Privacy Impact Assessment National Crime Information Center (NCIC) Identity Theft File
September 27, 2004
This PIA is conducted pursuant to the E-Government Act of 2002, P.L. 107-347, and the accompanying guidelines issued by the Office of Management and Budget (OMB) on September 26, 2003. The PIA provides information regarding the collection of personally identifiable information for the purpose of assisting the victims of identity theft.
The FBI has reviewed the NCIC Identity Theft File. The Identity Theft File is being developed in the National Crime Information Center (NCIC) in the Criminal Justice Information Services (CJIS) Division and is scheduled to become operational in April of 2005.1 The file will serve as a means for law enforcement to flag stolen identities and identify imposters encountered by law enforcement personnel.
A. What information is to be collected?
This file will consist of information voluntarily submitted by victims of identity theft. The file will include the victim's name, date of birth, and social security number, the type of identity theft, and a password given to the victim when the police report is filed. Once NCIC develops the capability, a right index fingerprint may be stored. The victim's photograph may also be entered into NCIC. The fingerprint and/or photograph, which will be clearly labeled as that of the victim and not of the offender, could be used as an additional form of identification for the victim. The entry into the Identity Theft File will be made only with the victim's knowledge and consent, as documented in a consent form.2
B. Why is the information being collected?
This information is being collected to assist law enforcement personnel in investigating and identifying identity theft.
C. What is the intended use of the information?
The information will be available to law enforcement agencies having access to enter records into NCIC. These law enforcement personnel will be able to access the file to assist in their investigations into identity theft, similar to any other incident report filed by a member of the public. The file will serve as a means for law enforcement to "flag" stolen identities and identify imposters encountered by law enforcement personnel. The password, fingerprint, and/or photograph will be used to identify the victim, or to distinguish someone who is fraudulently using the victim's identity, during encounters with law enforcement personnel.
D. With whom will the information be shared?
The Identity Theft File will be available to all federal, state, and local criminal justice agencies having access to enter records into NCIC.
E. What notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared?
As this database is composed of information voluntarily submitted by a victim of identity theft, the individual can decline to provide information at any stage. Information is entered into the system when a victim contacts law enforcement to report that someone unauthorized is using the victim's identity. The entry into the Identity Theft File is made only with the victim's knowledge and consent, as documented in a consent form. The individual providing consent may withdraw that consent at any time by making a written request to the entering agency.
F. How will the information be secured?
This database will be part of CJIS' NCIC system, and will be protected by the same security procedures as the larger system. Currently, the CJIS Division uses DOJ Order 2640.2D for certification and accreditation (C&A) testing. This Order states that external network connections shall be managed in accordance with a user agreement that is agreed to by a cognizant DOJ organization and a non-DOJ entity. This agreement shall include requirements for notifying a specified FBI official within four hours of a security incident on the network. Agencies having access to NCIC must implement procedures to make their terminals secure from any unauthorized use. Any departure from this requirement could warrant the removal of NCIC access. Additionally, each agency must ensure that there are security standards, audit standards, and personnel training standards that ensure accurate and up-to-date records and proper secure dissemination of identity theft data.
Consistent with agency requirements under the Federal Information Security Management Act, as part of the C&A process driven by the Security Division, CJIS has affirmed that it is following IT security requirements and procedures required by federal law and policy to ensure that information is appropriately secured; has conducted a risk assessment, identified appropriate security controls to protect against that risk, and implemented those controls; has in place regular monitoring to ensure that controls continue to work properly, safeguarding the information; and is assigned an Information System Security Officer (ISSO) who is the POC for security related matters.
G. Is a system of records being created under section 552a of title 5, United States Code, (commonly referred to as the "Privacy Act")?
The Identity Theft File will be a component of the NCIC System of Records. The NCIC Privacy Act Systems of Records Notice is in the process of being updated accordingly.
The Privacy Act (5 U.S.C. ' 552a) prohibits the disclosure of information from a federal system of records without the written consent of the individual who is the subject of the record. Victims will provide written consent through a consent form.
CJIS must also comply with the Privacy Act requirement that agencies make reasonable efforts to assure that information is accurate, complete, timely, and relevant prior to its disclosure.3
The information will be presumed to be accurate and relevant because it will be obtained from those victims reporting identity theft crimes. In addition, CJIS Systems Agencies (CSAs) are to perform second party checks and validations as required by FBI CJIS policy. Each CSA is to ensure that documentation is available from state and local users accessing NCIC through their communication lines. Furthermore, the FBI helps maintain the integrity of the system through automatic computer edits which reject certain common types of data errors, quality control checks by FBI CJIS Data Integrity staff, and periodically furnishing lists of all records on file for validation by the entering agency.
Information in an NCIC entry comprises both mandatory and optional fields. The data will not be accepted unless all mandatory fields are completed. The victim will be asked to verify information that is to be entered into the Identity Theft File.
Entry, modification, update, and removal of the information is to be completed as soon as information is available to substantiate the transaction. Records may be cancelled by the entering agency if they are no longer timely. In addition, CJIS plans to purge the records after five years unless the victim maintains that his/her identity continues to be fraudulently used at the end of the retention period.
Furthermore, audits are administered to ensure the accuracy, completeness, and timeliness of all information entered into NCIC. Each CSA has established a system to triennially audit every terminal agency that operates workstations, access devices, mobile data terminals, or personal/laptop computers to ensure compliance with state and FBI CJIS policy and regulations. In addition to audits conducted by CSAs, each federal and state CSA is audited at least once every three years by the FBI CJIS audit staff.
This is a voluntary database containing routine investigative information and involving limited use and access; as such, the OMB E-Government Act guidance does not require the more extensive PIA analysis that must accompany the development of IT or major information systems.
Based on the foregoing, the FBI Senior Privacy Official has determined that the proposed database presents no noteworthy privacy concerns. Taking into account the need for this file and the privacy risks and protections discussed herein, the FBI's Senior Privacy Official approves the FBI's use of this file.
1. The NCIC Identity Theft File did become operational as planned in April of 2005.
2. The Consent Form reads as follows:
IDENTITY THEFT FILE CONSENT DOCUMENT
By signing this document, I hereby provide the __________________________ (insert local, state, or federal law enforcement agency name) permission to enter my personal data into the Federal Bureau of Investigation = s (FBI = s) Identity Theft File. This information may include, but is not limited to, physical descriptors and identifying information including my name, date of birth, place of birth, Social Security number, the type of identity theft, and a password provided to me for future identification verification purposes. I am also providing permission to enter my photograph and fingerprints into this file when that capability becomes available.
I understand that this information is being submitted as part of a criminal investigation of a crime of which I was a victim and will be available to entities having access to the FBI = s National Crime Information Center (NCIC) files for any authorized purpose. I am providing this data voluntarily as a means to document my claim of identify theft and to obtain a unique password to be used for future identity verification purposes.
I understand that the FBI intends to remove this information from the NCIC active file no later than five years from the date of entry. I also understand that I may at any time submit a written request to the entering agency to have this information removed from the active file at an earlier date. I further understand that information removed from the active file will not thereafter be accessible via NCIC terminals, but it will be retained by the FBI as a record of the NCIC entry until such time as its deletion may be authorized by the National Archives and Records Administration.
I understand that this is a legally binding document reflecting my intent to have personal data entered into the FBI's Identity Theft File. I declare under penalty of perjury that the foregoing is true and correct. (See Title 28, United States Code [U.S.C.], Section 1746.)
The Privacy Act of 1974 (5 U.S.C. ' ' 552a) requires that local, state, or federal agencies inform individuals whose Social Security number is being requested whether such disclosure is mandatory or voluntary, the basis of authority for such solicitation, and the uses which will be made of it. Accordingly, disclosure of your Social Security number is voluntary; it is being requested pursuant to 28 U.S.C. ' ' 534 and _______________ (add any applicable state authorization, if desired) for the purposes described above. The Social Security number will be used as an identification tool; consequently, failure to provide the number may result in a reduced ability to make such identifications or provide future identity verifications.
3 5 U.S.C. ' 552a(e)(6). This limitation does not apply to disclosures to other Federal agencies.