank potential-match candidates from predicated subject-based queries. When the identification process score is higher than an established threshold, the comparison is considered to be a match and is verified by a trained examiner as required. The same will be true for IPS image searches.

3.2.2 When these systems sift through information they make determinations and, sometimes, conclusions based upon the information they analyze. If the system being analyzed in the PIA conducts such preliminary and conclusory functions, please provide greater detail on what type of determinations the system makes.

As indicated above, the fingerprint identification process within the FBI is an automated process, but these changes do not involve a “data mining” process looking for previously unknown or predictive patterns. The IAFIS makes an automatic comparison of fingerprints to determine whether or not the various physical characteristics of the fingerprint identify to a fingerprint maintained in the IAFIS. The fingerprints maintained in IAFIS may include the subject’s biometric identifiers, criminal history record, and mug shot photographs. If the fingerprint submission does not meet the threshold for automatic identification, a fingerprint examiner makes the final determination of whether or not the fingerprints match. If a query is submitted to IAFIS based upon submitted biographical information, the IAFIS produces a candidate list of possible identifications.

As discussed in section I.4 above, currently a criminal justice agency may retrieve photos by submitting a CPR with the subject's FNU via the CJIS WAN. If the date of arrest is supplied, then the photo set that matches the arrest data is returned, otherwise the latest photo set is retrieved. This current IAFIS functionality will be expanded to include analogous comparisons of criminal justice images meeting Electronic Biometric Transmission Specification (EBTS) standards using biographic descriptors and/or facial recognition technologies. As discussed in section 2.3 above, these comparisons will generate ranked candidate lists of potential subjects, which will only be employed as an investigative aid and not as a means of positive identification. Users will be trained on system limitations, and to recognize that the aging process and intentional lifestyle choices will reduce the effectiveness of image searching, and to understand that the search capability is to be used only as an investigative tool that is to be used with other investigative aids and information.

3.2.3 If the system creates or makes available new or previously unavailable information about an individual, state/explain what will be done with the newly derived information. Will it be placed in the individual’s existing record? Will a new record be created? Will any action be taken against or for the individual identified because of the newly derived data? If a new record is created, will the newly created information be accessible to government employees who make determinations about the individual? If so, explain fully under what circumstances that information will be used and by whom.

As indicated above, the fingerprint identification process within the FBI is an automated process, but these changes do not involve a “data mining” process looking for previously unknown or predictive patterns. As discussed above, these system changes will result in the inclusion of additional images in existing criminal files of identified individuals. Criminal-file images of identified individuals will also be subject to searches for investigative purposes to identify potential matches to as yet unidentified individuals using biographic descriptors and/or facial recognition technologies.

In addition, these system changes will add new functionality to collect and retain images of as yet unidentified individuals associated with activities having a lawful investigative or national security interest (such as photos obtained from crime scene security cameras). Such unidentified images may be used investigatively to attempt to identify the individuals in the photos or to identify possible links to other matters of investigative or national security interest. At such time as a potential identity or link is identified, the new information may be associated with the relevant existing records relating to the individual and/or the matter.

These changes will also result in the inclusion of images in existing civil files of identified individuals (which previously did not contain any images), if requested by the authorized submitting agency. These images will be available for review when the file of a specified individual is accessed by an authorized user of the file for an authorized purpose. E.g., authorized noncriminal justice agencies may be provided photos incident to employment suitability checks, permits, identity verification, and licensing, thus helping to confirm identity of the individual in question.

3.3 How will the information collected from individuals or derived from the system, including the system itself be checked for accuracy?

3.3.1 Explain whether information in the system is checked against any other source of information (within or outside your organization) before the information is used to make determinations about an individual. If not, explain whether your organization has any other rules or procedures in place to reduce the instances in which inaccurate data is stored in the system.

Currently, photographic images for IAFIS are only submitted for criminal justice purposes, and all submissions must be accompanied by ten-print fingerprints. IAFIS compares the fingerprints to determine whether or not the submission matches criminal fingerprints already maintained in the IAFIS, and a match serves to tie a photo to the single identity positively confirmed by the fingerprints. Under the new process, however, criminal photos may be submitted accompanied by some lesser number of fingerprints and/or include reference to an existing FBI Number (FNU) (or Universal Control Number (UCN), once implemented--see section I.3 above). Regarding identification based on a lesser number of fingerprints, the FBI considers that the system's fingerprint technology and technical capacity has sufficiently progressed to permit positive association with an existing record based on comparison with an existing ten-print set already associated with the record. Regarding identification based on FNU (or UCN, once implemented), each FNU/UCN is tied to a single identity positively identified by fingerprints. Conceivably, however, the submitting agency may be in error as to the correct FNU/UCN for the subject of the photograph, or the wrong FNU/UCN may be submitted due to typographical, clerical, or other error. If the FBI receives an erroneous FNU/UCN, the accompanying photo may be associated with the wrong identity. To mitigate this risk, the FBI intends to execute Memorandums of Understanding (MOUs) with submitters of photos without accompanying ten-prints. The MOU will require that a submitter verify that criminal fingerprint identifications were performed at the State or agency level prior to submission of the photos to the CJIS Division. The FBI also intends to further reduce this risk via aggressive training, and by both State and Federal audits to ensure accuracy.

Once the NGI IPS enhancements are implemented, civil photographs will also be accepted and retained incident to a civil submission. Civil submissions are accompanied by ten-print fingerprints, which IAFIS compares with criminal fingerprints already maintained in the IAFIS, and a match will serve to tie the individual to the single identity positively confirmed by the fingerprints. However, conceivably the submitting agency might submit the photo of some other person due to typographical, clerical, or other error. As in the case of criminal submissions, to mitigate this risk, the FBI intends to execute Memorandums of Understanding (MOUs) with submitters of civil photos requiring implementation of quality assurance procedures, and to further reduce this risk via aggressive training and via both State and Federal audits to ensure accuracy.

3.3.2 If the system checks for accuracy by accessing a commercial aggregator of information, describe this process and the levels of accuracy required by the contract.

Not applicable.

3.4 What is the retention period for the data in the system? Has the applicable retention schedule been approved by the National Archives and Records Administration (NARA)?

Upon implementation of the NGI IPS enhancements, IPS images will be retained in accordance with the applicable retention schedules approved by the National Archives and Records Administration (NARA). The current schedule for criminal identification records provides for deletion when FBI records indicate the individual has attained 99 years of age; the current schedule for civil identification records provides for deletion when FBI records indicate the individual has attained 75 years of age. Images may be removed from general access earlier than scheduled upon request by the submitting agency or pursuant to an order from a court of competent jurisdiction specifically stating that photo(s) be removed. (Although photographs may exist within transaction logs and/or archival files after such removal, the photos will not be generally accessible nor readily searchable.)

3.5 Privacy Impact Analysis: Describe any types of controls that may be in place to ensure that information is handled in accordance with the above described uses.

Access to the IAFIS, III, and NCIC is already controlled through extensive, long-standing user identification and authentication procedures. The CJIS Division Audit Unit conducts periodic internal and external on-site audits of user agencies to assess and evaluate compliance with the CJIS Division Security Policies. Audits are also conducted by State oversight agencies. The same methodology will apply to civil fingerprints, photo submissions, and associated data.

Section 4.0
Internal Sharing and Disclosure of Information within the System

The following questions are intended to define the scope of sharing both within the DOJ and with other recipients.

4.1 With which internal components of the Department is the information shared?

4.1.1 Identify and list the name(s) of any components, offices, and any other organizations within the Department with which the information is shared.

All DOJ components, offices, and organizations may be authorized to receive IAFIS data pursuant to 28 U.S.C. § 534 and 5 U.S.C. 552a(b)(1). Accordingly, this information may be disclosed to those DOJ personnel who have a need for the information in the performance of their duties.

4.2 For each recipient component or office, what information is shared and for what purpose?

4.2.1. If you have specific authority to share the information, please provide a citation to such authority.

Please refer to the answers provided for questions 2.2 and 4.1.1.

4.2.2 Identify the specific information that is shared with the specific component office or organization within the Department and the purpose served by such sharing.

All identification, criminal identification, photographs, crime and other record information collected by the NGI IPS may be shared with any DOJ component pursuant to that component’s legally authorized criminal justice, national security, or other lawful purpose.

4.3 How is the information transmitted or disclosed?

4.3.1 Is the information shared in bulk, on a case by case basis, or does the sharing partner have direct access to the information?

4.3.2 Describe how the information is transmitted to each component or office and any other organization within the Department. For example is the information transmitted electronically, by paper, or by some other means?

Authorized users may directly access the information in accordance with CJIS Division policy. Typically, the information would be transmitted electronically or via mail to the authorized agency or entity that made the information request, depending upon the established business practice and connectivity with the respective agency. Transactions can be performed via live-scan electronic devices or rolled-paper fingerprint card submissions. Compact Disc (CD) or Machine Readable Data Tapes would qualify as other means of transmission.

Currently, when an authorized agency submits a criminal or civil fingerprint transaction to IAFIS, the system responds to the requesting entity. When a positive match is found in the IAFIS, and that record has an associated photograph(s), the requesting agency is notified. The agency must then make a separate request for the pertinent photos. Additionally, the current IPS is not accessible via the NCIC.

Upon the implementation of the NGI IPS enhancements, authorized NGI IPS users may have direct electronic access to the system via existing communications channels. (See section I.2-I.6 above.)

Another NGI IPS enhancement will allow bulk submission of photographs, if accompanied by FBI Numbers (FNUs) (or Universal Control Numbers (UCNs), once implemented--see section I.3 above). Incoming bulk submissions will likely consist of information submitted on CD or Machine Readable Data tapes.

4.4 Privacy Impact Analysis: Considering the extent of internal information sharing, discuss what privacy risks were identified and how they were mitigated. For example, if another Departmental component, office, or organization has access to the system that your office controls, discuss how access controls have been implemented and whether audit logs are regularly reviewed to ensure appropriate sharing of information.

Please refer to the answers provided for questions 2.3 & 5.6.

Section 5.0
External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOJ which includes foreign, Federal, State and local government, and the private sector.

5.1 With which external (non-DOJ) recipient(s) is the information shared?

5.1.1 Identify and list the name or names of the foreign, Federal, State, or local government agencies, private sector organizations, or individuals with which/whom the information is shared.

Information in the NGI IPS may be disclosed to Federal, State, or local law enforcement agencies, or agencies/organizations directly engaged in the administration of criminal justice functions (including the police, prosecution, penal, probation/parole, and the judiciary). Also, access may be provided to foreign or international agencies/organizations consistent with treaties/agreements or where such disclosure may assist the agency in the performance of a law enforcement function or otherwise further the best interests of the United States; to a Federal, State, or local agency/organization for a compatible civil law enforcement function; or where such disclosure may promote, assist, or otherwise serve the mutual criminal law enforcement efforts of the law enforcement community, administrative or adjudicative bodies, as provided by 5 U.S.C. § 9101 and 28 U.S.C. § 534, or in other situations as indicated in applicable routine uses for the systems involved.

Records may also be disclosed to the National Archives and Records Administration for the purpose of records management and inspections conducted under authorization of 44 U.S.C. §§ 2904 and 2906.

Information in the NGI IPS may be shared with authorized noncriminal justice agencies and entities for employment suitability checks, permits, identity verification, and licensing in accordance with applicable laws, regulations, and policies. (See section 2.2 above.)

In addition, sections I.2 and I.6 above identify the SORNs for FIRS and NCIC, including applicable routine uses for these systems. (The FBI is in the process of revising these SORNs to reflect the changes encompassed by this PIA.)

5.2 What information is shared and for what purpose?

5.2.1 Identify the specific information that is shared with each specific recipient and the purpose served by such sharing. For example, the Federal Bureau of Investigation (FBI) may share its information on an individual with Customs and Border Protection. If you provided a list of routine uses in response to Question 3.1, please reference that fact. You do not need to list them again here.

Please refer to the answer provided for question 3.1.

5.2.2 Where you have a specific authority to share the information, please provide a citation to or copy of the authority.

Please refer to the answer provided for question 2.2.

5.3 How is the information transmitted or disclosed?

5.3.1 Is the information shared in bulk, on a case by case basis, or does the sharing partner have direct access to the information?

Authorized users may directly access the information provided by IAFIS in accordance with CJIS Division policy. Typically, the information would be transmitted electronically or via mail to the authorized agency or entity that made the information request, depending upon the established business practice and whether electronic connectivity with the respective agency/entity has occurred. Transactions can be performed via live scan electronic devices or paper-fingerprint card submission. CDs or Machine Readable Data Tapes would qualify as other means of transmission.

Currently, when an authorized agency submits a criminal or civil fingerprint transaction to IAFIS, the system responds to the requesting entity with either a “positive” match or “not positive” match. When a positive match is made and that record has a photograph(s), the requesting agency is so notified. The agency must then make a separate request for the pertinent photos.

Upon the implementation of the NGI IPS enhancements, authorized NGI IPS users may have direct access to the system via the existing CJIS communications channels to perform expanded searches on photographs.

Another NGI IPS enhancement will be to allow the bulk submission of photographs maintained in existing local, State, and tribal systems if accompanied by FNUs. Bulk submissions most likely will consist of information submitted on CD or Machine Readable Data tapes.

(For more detailed discussion, see sections I.2-I.6.)

5.3.2 Describe how the information is transmitted to entities external to the Department and whether it is transmitted electronically, by paper, or some other means.

Please refer to the answer provided for question 5.3.1.

5.4 Are there any agreements concerning the security and privacy of the data once it is shared?

Title 28 U.S.C. § 534 and 28 CFR 20.33 and 50.12 require that disseminated records only be used for authorized purposes and that a user's access is subject to cancellation if shared information is further shared improperly. In addition, security and privacy protocols are addressed in the CJIS Division Security Policy, Version 4.3, Section 8, to which all users must adhere.

5.5 What type of training is required for users from agencies outside DOJ prior to receiving access to the information?

CJIS Division System Officers at the State level are responsible for the role based training, testing, and proficiency affirmation of authorized IAFIS users within their State. “Inquiry” and “full” are the two levels of access. All users must be trained within 6 months of employment and biennially retested thereafter.

5.6 Are there any provisions in place for auditing the recipients’ use of the information?

Yes. To ensure security policies are fully implemented, the CJIS Division Audit Unit visits authorized recipients on a recurring basis and reports deficiencies to the CJIS Division Advisory Board’s and Compact Council’s Sanctions Committees. Access may be terminated for improper access, use, and dissemination of records obtained from the system of records.

The CJIS Division Audit Unit ensures that authorized agencies adhere to the criteria currently in place. On-site audits of a representative sample of authorized recipients are conducted on a triennial basis.

Audits are also conducted by State oversight agencies.

5.7 Privacy Impact Analysis: Given the external sharing, what privacy risks were identified and describe how they were mitigated.

Please refer to the answers provided for questions 2.3, 5.4, 5.5, and 5.6.

Section 6.0
Notice

The following questions are directed at notice to the individual of the scope of information collected, the opportunity to consent to uses of said information, and the opportunity to decline to provide information.

6.1 Was any form of notice provided to the individual prior to collection of information?

6.1.1. If yes, identify the form of such notice. Was there a posted privacy policy, a Privacy Act notice on forms, or a System of Records Notice published in the Federal Register? If so please provide copies or citations of such. If no form of notice was provided, explain why not.

General notice has been provided to the public at large via the FIRS SORN and the NCIC SORN. (See sections I.2 and I.5 above.)

To the extent that collection of information relates to an individual's possible involvement in criminal activities, individuals may not be provided direct notice of collection of information incident to law enforcement response to those activities. Persons engaging in criminal activities may be presumed to be on notice as a consequence of engaging in such activities.

Regarding civil checks, specific notice is typically provided by the program agency relevant to the particular program for which the FBI check is being made. See 28 CFR 50.12(b).

In addition, collection of photos for civil purposes is invariably accompanied by the taking of fingerprints. The fingerprint card used for civil purposes is the FBI Applicant card (FD-258), which is being revised to include a Privacy Act statement including the following provisions:

  • Authority: The FBI's acquisition, preservation, and exchange of information requested by this form is generally authorized under 28 U.S.C. 534. Depending on the nature of your application, supplemental authorities include numerous Federal statutes, hundreds of State statutes pursuant to Pub.L. 92-544, Presidential executive orders, regulations and/or orders of the Attorney General of the United States, or other authorized authorities. Examples include, but are not limited to: 5 U.S.C. 9101; Pub.L. 94-29; Pub.L. 101-604; and Executive Orders 10450 and 12968. Providing the requested information is voluntary; however, failure to furnish the information may affect timely completion or approval of your application.
  • Principal Purpose: Certain determinations, such as employment, security, licensing, and adoption, may be predicated on fingerprint-based checks. Your fingerprints and other information contained on this form may be submitted to the requesting agency, the agency conducting the application investigation, and/or FBI for the purposes of comparing the submitted information to available records in order to identify other information that may be pertinent to the application. The FBI may also retain the submitted information in the FBI's collection of fingerprints and related information against which other fingerprint submissions may be compared. Depending on the nature of your application, the requesting agency and/or the agency conducting the application investigation may also retain the fingerprints and other information contained on this form for other authorized purposes of such agency(ies).
  • Routine Uses: The fingerprints and information reported on this form may be disclosed pursuant to your consent, and may also be disclosed by the FBI without your consent as permitted by the Federal Privacy Act of 1974 (5 USC 552a(b)) and all applicable routine uses as may be published at any time in the Federal Register, including the routine uses for the FBI Fingerprint Identification Records System (Justice/FBI-009) and the FBI's Blanket Routine Uses (Justice/FBI-BRU). Routine uses include, but are not limited to, disclosures to: appropriate governmental authorities responsible for civil or criminal law enforcement, counterintelligence, national security or public safety matters to which the information may be relevant; to State and local governmental agencies and nongovernmental entities for application processing as authorized by Federal and State legislation, executive order, or regulation, including employment, security, licensing, and adoption checks; and as otherwise authorized by law, treaty, executive order, regulation, or other lawful authority. If other agencies are involved in processing this application, they may have additional routine uses.
  • Additional Information: The requesting agency and/or the agency conducting the application investigation will provide you additional information pertinent to the specific circumstances of this application, which may include identification of other authorities, purposes, uses, and consequences of not providing requested information. In addition, any such agency in the Federal Executive Branch has also published notice in the Federal Register describing any system(s) of records in which that agency may also maintain your records, including the authorities, purposes, and routine uses for the system(s).

6.1.2 Was the person aware that his or her information was being collected?

In some instances (such as those from crime scene security cameras), the subjects may not have been aware of being photographed, but persons engaging in criminal activities may be presumed to be on notice as a consequence of engaging in such activities. In most cases, however, persons who are the subjects of criminal checks will be aware that their photos have been taken incident to their criminal justice processing (such as "booking"). Persons who are subjects of civil checks will be aware that their photos have been collected, since such persons either voluntarily contribute their photos or consent to being photographed by the processing agency.

6.2 Do individuals have an opportunity and/or right to decline to provide information?

6.2.1 Can the person from or about whom information is collected decline to provide the information and if so, is there any penalty or denial of service that is the consequence of declining to provide the information?

Criminal submissions: A person under arrest or the subject of criminal action generally has no opportunity or right to refuse the collection of the images encompassed by this PIA.

Civil submissions: Individuals generally do have the opportunity and/or right to decline to provide photos for noncriminal justice purposes, since the individuals generally may opt to not pursue a noncriminal justice activity which requires an FBI check. Declining to provide or submit to a photo may have an adverse impact regarding the benefit requested, depending on the laws and policies governing the program for which the FBI check is being made.

6.3 Do individuals have an opportunity to consent to particular uses of the information, and if so, what is the procedure by which an individual would provide such consent?

Criminal submissions: Individuals generally do not have the opportunity and/or right to consent to particular uses of the information, since this is obtained from criminal justice subjects incident to criminal justice processes. However, any such uses must comply with the provisions of any applicable law, including the Privacy Act.

Civil submissions: Individuals generally do have the opportunity and/or right to decline to undergo civil checks, since the individuals generally may opt to not pursue the noncriminal justice activity which requires an FBI check. Typically such individuals will also provide the program agency express consent to conduct such checks, under procedures applicable to the particular program. Individuals generally do not have the opportunity and/or right to consent to subsequent uses of information provided in noncriminal justice checks. However, any such uses must comply with the provisions of any applicable law, including the Privacy Act.

6.4 Privacy Impact Analysis: Conspicuous and transparent notice allows individuals to understand how their information will be used and disclosed. Describe how notice for the system was crafted with these principles in mind or if notice is not provided, what was the basis for this decision.

As discussed above, notice is generally provided to the public at large via the FIRS and NCIC SORNs. (See sections I.2 and I.5 above.) Specific additional information is typically provided by the program agency relevant to the particular program for which the FBI check is being made. See 28 CFR 50.12.

Section 7.0
Individual Access and Redress

The following questions concern an individual’s ability to ensure the accuracy of the information collected about him/her.

7.1 What are the procedures which allow individuals the opportunity to seek access to or redress of their own information?

7.1.1 Cite any procedures or regulations (other than the Department’s FOIA/Privacy Act regulations) that your component has in place that allow an individual to seek access to or amendment of his/her information. For example, if your component has a customer service or outreach unit, that information, along with phone and email contact information, should be listed in this section in addition to the Department’s procedures.

7.1.2 If the system is exempt from the access or amendment provisions of the Privacy Act, explain the basis for the exemption or cite the regulation implementing the exemption.

The IAFIS is part of the Fingerprint Identification Records System, certain records of which are exempt from access and amendment under the Privacy Act. See 28 CFR 16.96 (e) and (f) for explanation.

However, 28 CFR § 16.30-16.34 establishes alternative procedures for the subject of an FBI identification record to obtain a copy of his or her own record for review and correction. Record requests are to be submitted to the FBI CJIS Division, 1000 Custer Hollow Road, Clarksburg, West Virginia 26306. An individual must submit a signed cover letter requesting his or her record, along with proof of identity on a standard fingerprint form (FD-258), including name, date and place of birth, and $18 U.S. dollars in the form of a money order or certified check made payable to the Treasury of the United States, or payable by a credit card.

7.2 How are individuals notified of the procedures for seeking access to or amendment of their information?

Procedures for accessing criminal history record information are available to the public at 28 CFR § 16.34, by accessing www.fbi.gov, by writing the CJIS Division at 1000 Custer Hollow Road, Clarksburg, WV 26306, or by calling (304) 625-5590.

7.3 If no opportunity to seek amendment is provided, are any other redress alternatives available to the individual?

Please refer to the answer provided for question 7.1 above.

7.4 Privacy Impact Analysis: Discuss any opportunities or procedures by which an individual can contest information contained in this system or actions taken as a result of agency reliance on information in the system.

Since the FBI’s CJIS Division is not the source of the data appearing on Identification Records and obtains all data thereon from fingerprint submissions or related identification forms submitted to the FBI by local, State and Federal agencies, the responsibility for authentication and correction of such data appropriately rests upon the contributing agencies. 28 CFR § 50.12 provides, in pertinent part, that:

Officials at the governmental institutions and other entities authorized to submit fingerprints and receive FBI identification records under this authority must notify the individuals fingerprinted that the fingerprints will be used to check the criminal history records of the FBI. The officials making the determination of suitability for licensing or employment shall provide the applicants the opportunity to complete, or challenge the accuracy of, the information contained in the FBI identification record. These officials also must advise the applicants that procedures for obtaining a change, correction, or updating of an FBI identification record are set forth in 28 CFR 16.34.

Therefore, the subject may inform the FBI or notify the original contributing agency. The FBI is not authorized to modify the record without written authorization from the appropriate criminal justice agency; therefore, all allegations of incorrect or incomplete data will be forwarded to the contributing agency for resolution.

Section 8.0
Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

8.1 Which user group(s) will have access to the system?

8.1.1 Identify and list the types of users. For example: managers, system administrators, contractors, and developers may have access to the system.

The user groups with access to the IPS will be the same users who currently have access to information in the FIRS and the NCIC. See sections I.2-I.5 and 3.1.2 above.

8.2 Will contractors to the Department have access to the system?

8.2.1 If so, please submit a copy of the contract describing their role with this PIA.

Contractors have access to CJIS systems, including IAFIS, III, and NCIC. However, this PIA does not address established and grandfathered contracts and contractor support for these systems; therefore these existing contracts are not within the scope of this PIA and are not attached. It should be noted that these existing contracts contain appropriate security requirements and are subject to extensive privacy protections built into existing infrastructure and policies, such as limited access, secure location, audits, and Privacy Act clauses provided by Federal Acquisition Regulation 24.103 and 52.224-1 and -2.

Any new contracts for the implementation of the NGI IPS will comply with pertinent security requirements and include similar security clauses as appropriate.

8.3 Does the system use “roles” to assign privileges to users of the system?

8.3.1 Describe the different roles in general terms that have been created to provide access to the system. For example, certain users may have “read-only” access while others may be able to make certain amendments or changes to the information.

Yes. These systems (including IPS) are not available to users unless there has been an application for, and assignment of, an Originating Agency Identifier (ORI) Number unique to each using entity. Each using entity may only access the types of information for the purposes as have been authorized for its ORI. Such access is strictly controlled and audited by the CJIS Division. In general, criminal justice agencies have name-based terminal access to the CJIS systems, which may include the ability to make changes or amendments to the system. (E.g., criminal justice agencies may provide direct input to NCIC files.) Name-based access has a concomitant responsibility for training and certification as noted at 2.3, 3.5, and 5.5 above.

Noncriminal justice agencies and nongovernmental entities may have direct read-only access to selected portions of FBI CJIS systems as authorized by Federal statute (e.g., the Adam Walsh Child Protection and Safety Act of 2006). Limiting ORIs are assigned by the FBI after the applicable State CJIS Systems Officer (CSO) verifies training and background checks have been completed for individuals accessing the system.

In regard to the NGI IPS proposals encompassed by this PIA, within roles authorized for their ORIs, authorized users will have the ability to add images to existing criminal or civil files (both individually and in bulk) based on the image subject's FBI number (FNU) (or Universal Control Number (UCN), once implemented). (See I.3 above.) Authorized users will also have the ability to delete images previously submitted by the user.

8.4 What procedures are in place to determine which users may access the system and are they documented?

Please refer to the answer provided for question 3.5. Additionally, State and Federal CJIS Systems Officers (CSOs) must apply, in writing, to the CJIS Division for the assignment of Originating Agency Identifiers (ORIs). The CJIS Division evaluates these requests to ensure the agency or entity meets the criteria of ORI assignment. The CJIS Division maintains an index of ORIs, and each dissemination of a criminal history record records the applicable ORI number. Full access ORIs are provided to criminal justice agencies and other agencies as directed by Federal legislation. Limited access ORIs are provided to noncriminal justice agencies requiring access to FBI maintained records for official purposes. Most noncriminal justice agencies and entities have been assigned limited access ORIs and are entitled to criminal history information by first submitting fingerprints and identifying the authority for such submissions.

8.5 How are the actual assignments of roles and rules verified according to established security and auditing procedures?

The CJIS Division Audit Unit conducts periodic external audits to assess and evaluate compliance with the terms of the applicable user agreements or contract. Internally, an Information System Security Officer (ISSO) is assigned to the system (IAFIS). The ISSO is responsible for ensuring that operational security is maintained on a day-to-day basis. The roles and rules are tested as part of the security certification and accreditation process. Additionally, all users are required to sign Rules of Behavior forms on an annual basis as part of security awareness training.

8.6 What auditing measures and technical safeguards are in place to prevent misuse of data?

Externally, all Federal, State, and local users are subject to periodic audits conducted by both the State and the CJIS Division Audit Unit. The CJIS Division Audit assesses and evaluates compliance with CJIS Division Policies, regulations and laws applicable to the criminal identification and criminal history information in IAFIS. Internally, the ISSO is responsible for ensuring that auditing measures are in place as dictated by the FBI security requirements, in accordance with the FBI Certification and Accreditation Handbook. Additionally, the CJIS Computer Security Incident Response Capability (CSIRC) defines processes and procedures for responding to, and handling, computer and data misuse.

8.7 Describe what privacy training is provided to users either generally or specifically relevant to the functionality of the program or system?

Please refer to the answer provided for question 5.5.

8.8 Is the data secured in accordance with FISMA requirements? If yes, when was Certification & Accreditation last completed?

Yes. IAFIS Certification & Accreditation was most recently completed in May 2006. NGI will fall under the IAFIS Certification & Accreditation boundaries.

8.9 Privacy Impact Analysis: Given access and security controls, what privacy risks were identified and describe how they were mitigated.

No additional privacy risks in the area of Technical Access and Security were identified as a result of the May 2006 Certification and Accreditation process. Previously identified risks have been focused on potential misuse of the system, and this risk has been addressed via training, audits, and sanctions.

Section 9.0
Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics and other technology.

9.1 Were competing technologies evaluated to assess and compare their ability to effectively achieve system goals?

The NGI Program is currently in the Study Phase which includes development of functional and system requirements. Once this phase is completed, the acquisition process will begin. That stage will include evaluation of technologies to assess effectiveness and assist in determining contract award for development.

9.2 Describe how data integrity, privacy, and security were analyzed as part of the decisions made for your system.

The data integrity, privacy, and security will remain a significant part of the enhanced system and the NGI contract. The developer will be required to follow all CJIS Division guidelines, appropriate regulations, and specific statutes. Those agencies and entities with electronic connectivity must comply with, inter alia, requirements contained in the CJIS Division’s Security Policy.

9.3 What design choices were made to enhance privacy?

The NGI Program Office chose to enhance the IAFIS system by utilizing existing channels and established security measures instead of developing an entirely new system. With continued input from the CJIS Advisory Policy Board (APB) and participating agencies, the enhancements were designed to comply with the already extensive privacy protection built into the existing infrastructure, such as established policies, procedures, access controls, and physical security measures that are ensured by audits.

Conclusion

IAFIS contains identification data, criminal identification data, and other records as authorized by statute. Privacy considerations have been built into the system during the past several decades and have been memorialized in the CJIS Division Security Policy. To ensure security policies are fully implemented, the CJIS Division Audit Unit visits authorized recipients on a recurring basis and reports deficiencies to the CJIS Division Advisory Board’s and Compact Council’s Sanctions Committees. Access may be terminated for improper access, use, and dissemination of records obtained from the system of records.

As discussed in section I.6, in consultation with its user community, the FBI identified enhancements to the current IPS that will provide additional functionality to further law enforcement needs and keep pace with emerging technologies. These enhancements will allow more photos to be retained in the system, will allow searches using better physical-descriptor algorithms and facial recognition technology, and will allow more direct retrieval of such photos by an authorized requestor.

As previously discussed (see especially section 2.3 above), these enhancements do present certain privacy risks. However, these risks can be appropriately mitigated. Mitigation elements include the long-standing technology protections already present in the legacy FBI systems (IAFIS, III, and NCIC), the existing eligibility limitations and careful vetting of system users, and the existing access policies, training requirements, and audits. Mitigation elements also include recognition that facial recognition technology must be carefully assessed and tested prior to implementation to ensure that it is sufficiently reliable to provide the desired benefits and minimize erroneous identifications, coupled with only employing facial recognition technology as an investigative aid and not as a means of positive identification.

As appropriately mitigated, any additional privacy impact is outweighed by the advantages of being able to better locate responsive information--within information already lawfully acquired by the FBI--permitting better personal identifications and more complete and timely investigative analysis, including more effective and efficient identification of perpetrators and generation of leads to potential suspects. These advantages can also include a privacy advantage, as photographic comparisons can provide a means to help reduce instances of mistaken identities.

The FBI has previously described the III as being a part of the NCIC, but we are in the process of re-characterizing it as being a part of IAFIS/FIRS, to be reflected in upcoming revisions to the FIRS and NCIC system of records notices and the CFR.