Privacy Impact Assessment Violent Criminal Apprehension Program (VICAP) July 18, 2003

I. BACKGROUND

This PIA is conducted pursuant to Section 208 of the E-Government Act of 2002, P.L. 107-347, the accompanying guidelines issued by the Office of Management and Budget (OMB) on September 26, 2003, and the FBI's own PIA guidelines.

The FBI's Critical Incident Response Group (CIRG), National Center for the Analysis of Violent Crime (NCAVC), Violent Crime Apprehension Program (VICAP) facilitates communication and coordination between law enforcement agencies that investigate, track, and apprehend violent serial offenders. VICAP maintains a nationwide data information center that collects, collates, and analyzes crimes of violence (i.e., homicide, attempted homicide, missing persons, child abductions, sexual assaults, and unidentified deceased persons). VICAP analysts examine crime data and patterns to identify potential similarities among crimes, create investigative matrices, develop time-lines, and identify homicide and sexual assault trends and patterns.

In 2002, CIRG began developing a state of the art web-enabled software for VICAP. The software will enable non-FBI federal, state, and local VICAP users to directly enter data into the national database located on a server in FBI controlled space. Users will be able to access the system via commercially available service providers and Law Enforcement Online (LEO). Additionally, users will be able to retrieve and analyze cases, query against the national database, and run reports. VICAP records include, but are not limited to, crime scene descriptions, victim and offender descriptive data, laboratory reports, criminal history records, court records, news media references, crime scene photographs and statements. The data consists of cases involving homicides, missing persons, unidentified dead, sexual assaults and other criminal cases.

II. ASSESSMENT

A. What information is to be collected?

VICAP contains crime scene descriptions, victim and offender descriptive data, including name and other personal identifying information, laboratory reports, criminal history records, court records, news media references, crime scene photographs and statements. The data consists of cases involving homicides, missing persons, unidentified dead, sexual assaults and other criminal cases.

B. Why is the information being collected?

The information is being collected to identify and match violent crime cases based upon characteristics, modus operandi, etc.

C. What is the intended use of the information?

The information is used to investigate, track and apprehend violent serial offenders.

D. With whom will the information be shared?

Information is shared with federal, state and local crime law enforcement agencies investigating, tracking and apprehending violent serial offenders.

E. What notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared?

Due to the nature of information in VICAP, individuals are not provided with an opportunity to consent to the collection or use of the information.

F. How will the information be secured?

Agencies granted access to VICAP are required to establish and maintain a system of access controls through administrative, physical, and technological safeguards. In addition, the FBI requires that access be limited to authorized personnel and authorized visitors. Physical security protections include guards and locked facilities requiring badges and passwords for access. Records may only be accessed by authorized government personnel and must be protected by appropriate physical and technological safeguards to prevent unauthorized access.

G. Is a system of records being created under section 552a of title 5, United States Code, (commonly referred to as the "Privacy Act")?

Yes. VICAP does qualify as a system of records for the purposes of the Privacy Act. VICAP records are covered by the Privacy Act System Notice for NCAVC, therefore a new Privacy Act system notice is not required. See 58 Fed. Reg. 51,877-51,878 (10/05/1993).

H. What choices did the FBI make regarding an IT system or collection of information as a result of performing the PIA?

As a result of conducting the PIA, to protect the personal privacy of individuals, CIRG must ensure that any contracts with outside entities specify that contractors are subject to the requirements of the Privacy Act as provided in 5 U.S.C. 552a(m). Additionally, CIRG must ensure that contractors execute Non-Disclosure Agreements.

III. APPROVAL

The FBI's Senior Privacy Official has reviewed VICAP, and taking into account the need for this system and the privacy risks and protections discussed herein, approves the FBI's use of this database.