72 FR 56793

72 FR 56793 / 10-04-07

Summary: Pursuant to the Privacy Act of 1974 (5 U.S.C. 552a) and Office of Management and Budget (OMB) Circular A-130, notice is hereby given that the Department of Justice, Federal Bureau of Investigation (FBI), proposes to establish a new system of records entitled "Law Enforcement National Data Exchange (N-DEx)," DOJ/FBI-020.

Supplementary Information: The Department of Justice (DOJ) and its component agency, the FBI, have identified improved information sharing with the entire law enforcement community as a key goal and the focus of the Department's Law Enforcement Information Sharing Program (LEISP). The Law Enforcement National Data Exchange (N-DEx) Program is at the heart of the LEISP and will improve information sharing for law enforcement purposes. The N-DEx, operated under the aegis of the FBI's Criminal Justice Information Services (CJIS) Division, is a scalable information sharing network that will provide the capability to make potential linkages between crime incidents, criminal investigations, arrests, bookings, incarcerations, and parole and/or probation information in order to help solve, deter and prevent crimes and, in the process, enhance homeland security.

The N-DEx will be populated by data that is already collected by law enforcement agencies at the Federal, State, local and tribal levels in fulfilling their functions, such as incident, offense and case reports. The N-DEx, however, will facilitate the combination of this data in one secure repository in order to be reviewed for connections, trends or similarities that will help facilitate the deterrence, prevention and resolution of crimes. Each data contributor will provide information subject to conditions elaborated in a memorandum of understanding or based on Federal law that are expected to reserve ultimate control and disposition of the data to the contributing agencies. Although the N-DEx will facilitate comparisons of seemingly disparate data, the information may not be used as a basis for action or disseminated beyond the recipient without that recipient first obtaining permission of the record owner/contributor. This permission policy, which may be waived only where there is an actual or potential threat of terrorism, immediate danger of death or serious physical injury to any person or imminent harm to national security, will help ensure that information maintained in the system is verified and updated as necessary. These rules will be enforced through strong and consistent audit procedures.

All data contributors will be responsible for ensuring that information they share is relevant, timely, complete, and accurate and periodic updates will be required in order to enhance data and system integrity.

System access will be based on a user's job function in his or her respective agency and will also be conditioned on access limits prescribed by the data contributor, which can range from unrestricted sharing to highly restricted access.

Because the N-DEx contains criminal law enforcement information, the Attorney General is proposing to exempt this system from certain portions of the Privacy Act, as permitted by law, to protect sensitive information contained in this system and to prevent the compromise of ongoing law enforcement investigations and sources and methods. As required by the Privacy Act, a proposed rule is being published concurrently with this notice to seek public comment on the proposal to exempt this system.

In addition, in accordance with Privacy Act requirements (5 U.S.C. 552a(r)), the Department of Justice has provided a report on this new system of records to OMB and the Congress. A description of the N-DEx system of records appears below.


System Name: Law Enforcement National Data Exchange (N-DEx)

Security Classification: Sensitive But Unclassified.

System Location: Records will be located at the Federal Bureau of Investigation (FBI), Criminal Justice Information Services (CJIS) Division, 1000 Custer Hollow Road, Clarksburg, WV 26306, and at appropriate locations for system back-up and continuity of operations purposes.

Categories of Individuals Covered by the System: The N-DEx will cover any individual who is identified in a law enforcement report concerning a crime incident or criminal investigation. These individuals include, but are not limited to: Subjects; suspects; associates; victims; persons of interest; witnesses; and/or any individual named in an arrest, booking, parole and/or probation report.

Categories of Records in the System: The N-DEx will contain information collected by criminal justice agencies that is needed for the performance of their legally authorized, required function. The records in the system consist of incident, offense and case reports as well as arrest, booking, incarceration, and parole and/or probation information from Federal, State, local and tribal law enforcement entities. Identifying information in this system will include, but not be limited to: Name(s); sex; race; citizenship; date and place of birth; address(es); telephone number(s); social security number(s) or other unique identifiers; physical description (including height, weight, hair color, eye color, gender); occupation and vehicle identifiers. Data from the FBI's CJIS Division, including the National Crime Information Center (NCIC), the Interstate Identification Index (III), and Integrated Automated Fingerprint Identification System (IAFIS), will be made available to the system for queries, but the N-DEx will not contain copies of these databases.

The information contributed by Federal, State, local and tribal law enforcement entities will be formatted using the National Information Exchange Model (NIEM), a single standard Extensible Markup Language (XML) foundation for exchanging information between agencies, in order to facilitate information sharing.

Authority for Maintenance of the System: The system is established and maintained in accordance with 28 U.S.C. 533, 534; 28 CFR 0.85 and 28 CFR part 20.

Purpose(s): The purpose of the N-DEx system is to enhance the interconnectivity of criminal justice databases in order to improve the sharing of multiple levels of criminal justice data to further criminal justice objectives for crime analysis, law enforcement administration, and strategic/tactical operations in investigating, reporting, solving, and preventing crime, and, thereby, improving homeland security. The N-DEx system will allow Federal, State, local and tribal law enforcement agencies to compare and/or link criminal incidents and/or investigations occurring in their own jurisdictions with those in other jurisdictions throughout the country.

Routine Uses of Records Maintained in the System, Including categories of Users and the Purposes of Such Uses: In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside the FBI as a routine use pursuant to 5 U.S.C. 552a(b)(3), to the extent such disclosures are compatible with the purpose for which the information was collected, in accordance with any blanket routine uses established for FBI record systems. For current blanket routine uses, see Blanket Routine Uses (BRU) Applicable to More Than One FBI Privacy Act System of Records, Justice/FBI-BRU, published in the Federal Register at 66 FR 33558 (June 22, 2001) and amended at 70 FR 7513 (Feb. 14, 2005). Routine uses are not meant to be mutually exclusive and may overlap in some cases. In addition, the FBI may disclose relevant system records as follows:

A) To any criminal, civil, or regulatory law enforcement authority (whether Federal, State, local, territorial, tribal, or foreign) where the information is relevant to the recipient entity's law enforcement or homeland security responsibilities.
B) To a Federal, State, local, joint, tribal, foreign, international, or other public agency/organization, or to any person or entity in either the public or private sector, domestic or foreign, where such disclosure may facilitate the apprehension of fugitives, the location of missing persons, the location and/or return of stolen property or similar criminal justice objectives.
C) To any person or entity in either the public or private sector, domestic or foreign, if deemed by the FBI to be reasonably necessary to elicit information or cooperation from the recipient for use in furthering the purposes of the system.
D) To appropriate agencies, entities, and persons when (1) The Department of Justice suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department of Justice has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft, or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department of Justice's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.
E) To those agencies, entities and persons the FBI may consider necessary or appropriate incident to the ensuring the continuity of government functions in the event of any actual or potential significant disruption of normal operations.

Disclosure to Consumer Reporting Agencies: Not Applicable.

Policies and Practices for Storing, Retrieving, Accessing, Retaining and Disposing of Records in the System:
Storage: Most information is maintained in electronic form and stored in computer memory, on disk storage, on computer tape, or other computer media. However, some information may also be maintained by the contributing agency in hard copy (paper) or other form.

Retrievability: Information will be retrieved by linkages based on identifying data collected on involved persons, places and things, and other non- specific descriptions of circumstances to identify events with a common modus operandi. This could include individual names or other personal identifiers.

Safeguards: System records are maintained in limited access space in FBI controlled facilities and offices. Computerized data is password protected. All FBI personnel are required to pass an extensive background investigation. The information is accessed only by authorized DOJ personnel or by non-DOJ personnel properly authorized to assist in the conduct of an agency function related to these records. Authorized system users will have adequate physical security and built in controls to protect against unauthorized personnel gaining access to the equipment and/or the information stored in it.

Retention and Disposal: The information within the N-DEx system will be contributed by Federal, State, local, and tribal law enforcement entities. All entities will be responsible for ensuring the relevance and currency of the information they contribute to the system and will have control and responsibility for the disposition of their own records through a process that will be documented by a memorandum of understanding or based upon Federal law. Those portions of the N-DEx that constitute Federal records will be subject to retention schedules for those documents that have been approved by the National Archives and Records Administration (NARA). In addition, N-DEx, itself, will result in the creation of metadata or an audit log that reflects any correlation between any of the submitted records, as well as information about user activity. A schedule for disposition of this metadata will be submitted to NARA for approval.

System Managers(s) and Address: Director, Federal Bureau of Investigation, 935 Pennsylvania Ave., NW., Washington, DC 20535-0001.

Notification Procedures: Same as Record Access Procedures.

Record Access Procedures: Because this system contains law enforcement records, the records in this system have been exempted from notification, access, and amendment to the extent permitted by subsection (j) of the Privacy Act. An individual who is the subject of one or more records in this system may be notified of records that are not exempt from notification and, accordingly, may access those records that are not exempt from disclosure. A request for access to a non-exempt record shall be made in writing with the envelope and the letter clearly marked "Privacy Act Request." Requests should include full name and complete address and be signed. To verify the signature it must be notarized or submitted under 28 U.S.C. 1746, a law that permits statements to be made under penalty of perjury as a substitute for notarization. Other identifying data that will assist in making a proper search of the system may also be submitted. Requests for access must be addressed to the Record/Information Dissemination Section, Federal Bureau of Investigation, 935 Pennsylvania Avenue, NW., Washington, DC 20535-0001.

A determination on notification and access, in the sole prerogative of the FBI, will be made at the time a request is received.

Contesting Record Procedures: To contest or amend information maintained in the system, an individual should direct his/her request to the address provided above, stating clearly and concisely what information is being contested, the reasons for contesting it, and the proposed amendment to the information sought.

Some information may be exempt from contesting record procedures as described in the section titled "Exemptions Claimed for the System." An individual who is the subject of one or more records in this system may contest and pursue amendment of those records that are not exempt. A determination whether a record may be subject to amendment will be made at the time a request is received.

Record Source Categories: Information contained in the N-DEx system is obtained from Federal, State, local, and tribal criminal justice agencies.

Exemptions Claimed for the System: The Attorney General has exempted this system from subsection (c)(3) and (4); (d)(1), (2), (3) and (4); (e)(1), (2), (3), (5) and (8); and (g) of the Privacy Act pursuant to 5 U.S.C. 552a(j)(2). Rules have been promulgated in accordance with the requirements of 5 U.S.C. 553(b), (c), and (e), and are published in today's Federal Register.

September 25, 2007