Issued by: Ernest J. Babcock, Senior Component Official for Privacy
Approved by: Erika Brown Lee, Chief Privacy and Civil Liberties Officer, U.S. Department of Justice
Date Approved: February 20, 2015

Section 1:  Description of the Information System

The Criminal Justice Information Services (CJIS) Division has provided state-of-the-art fingerprint identification and criminal history services through its Integrated Automated Fingerprint Identification System (IAFIS) for many years. CJIS is replacing IAFIS fingerprint services and providing new and advanced services for other biometrics with the incremental implementation of the Next Generation Identification (NGI). This Privacy Impact Assessment (PIA) describes the retention and searching of noncriminal justice (hereinafter “civil”) fingerprints received by the Federal Bureau of Investigation (FBI) in accordance with federal authority (e.g. federal statute, Presidential Executive Order) or state authority (e.g. state statutes pursuant to Public Law 92-544).  Specifically, this PIA addresses the retention and searching of civil fingerprints submitted by federal agencies, except when expressly precluded by federal law, and the retention and searching of civil fingerprints submitted by state, local, and tribal agencies, when retention is legally permissible and selected by that agency.

For many decades, federal and state agencies and other authorized entities have collected and submitted civil fingerprints to the FBI for criminal background checks for noncriminal justice purposes, such as employment and licensing purposes. Due to technological capacity limitations, IAFIS did not retain most of the civil fingerprints submitted; once processed, the fingerprints were destroyed. IAFIS did retain certain civil fingerprints, such as those associated with military service or immigration benefits, but did not retain the fingerprints of those applying for licensing or employment as permitted under Public Law 92-544.[1]  Moreover, the civil fingerprints that were retained in IAFIS were not readily accessible or searchable. The civil fingerprints that were retained in IAFIS have been transferred to NGI, since IAFIS no longer exists. 

The replacement of IAFIS by NGI was designed to provide technological advancements to better promote the FBI’s overall mission of reducing terrorist and criminal activities by improving and expanding biometric identification and criminal history information sharing services. Importantly, NGI’s mission includes ensuring that persons applying for positions of public trust meet the requirements to be chosen for, and to remain in, those positions of trust. In addition, mandates for the FBI to retain civil fingerprints have become broader in recent years under several statutes, such as the USA Patriot Act, the Security Clearance Act, and the National Child Protection Act (more specifically described below under Section 3.2). Accordingly, the FBI developed NGI to retain civil fingerprints when authorized by the submitting agency, and to consolidate those civil fingerprint submissions, along with accompanying biographic data into a single identity record.

It is important to note that this retention and searching of civil fingerprints is authorized only for those individuals whose employment, license, or other benefit requires that the individual not commit a prohibited criminal action. Moreover, these individuals are provided with a Privacy Act statement and other actual notices regarding the retention and searching of their fingerprints.

After the individual is provided notice of the collection of the civil fingerprints, the process begins with the submission of the fingerprints to the FBI by an authorized agency. When an authorized submitting agency, such as state or local law enforcement, selects the retention feature, NGI retains the civil fingerprints after completion of the noncriminal justice background check. The fingerprints are retained regardless of whether there is any match to criminal history information. When the civil fingerprints are submitted for retention in NGI, the fingerprints are searched against the existing civil, criminal, and unsolved latent files. Latent fingerprints are fingerprints collected from locations or property associated with criminal or national security investigations. Likewise, once civil fingerprints are retained in NGI, all incoming civil and criminal fingerprints will cascade against those fingerprints, and latent fingerprint contributors may choose to have their latent fingerprints cascade as well. NGI will remove the retained civil fingerprints should the submitting agency request removal, or removal is required by court order.

This retention and searching of the civil fingerprints provides, in effect, an “ongoing” background check that permits employers, licensors, and other authorized entities to learn of criminal conduct by a trusted individual, unless the contributor does not subscribe to a rap back service.[2] It eliminates the need for periodic rescreening of the individual and the resubmission of fingerprints. 

Section 2: Information in the System

2.1  Indicate below what information is collected, maintained, or disseminated. (Check all that apply.)

2.2 Indicate sources of the information in the system. (Check all that apply.)

2.3  Analysis: Now that you have identified the information collected and the sources of the information, please identify and evaluate any potential threats to privacy that exist in light of the information collected or the sources from which the information is collected.  Please describe the choices that the component made with regard to the type or quantity of information collected and the sources providing the information in order to prevent or mitigate threats to privacy. (For example: If a decision was made to collect less data, include a discussion of this decision; if it is necessary to obtain information from sources other than the individual, explain why.)

The increased retention and searching of civil fingerprints by NGI presents a privacy risk that the fingerprints will be searched and used for purposes unknown to the individual being fingerprinted.  This risk will be mitigated by the revision of the Privacy Act statement located on the FBI Applicant Fingerprint Card (FD-258) and on all electronic fingerprint devices. The Privacy Act statement will make clear that retained civil fingerprints will now be searched by, and against, other civil fingerprints and latent fingerprints, in addition to the criminal fingerprint file. The increased retention and searching of civil fingerprints also creates a risk that the fingerprints will be disseminated for unauthorized purposes, or to unauthorized recipients. However, none of the IAFIS system security requirements and user rules regarding access and dissemination have changed with the replacement to NGI. In the event that an authorized criminal justice user submits fingerprints that match civil fingerprints retained in NGI, the criminal justice user will receive only limited biographic information associated with the individual, such as name and date of birth.

Another privacy risk could be the improper access to the data or misuse of information in the system, such as unauthorized electronic searching of the civil fingerprints. This risk is mitigated through training and by the periodic audits conducted by the FBI to ensure that system searches are necessary and relevant to the person’s official duties. CJIS has an established Audit Unit that regularly visits entities that are authorized to collect and submit civil fingerprints in an effort to ensure all legislative and agency policy protections are being implemented. Allegations of misuse of CJIS systems, including NGI, are generally referred to the appropriate CJIS Systems Officer (CSO) of the jurisdiction where the misuse occurred and the FBI responds to all such allegations. In the event that records maintained in NGI are wrongfully accessed or disseminated, both the CJIS Advisory Policy Board (APB) and the National Crime Prevention and Privacy Compact Council have established Sanction Committees to address the possible misuse. The system stores information regarding the dissemination of civil information and related data in audit logs. Dissemination of information is linked to the authorized user and the agency that requested the information.

The privacy risk of maintaining erroneous civil fingerprint data is mitigated because the FBI has a substantial interest in ensuring the accuracy of information in the system, and in taking action to correct any erroneous information of which it may become aware. The FBI has a substantial interest in ensuring the accuracy of the information because the FBI is the primary federal law enforcement agency and its mission includes ensuring that criminals are not placed in positions of public trust, do not receive security clearances, are not threatening the disabled, children, and other vulnerable populations, and are not compromising homeland security by entering our military or receiving immigration benefits. The steps to ensure accuracy of information are described in Sections 4.2 and 6.1 of this PIA.

Additionally, the risk is mitigated because the maintenance and dissemination of information must comply with the provisions of any applicable law, regulation, or policy, including the Privacy Act. Among other requirements, the Privacy Act obligates the FBI to make reasonable efforts to ensure the information that it disseminates to non-federal agencies is accurate, complete, timely, and relevant. This risk is further mitigated to the extent that an agency that contributes information to NGI has a process in place for access to, or correction of, the contributing agency’s source records.

The retention of additional civil fingerprints also presents a correspondingly increased risk that the FBI will be maintaining more information that is subject to loss or unauthorized use. The risk of loss/unauthorized use is mitigated by the strong system, user, site, and technical security features present in NGI and described in later sections of this PIA.

Section 3: Purpose and Use of the System

3.1  Indicate why the information in the system is being collected, maintained, or disseminated.  (Check all that apply.)

3.2  Analysis: Provide an explanation of how the component specifically will use the information to accomplish the checked purpose(s). Describe why the information that is collected, maintained, or disseminated is necessary to accomplish the checked purpose(s) and to further the component’s and/or the Department’s mission.

As listed below, the FBI has statutory authority to collect, preserve, and exchange biographic and biometric information for criminal, civil, and national security purposes. In line with that authority, the NGI Program Office’s mission is to reduce terrorist and criminal activities by improving and expanding biometric identification and criminal history information sharing services. Importantly, part of that mission is to ensure that persons applying for positions of public trust meet the requirements to be chosen for, and to remain in, those positions. Although civil fingerprints have been collected by the FBI for several decades, the mandate for the FBI to retain civil fingerprints has become broader in recent years. For example, terrorism prevention statutes, such as the USA PATRIOT Act, have required fingerprint-based background checks of applicants for an expanded number of employment positions. The Security Clearance Information Act permits certain federal agencies to conduct fingerprint-based background checks to assist with determining eligibility for access to classified information and national security duties. Likewise, other federal legislation, such as the National Child Protection Act, provides state and local governments with the authority to conduct fingerprint-based background checks of those who work with vulnerable populations, such as children, the elderly, and the disabled.

3.3  Indicate the legal authorities, policies, or agreements that authorize collection of the information in the system.  (Check all that apply)

3.4  Indicate how long the information will be retained to accomplish the intended purpose, and how it will be disposed of at the end of the retention period. (Reference the applicable retention schedule approved by the National Archives and Records Administration, if available.)  

The NGI data will be retained in accordance with the applicable retention schedules approved by the National Archives and Records Administration (NARA). NARA has approved the destruction of fingerprint cards and corresponding indices when criminal and civil subjects attain 110 years of age or seven years after notification of death with biometric confirmation. NARA has determined automated FBI criminal history record information and NGI transaction logs are to be permanently retained. Biometrics and associated biographic information may be removed from the NGI system earlier than the standard NARA retention period pursuant to a request by the submitting agency or the order of a court of competent jurisdiction.  

3.5  Analysis: Describe any potential threats to privacy as a result of the component’s use of the information, and controls that the component has put into place to ensure that the information is handled, retained, and disposed appropriately. (For example:  mandatory training for system users regarding appropriate handling of information, automatic purging of information in accordance with the retention schedule, etc.)

NGI has maintained the same level of quality control standards that were established by IAFIS. Access to NGI is controlled through extensive, long-standing user identification and authentication procedures. Stringent processes are in place to ensure that only authorized users have access to the system and the information is verified through audit logs detailing an authorized user or agency’s search and retrieval of the biometric data. The CJIS Audit Unit conducts internal and external on‑site audits of user agencies to assess and evaluate compliance with the CJIS Division Security Policy and applicable laws. Agencies requesting and receiving biometric identifications will be trained by the CJIS Systems Agency, which has overall responsibility for the administration and usage of the CJIS programs that operate in a particular state. Records will be purged from the system upon request of the submitting agency or as a result of a court order.

Section 4:  Information Sharing

4.1  Indicate with whom the component intends to share the information in the system and how the information will be shared, such as on a case-by-case basis, bulk transfer, or direct access.

4.2  Analysis: Disclosure or sharing of information necessarily increases risks to privacy.  Describe controls that the component has put into place in order to prevent or mitigate threats to privacy in connection with the disclosure of information. (For example: measures taken to reduce the risk of unauthorized disclosure, data breach, or receipt by an unauthorized recipient; terms in applicable MOUs, contracts, or agreements that address safeguards to be implemented by the recipient to ensure appropriate use of the information–training, access controls, and security measures; etc.)

The civil fingerprint records contained in NGI are only available to Department of Justice (DOJ) components when there is a need for the information in order to perform official duties, pursuant to 28 U.S.C. § 534 and 5 U.S.C.§ 552a(b)(1). For example, the FBI shares information with the National Security Division and Criminal Division within DOJ, as well as other internal DOJ components such as the United States Marshals Service, the Drug Enforcement Administration, the Bureau of Prisons, and the Bureau of Alcohol, Tobacco, Firearms, and Explosives. Information is disclosed only to those DOJ users who have been authorized for access to the information in the NGI system.

Civil fingerprint data within NGI will also be shared with federal, local, state, and tribal agencies as permitted by applicable federal and state statutes, federal and state executive orders, or regulation or order by the Attorney General. Information is shared with authorized noncriminal justice agencies and entities for employment suitability checks, permits, identity verification, and licensing in accordance with applicable laws, regulations and policies.

Privacy protection is also provided by 28 U.S.C. § 534, which provides that the dissemination of information under FBI’s authority is subject to cancellation if it is disclosed outside the receiving or related agencies. 28 CFR § 20.33 provides supplemental guidance regarding the dissemination of criminal history record information, including identification of authorized recipients and potential sanctions for unauthorized disclosures. These restrictions are, in turn, reflected in long-standing and extensive system security standards and operating policies applicable to all system users. In addition, authorized users must comply with applicable security and privacy protocols addressed in the CJIS Security Policy. CJIS User Agreements and Outsourcing Standards also define parameters to information sharing. Federal and state audits are performed to ensure compliance. NGI will maintain data provided only by authorized agencies, which are responsible for ensuring that accurate and complete biographic and biometric information is submitted in the first instance, in accordance with CJIS data quality standards and operating policies. Noncriminal justice agencies must comply with user agreements and the CJIS security policy. The CJIS System Officer (CSO) is responsible for implementing and ensuring compliance with the CJIS Security Policy.

The main method for the transmission of biometric submissions is electronically, via the CJIS Wide Area Network (WAN), a telecommunications infrastructure that connects authorized agencies to the CJIS host computer systems. The purpose of the CJIS WAN is to provide a secure transport mechanism for CJIS criminal history record information and biometric-related information. The WAN provides direct and indirect electronic access to FBI identification services and data for numerous federal, state, and local law enforcement and authorized non-law enforcement agencies in all fifty states. Agencies transmit and, in turn, CJIS responds via the CJIS WAN.  The CJIS WAN transmission hardware is configured by FBI personnel, transmission data to and from CJIS is encrypted, and firewalls are mandated and in place. Electronically, the civil fingerprints will be supported through the Electronic Biometric Transmission Specification (EBTS), which currently supports fingerprint, palm print, and latent submissions. The EBTS provides proper methods for external users to communicate with the CJIS systems for the transmission of biographic and biometric information for purposes of criminal or civil identification. Other means of transmission for fingerprints and palm prints may include CD, DVD, Hard Disk Drive, or Secure File Transfer.

CJIS provides training assistance and up-to-date materials to each CSO and periodically issues informational letters to notify authorized users of administrative changes affecting the system. CSOs at the State and Federal level are responsible for the role-based training, testing, and proficiency affirmation of authorized users within their respective state/federal agencies. All users must be trained within six months of employment and biennially retested thereafter. Access to NGI is provided to the same users who had access to IAFIS; this initiative does not change the procedures that are used to determine which users are already authorized to access the system.

Authorized users will have the ability to directly enroll biometrics into, or delete biometrics from, existing files within NGI based on their roles. The systems are not available to users unless there has been an application for, and assignment of, an Originating Agency Identifier (ORI) unique to each using entity. Each using entity may only access the types of information for the purposes that have been authorized for its ORI. Such access is strictly controlled and audited by CJIS. State and federal CSOs must apply to the CJIS Division for the assignment of ORIs, and CJIS staff evaluates these requests to ensure the agency or entity meets the criteria for the particular type of ORI requested.  CJIS maintains an index of ORIs. All disseminations of identification records are logged to the applicable ORI.  Full access ORIs are provided to criminal justice agencies and other agencies as directed by federal legislation for criminal justice purposes. Limited access ORIs are provided to noncriminal justice agencies requiring access to FBI-maintained records for official and authorized purposes. Most noncriminal justice agencies and entities have been assigned limited access ORIs and are entitled to criminal history information after first submitting fingerprints and identifying the authority for such submissions.

Like IAFIS, the NGI System Design Document includes requirements to maintain chronological transaction audit logs for authorized purposes. All users are subject to periodic on-site audits conducted by both a user’s own oversight entity and the FBI CJIS Division Audit Unit. The audits assess and evaluate users’ compliance with CJIS technical security policies, regulations, and laws applicable to the criminal identification and criminal history information, and terms of the applicable user agreements or contracts. Deficiencies identified during audits are reported to the CJIS Division Advisory Policy Board (APB) and Compact Council Sanctions Committees. The CJIS APB is set up pursuant to the Federal Advisory Committees Act and is comprised of representatives from federal, state, and local criminal justice agencies who advise the Director of the FBI in the development of policies concerning criminal history record information (CHRI). The Compact Council was created pursuant to the National Crime Prevention and Privacy Compact Act of 1998.  It facilitates the sharing of CHRI for noncriminal justice purposes.

Access may be terminated for improper access, use, or dissemination of system records. In addition, each Information System Security Officer (ISSO) is responsible for ensuring that operational security is maintained on a day-to-day basis. Adherence to roles and rules is tested as part of the security certification and accreditation process.

Internal users of the system—all FBI employees and contractor personnel—must complete annual information security and privacy training. The training addresses the roles and responsibilities of the users of FBI systems, and raises awareness of the sensitivity of the information contained therein and how it must be handled to protect privacy and civil liberties.

Section 5:  Notice, Consent, and Redress

5.1 Indicate whether individuals will be notified if their information is collected, maintained, or disseminated by the system.  (Check all that apply.)

5.2 Indicate whether and how individuals have the opportunity to decline to provide information.  

5.3 Indicate whether and how individuals have the opportunity to consent to particular uses of the information. 

5.4 Analysis: Clear and conspicuous notice and the opportunity to consent to the collection and use of individuals’ information provides transparency and allows individuals to understand how their information will be handled. Describe how notice for the system was crafted with these principles in mind, or if notice is not provided, explain why not. If individuals are not provided the opportunity to consent to collection or use of the information, explain why not.

With civil fingerprint submissions, specific notice is typically the responsibility of the authorized agency collecting the fingerprints. Civil information is often collected on the FBI Applicant Fingerprint Card (FD-258) or an equivalent paper or electronic consent form. It is anticipated that most civil fingerprints will be collected via livescan devices in the near future. The Privacy Act statement on the FD-258 has been revised to notify the applicants of the retention and searching of civil fingerprints in NGI. The FBI is revising this notice to further clarify the retention and searching of civil fingerprints with the implementation of NGI.  

Civil applicants may be legislatively required to submit fingerprints as a condition for employment, licensing, security clearances, positions of public trust, volunteer positions, and other relevant benefits.  Inasmuch as the choice to apply for employment and licensing is voluntary, the individual may choose to not apply for positions that require the submission of fingerprints. The privacy risks associated with lack of notice to affected individuals about the collection, maintenance, and use of civil fingerprints also are mitigated by the general notice to the public via the system of records notice (SORN) published in the Federal Register and the NGI PIAs available on www.fbi.gov.  

Title 28 C.F.R. part 16, subpart A, provides general guidance on access to information in FBI files pursuant to the Freedom of Information Act, and 28 C.F.R. part 16, subpart D, provides general guidance regarding access to, and amendment of, information in FBI files pursuant to the Privacy Act.

Section 6: Information Security

6.1 Indicate all that apply.

6.2 Describe how access and security controls were utilized to protect privacy and reduce the risk of unauthorized access and disclosure.

Please see Section 4.2 for specific access and security control descriptions.  In addition, the NGI system NIST 800-53 security control baseline is at the HIGH impact level of assurance.  Security controls are continually assessed during the development life cycle for compliance and to ensure appropriate mitigation strategies have been implemented commensurate with the HIGH impact level of assurance.                    

Section 7:  Privacy Act

7.1  Indicate whether a system of records is being created under the Privacy Act, 5 U.S.C. § 552a. (Check the applicable block below and add the supplementary information requested.)

7.2  Analysis:  Describe how information in the system about United States citizens and/or lawfully admitted permanent resident aliens is or will be retrieved.

Information pertaining to United States citizens and permanent resident aliens will be retrieved by fingerprints, as explained above in Section 1, Description of the Information System. For purposes of access and retrieval, NGI will make no distinctions based on an individual’s citizenship or residence.

End Notes

[1] Public Law 92-554 permits the FBI to exchange criminal history record information with officials of state and local governments if the state employment and licensing statutes meet certain criteria and are approved by the Attorney General, whose approval authority has been delegated to the FBI pursuant to 28 C.F.R. §0.85.

[2] The FBI will be publishing a subsequent PIA that addresses the “Rap Back” feature of NGI wherein authorized users may enroll the retained civil fingerprints to receive notifications of subsequent criminal events.