Privacy Impact Assessment for the Fingerprint Identification Records System (FIRS) Integrated Automated Fingerprint Identification System (IAFIS) Outsourcing for Noncriminal Justice Purposes - Channeling
May 5, 2008
Programs Support Section
FBI CJIS Division
Phone: (304) 625-2615
Kenneth P. Mortensen
Acting Chief Privacy and Civil Liberties Officer
Department of Justice
I-1 FBI-maintained Criminal History Record Information (CHRI)
The FBI maintains an automated database that integrates criminal history records, including arrest information and corresponding disposition information, submitted by Federal, State, local, tribal, and certain foreign criminal justice agencies. Each State has a criminal records repository responsible for the collection and maintenance of criminal history records submitted by law enforcement agencies in its State. The State record repositories are the primary source of criminal history records maintained at the FBI. Currently, the FBI maintains criminal history records on more than 56.8 million different individuals, with many of the individuals having multiple entries of separate encounters with the criminal justice system.
The basic Federal authority for the Attorney General to maintain criminal history information is found at 28 United States Code (U.S.C.), § 534, which provides that the Attorney General shall “acquire, collect, classify, and preserve identification, criminal identification, crime, and other records.” That law also provides for the sharing of the information, by requiring that the Attorney General “exchange such records and information with, and for the official use of, authorized officials of the Federal Government, including the United States Sentencing Commission, the States, cities, and penal institutions.” The States are not required to provide this information to the Attorney General, but do so voluntarily in order to gain the mutual benefit of having ready access to criminal history information on individuals who have resided in multiple States.
I-1.2 Definition of CHRI
As defined at 28 Code of Federal Regulations (CFR), § 20.3, CHRI means information collected by criminal justice agencies on individuals consisting of identifiable descriptions and notations of arrests, detentions, indictments, informations, or other formal criminal charges, and any disposition arising therefrom, including acquittal, sentencing, correctional supervision, and release. The term does not include identification information such as fingerprint records if such information does not indicate the individual’s involvement with the criminal justice system. CHRI is considered sensitive but unclassified (SBU) data.
I-2 Fingerprint Identification
I-2.1 The FBI Criminal Justice Information Services (CJIS) Division
Fingerprint identification has been a major responsibility of the FBI since 1924 and fingerprints have been a key part of the FBI’s national criminal history record system. The FBI’s CJIS Division was established in February 1992 to serve as the focal point and central repository for criminal justice information services in the FBI. It is the FBI’s largest division and is responsible for administering several programs, including the Integrated Automated Fingerprint Identification System (IAFIS), the National Crime Information Center (NCIC), (including files of interest to law enforcement, such as those relating to wanted persons, civil protection orders, registered sex offenders, and missing persons), the national criminal history record index known as the Interstate Identification Index (III or “Triple I”), and the National Instant Criminal Background Check System (NICS) (which processes background checks on prospective purchasers of firearms from Federal firearms licensees).
For most of the life of the FBI criminal history record system, record submissions and record requests were supported by ink and paper fingerprints. During the 1980s, however, technology was developed allowing State repositories to collect fingerprints and search against fingerprint databases digitally. To meet the growing demand for fingerprint identification, the FBI developed and implemented IAFIS, which became operational on July 28, 1999. IAFIS integrates fingerprint records that have been sent to the FBI by the States and territories and Federal law enforcement agencies, all of which have established their own Automated Fingerprint Identification Systems (AFIS). IAFIS provides automated fingerprint search capabilities, latent fingerprint searching capability, electronic image storage, and electronic exchange of fingerprints and responses 24 hours a day, 365 days a year. IAFIS currently processes an average of over 63, 000 fingerprint receipts daily, 91% of which are electronic submissions. Over 96% of electronic criminal submissions are completed in less than two hours. IAFIS also processes civil submissions, which are normally completed in less than 24 hours. IAFIS allows for the automated submission and amendment of fingerprint-based criminal history records by the State record repositories, as well as automated fingerprint searches of the records. Paper fingerprint submissions are digitally scanned into the system. A large percentage of fingerprints are now “live-scanned” into the system, which means original fingerprints are captured digitally without the involvement of paper prints.
IAFIS is a component of the FBI Privacy Act system of records “Fingerprint Identification Records System” (FIRS) (Justice/FBI-009) (64 FR 52343, 52347). (The FBI has previously described the III as being a part of the NCIC system of records (Justice/FBI-001) (64 FR 52343), but we are in the process of re-characterizing it as being a part of the FIRS.) Categories of fingerprints currently maintained by the FBI include: persons fingerprinted as a result of arrest, incarceration, or other authorized criminal justice purpose; persons fingerprinted for employment, licensing, security assessments, or other authorized noncriminal justice purpose, such as authorized Federal background check programs and military service; persons fingerprinted for visa, alien registration, immigration, naturalization, or related Department of State or Department of Homeland Security purposes; persons desiring to have their fingerprints placed on record with the FBI for personal identification purposes; individuals fingerprinted for authorized national security purposes; individuals with footprints, palm prints, photographs, or other biometric identifiers that have been taken for authorized purposes enumerated above; and individuals who leave latent fingerprints, palm prints, photographic images, or other biometric indicators at locations or on items associated with criminal activity or otherwise having a lawful investigative or national security interest.
I-2.3 THE III
The III segment of IAFIS is the national system designed to provide automated CHRI. The III is an index‑pointer system that allows for the exchange of criminal history records (“rap sheets”). The III stores the criminal history records of Federal offenders and those offenders submitted by participating and non‑participating III States. All information in the III is supported by fingerprint submissions. Under the III, the FBI maintains an index of persons arrested for felonies or misdemeanors under either State or Federal law. The index includes identification data such as name, birth date, race, and sex. In addition, the index contains FBI and State identification numbers (SID) from each State that has information about an individual. Search queries using names and other identifiers are made by law enforcement agencies throughout the country. The automated name search process takes about two seconds and if a hit occurs, record requests are made using the associated SID or FBI number. Data are automatically retrieved from the appropriate repositories, including State repositories, and forwarded to the requesting agency. As of December 2006, forty‑eight States were participating in III.
I-2.4 Fingerprint-supported Records
Each criminal history record indexed in the III is created through the submission of fingerprint images to IAFIS. The III‑participating States establish and update records within III through the submission of first and subsequent fingerprint images of arrested subjects. The requirement of 10-rolled fingerprints from record subjects for submission and acceptance of the information in the III permits subsequent positive identifications when there are fingerprint matches. IAFIS also allows for the comparison of latent fingerprint impressions obtained from crime scenes for possible leads in criminal investigations.
I-2.5 The National Fingerprint File and Record Decentralization
III-participating States provide requested criminal history records when an electronic inquiry for a State-maintained record is processed by the III System. Each state participating in the III’s National Fingerprint File (NFF) submits only the first arrest fingerprint images on a subject to establish a pointer record within the III. Any subsequent activity related to the person whose fingerprints have been placed in the NFF, such as disposition reports, expungements, or subsequent arrests, are maintained solely at the State level by the NFF participating State. All subsequent criminal history information about that arrest and any subsequent arrests within that state are maintained at the State level and disseminated by that State, rather than the FBI. This record management approach avoids the redundancy of the State keeping records at the State level and also having to update its records at the FBI level. The NFF also has the advantage of allowing a State to share all records that it has on a subject in response to a national record search, some of which were never submitted to or accepted by the FBI. In other words, full participation in the NFF program would enable a national fingerprint check to respond with the records held at the State level by all 50 States.
The National Crime Prevention and Privacy Compact Act of 1998 (Compact) requires the FBI to participate in the NFF. As of September 3, 2006, nine States (Colorado, Florida, New Jersey, North Carolina, Montana, Oklahoma, Oregon, Kansas, and Idaho) are participating in the NFF, and the FBI is working with additional States that intend to participate in the NFF.
I-2.6 Providing CHRI to Contractors for Criminal Justice Purposes.
To maximize the technical capabilities available with IAFIS, regulations were promulgated in 1999 that authorize contractors performing administration of criminal justice functions on behalf of criminal justice agencies access to CHRI if prerequisites are in place to protect the privacy and security of FBI-provided data . The September 28, 1999, FIRS SORN (Justice/FBI-009) provides that identification and CHRI may be provided to private contractors pursuant to specific agreements with criminal justice agencies or noncriminal justice agencies performing criminal justice dispatching functions or data processing/information service for criminal justice agencies when appropriate controls are in place.
I-3 Outsourcing For Noncriminal Justice Purposes - Channeling
This PIA addresses the extension of outsourcing authority to the processing of CHRI inquiries for noncriminal justice purposes. Noncriminal justice fingerprint submissions now exceed the number of fingerprints submitted to the FBI for criminal justice purposes, and the number is expected to grow. Many of these submissions are for Federally authorized initiatives, and State legislatures have the ability to authorize such noncriminal justice checks for licensing and employment purposes. Nongovernmental agencies have on occasion been authorized access to the FIRS for criminal history record checks.
Recognizing the inefficiencies involved in sending fingerprint submissions to the FBI by mail or electronically by entities not authorized to receive the results of criminal history record checks, the Compact Council promulgated the Outsourcing of Noncriminal Justice Administrative Functions Final Rule (Final Rule) whereby authorized recipients would be permitted to send fingerprints to the FBI via pre-approved channelers. In an effort to evaluate and select pre-approved channelers, the FBI published a Request For Proposal, received and evaluated the proposals pursuant to the Federal Acquisition Regulation, and selected 19 contractors to serve as channelers. The Final Rule specifically limits the use of criminal history record check results to the purpose for which it was provided, and such results are provided to channelers merely for dissemination to authorized recipients.
The Compact Council provided for channelers in its Interim Final Rule dated December 16, 2004 (69 FR 75243) (Attachment 2) and the Final Rule dated December 15, 2005 (70 FR 74200) (Attachment 3). The approved Security and Management Control Outsourcing Standard (Outsourcing Standard) was also published December 15, 2005 (70 FR 74373) (Attachment 4) and must be incorporated by reference into every contract between an approved channeler and an authorized recipient [of criminal history record check results].
It is also important to note that channelers do not work for the FBI and their systems are not part of the FBI’s certification and accreditation program. Instead, channelers work as agents for authorized recipients to expedite authorized fingerprint submissions to the CJIS Division for noncriminal justice purposes, to receive the results of the criminal history checks from the FBI, and promptly forward those results to the authorized recipient. (The CJIS Division configures the channeler’s equipment to ensure secure communications with the FBI).
The basic change discussed in this Privacy Impact Assessment relates to authorized recipients of criminal history record checks for noncriminal justice purposes utilizing a channeler to expedite the criminal history record checks. To take advantage of this procedure, an authorized recipient must first contract with an FBI pre-approved channeler that has provided a written proposal containing assurances that it will comply with privacy and security considerations mandated by the Compact Council. The small number of channelers that will have direct access to the CJIS Division Wide Area Network (WAN) for the purpose of expediting criminal history record checks for noncriminal justice purposes is significantly less than the number of contractors having name-based access for criminal justice purposes.
To better explain the term “Channeler,” as used in the FBI’s RFP, the following verbiage was provided in the solicitation: “Channelers will obtain contracts with Authorized Recipients, receive noncriminal justice applicant fingerprint submissions and collect the associated fees, ensure fingerprint submissions are properly and adequately completed, electronically forward fingerprint submissions to the FBI’s CJIS Division for national noncriminal justice criminal history record checks, and receive electronic record check results for dissemination to Authorized Recipients.” A channeler is essentially an “expediter” rather than a user of criminal history record check results.
Section 1.0 The System and the Information Collected and Stored within the System.
The following questions are intended to define the scope of the information in the system, specifically the nature of the information and the sources from which it is obtained:
1.1 What information is to be collected?
Information collected and disseminated is CHRI. (See “Definition of CHRI” at page 2 above).
No additional information is being collected; instead, this initiative involves changes in the way fingerprint submissions are provided to the CJIS Division (by pre-approved channelers) and the way results of criminal history record checks are provided to authorized recipients electing to use this process.
1.2 From whom is the information collected?
Fingerprints, associated descriptive data, and arrest cycles are submitted to the FBI by Federal, State, local, tribal, and some foreign law enforcement agencies, which are maintained by the CJIS Division and considered to be CHRI.
For noncriminal justice purposes, fingerprints are collected from individuals undergoing noncriminal justice criminal history record checks identified in Section 2.1. The noncriminal justice fingerprint submissions are compared against the fingerprints maintained in the FIRS to determine whether there are matches. Results of these comparisons are returned to authorized recipients as permitted by statute, executive order, or regulation or order of the Attorney General of the United States. This initiative does not expand the categories of individuals from whom fingerprints may be submitted to or maintained by the FBI CJIS Division.
Currently, fingerprints are obtained and forwarded to the authorized recipient, who in turn forward the fingerprints to the FBI for a national criminal history background check. Under this initiative, authorized recipients may elect to use pre-approved channelers to electronically submit fingerprints to the CJIS Division.
Section 2.0 The Purpose of the System and the Information Collected and Stored within the System.
The following questions are intended to delineate clearly the purpose for which information is collected in the system:
2.1 Why is the information being collected?
Individuals applying for noncriminal justice benefits (e.g., employment, licensing) are sometimes required to submit fingerprints to the FBI for criminal history record checks when authorized by Federal statute, State statute pursuant to Public Law 92-544, 86 Stat. 1115, Presidential Executive Order, or regulation of the United States Attorney General. (See 28 CFR 20.31 (b)). The FBI compares the fingerprints against FBI-maintained criminal history identification records and appropriate responses are provided to authorized recipients. (E.g., “no record found” or the applicable “rap sheets”).
2.2 What specific legal authorities, arrangements, and/or agreements authorize the collection of information?
The underlying authorities for the FIRS and NCIC include the broad general authority of 28 U.S.C. § 534 and 42 U.S.C.§ 14616. In addition, numerous Federal and State statutes provide specific authorities for particular types of matters.
2.3 Privacy Impact Analysis: Given the amount and type of information collected, as well as the purpose, discuss what privacy risks were identified and how they were mitigated.
Although individual arrest cycles are generally available to the public at police stations or courthouses, the CHRI being provided to authorized recipients via channelers is nonetheless considered to be sensitive information warranting appropriate protection. The CHRI maintained by the CJIS Division is more sensitive because it is a compilation of data from many sources. (See U.S. DOJ v. Reporters Committee For Freedom of the Press, 489 U.S. 749 (1989).)
FIRS has been in existence for decades, initially collecting criminal fingerprints and later collecting civil fingerprints as described in the September 28, 1999, SORN. To mitigate privacy risks, the CJIS Division has quality control standards in place to ensure accuracy of information, individuals are authorized to access their records for review and correction, and the CJIS Division has established an audit unit that is tasked with checking a representative sample of contractors and authorized recipients on a triennial basis. Additionally, both the CJIS Advisory Policy Board (APB) and the Compact Council have Sanction Committees to address alleged misuse of FIRS. Lastly, individuals contact the CJIS Division on occasion to allege misuse of Federal records by governmental agencies. These allegations are generally referred to the appropriate CJIS Systems Officer and the FBI responds to all such allegations.
The Compact Council promulgated a Final Rule for Outsourcing of Noncriminal Justice Administrative Functions on December 15, 2005. The Final Rule and Outsourcing Standard were published on December 15, 2005 (70 FR 74200; 70 FR 74373).
Although channelers have the potential for collecting and disseminating the results of criminal history record checks to other than authorized recipients, each contractor has agreed to abide by the Outsourcing Standard. This Outsourcing Standard’s written goal is to “provide adequate security and integrity for CHRI while under the control or management of an outsourced third party” (e.g., channeler). To achieve this result, each pre-approved channeler has agreed to, inter alia, enter into a CJIS WAN Memorandum of Understanding (MOU), and comply with the CJIS Security Policy, which is incorporated by reference into the Outsourcing Standard.
Channelers are subject to announced and unannounced audits to discover violations of contract provisions, CJIS Security Policy, and the Compact Council’s approved Outsourcing Standard. Violations can result in contract termination for channelers and access termination for other authorized recipients.
Prior to engaging in outsourcing, the authorized recipient shall: (a) Request and receive written permission from the appropriate Compact Officer; (b) provide the Compact Officer copies of the specific authority for the outsourced work, criminal history record check requirements, and/or a copy of the contract as requested; and (c) inquire of the FBI Compact Officer whether a prospective Contractor has any security violations.
The Compact Officer/Chief Administrator may not grant the authorized recipient permission to outsource unless there is an audit program in place to audit a representative sample of Contractors and authorized recipients within one year of contract execution and thereafter on a triennial basis.
Section 3.0 Uses of the System and the Information.
The following questions are intended to clearly delineate the intended uses of the information in the system.
3.1 Describe all uses of the information.
CHRI is used for both criminal and noncriminal justice purposes. There will be no new uses of the information pursuant to this initiative; however, information currently being provided to thousands of authorized recipients through the United States mail or electronically through governmental entities having CJIS Systems User Agreements with the FBI will now be provided electronically via an FBI pre-approved channeler when there are contracts in place that incorporate the “Outsourcing Standard” by reference. The channeler is responsible for ensuring that applicable authorized recipients receive the results of criminal history record checks in an expeditious manner.
3.2 Does the system analyze data to assist users in identifying previously unknown areas of note, concern, or pattern? (Sometimes referred to as data mining.)
No. Civil fingerprint submissions are compared to fingerprints contained in FIRS to determine whether the subject has an existing record. This system of records has been in existence for decades.
3.3 How will the information collected from individuals or derived from the system, including the system itself, be checked for accuracy?
The CJIS Division Audit Unit regularly checks a representative sample of Federal, State, local, and nongovernmental authorized recipients to ensure only authorized fingerprint submissions have been forwarded to the CJIS Division for criminal history record checks. The authorized recipient is responsible to ensure accurate and complete biographical information is included on these submissions and the fingerprints must be of sufficient quality or they will be rejected by the system. This initiative contractually requires the channeler to “ensure fingerprint submissions are properly and adequately completed” prior to submission to the FBI. Authorized recipients are allowed to resubmit fingerprints that are determined to be of insufficient quality at no additional expense.
3.4 What is the retention period for the data in the system? Has the applicable retention schedule been approved by the National Archives and Records Administration (NARA)?
NARA has determined that civil fingerprint submissions are to be destroyed when the individual reaches 75 years of age and criminal fingerprints are to be destroyed when the individual reaches 99 years of age.
3.5 Privacy Impact Analysis: Describe any types of controls that may be in place to ensure that information is handled in accordance with the above described uses.
The FIRS SORN, (See Footnote 3 of the PIA) provides the policies and practices for obtaining, storing, retrieving, accessing, retaining, and disposing of records in the FIRS, which is not being affected by this initiative. The SORN prescribes the retention period for the data in the system (See Section 3.4 of the PIA), which is not being affected by this initiative.
As noted in Section I‑3 of the PIA, the Outsourcing of Noncriminal Justice Administrative Functions Final Rule specifically limits the use of criminal history record check results to the purpose for which it was provided, and such results are provided to channelers merely for dissemination to authorized recipients. In essence, a channeler is an “expediter” rather than a user of criminal history record check results.
Sections H.3.1 and H.3.2.7 of the RFP requires channelers to have a fingerprint‑based criminal history record check conducted on each employee having direct access to CHRI prior to access to FBI CJIS systems, unless escorted by authorized personnel at all times.
Sections 3.3 and 4.4 of this PIA discuss the CJIS Division Audit Unit requirements for the channelers, noting that random audits are conducted to ensure authorized recipients are complying with the terms of the agreements. Also featured in Section 5.6 of the PIA, channelers are subject to announced and unannounced audits by authorized recipients, the State, or the FBI. Section 8.5 of the PIA discusses the established auditing procedures that are in place.
Section 5.1 of the PIA requires that all contracts between channelers and authorized recipients incorporate by reference the Outsourcing Standard. In Section 5.4 of the PIA, a channeler must comply with (1) contract provisions, (2) the Compact Council’s approved Outsourcing Standard, and (3) the CJIS Security Policy. Section 22.214.171.124 of the RFP provides that the Contractor shall ensure that each employee performing work under the contract is aware of the requirements of the Outsourcing Standard and the state and Federal laws governing the security and integrity of CHRI. The Contractor shall confirm that each employee understands the Outsourcing Standard requirements and laws that apply to his/her responsibilities. A non‑disclosure certificate must also be signed by each employee working under this initiative.
Section 5.7 of the PIA identifies sanctions that could be imposed upon a channeler for violating the terms of the contract.
Section I‑3, footnote 7 of the PIA, cites the Congressional authority that is provided to the Compact Council, to include “the authority to promulgate rules and procedures governing the use of the III System....” Also under Section I‑3 of the PIA, an authorized recipient must first contract with an FBI pre‑approved channeler that has provided a written proposal containing assurances that it will comply with privacy and security considerations mandated by the Compact Council. Section 8.8 of this PIA notes that the channelers will be subject to the security standards established by the Compact Council.
As provided in Section 6.4 of the PIA, channelers must comply with the contract, Outsourcing Standard, and the CJIS Security Policy. The Outsourcing Standard: (1) identifies the duties and responsibilities with respect to adequate internal controls within the contractual relationship so that the security and integrity of the III System and CHRI are not compromised; (2) outlines site security, dissemination restrictions, personnel security, system security, and data security; and (3) limits the use of the information to the purposes for which provided, ensures the confidentiality of the information, and provides for training, audits, and sanctions for violating the terms of the contract to include contract termination.
Section 4.0 Internal Sharing and Disclosure of Information within the System.
The following questions are intended to define the scope of sharing both within the Department of Justice and with other recipients.
4.1 With which internal components of the Department is the information shared?
All Departmental components have access to this information for all official criminal justice and noncriminal justice purposes.
4.2 For each recipient component or office, what information is shared and for what purpose?
The results of criminal history record checks conducted for authorized noncriminal justice purposes pursuant to a positive (fingerprint) match against FIRS data is provided to the relevant authorized recipient. The data may be accessed via name-based checks for criminal justice purposes, which is not part of this initiative.
4.3 How is the information transmitted or disclosed?
The results of most checks are returned to Departmental components electronically; however, check results could be mailed.
4.4 Privacy Impact Analysis: Given the internal sharing, discuss what privacy risks were identified and how they were mitigated.
All DOJ components must have access to CHRI in order to perform their official duties. However, to prevent unauthorized access for noncriminal justice purposes, the component must obtain and submit the subject’s fingerprints.
Additionally, those components receiving criminal history record check results electronically must have a CJIS Systems User Agreement Audit - Each agency shall be responsible for complying with all audit requirements for CJIS Systems. Each CSO is responsible for completing a triennial audit of all agencies with access to CJIS Systems through the CSO’s lines.” in place prior to record dissemination. Random audits are conducted to ensure authorized recipients are complying with the terms of those agreements. The particular statute, Federal executive order, or Attorney General order identifies the class of authorized recipients.
We do not anticipate that channelers will be used by DOJ components. However, if channelers should, at some time, be used by DOJ components, the process would be subject to risks and mitigations comparable to those described below.
Section 5.0 External Sharing and Disclosure.
The following questions are intended to define the content, scope, and authority for information sharing external to DOJ which includes foreign, Federal, State and local government, and the private sector.
5.1 With which external (non-DOJ) recipient(s) is the information shared?
The information is shared with thousands of government and private authorized recipients and will be provided to pre-approved channelers which have contracts with authorized recipients. The contract must incorporate the Outsourcing Standard by reference. The results of fingerprint-based criminal history record checks are provided to channelers pursuant to the above referenced Solicitation and subsequent contract for the sole purpose of forwarding criminal history record check results to applicable authorized recipients.
5.2 What information is shared and for what purpose?
Criminal history record check results are shared with criminal justice agencies for criminal justice purposes and with authorized recipients for noncriminal justice purposes as authorized by statute, executive order, or regulation. (See Section 2.1).
The channeling effort does not increase the number of authorized recipients; instead, authorized recipients will have the option of using channelers to electronically submit fingerprints to the CJIS Division for authorized noncriminal justice purposes and to receive the results of authorized criminal history record checks electronically via the channeler.
5.3 How is the information transmitted or disclosed?
Currently, the results of most checks are returned electronically; however, checks are sometimes mailed. Under this initiative, channelers will receive the results electronically.
5.4 Are there any agreements concerning the security and privacy of the data once it is shared?
Yes. Authorized recipients with electronic connectivity must sign CJIS Systems User Agreements and, if a channeler is involved, the channeler must comply with (1) contract provisions, (2) the Compact Council’s approved Outsourcing Standard, and (3) the CJIS Security Policy.
5.5 What type of training is required for users from agencies outside DOJ prior to receiving access to the information?
Channelers must comply with training requirements contained at 3.03 and 3.05 of the Outsourcing Standard. (See Attachment 4)
5.6 Are there any provisions in place for auditing the recipients’ use of the information?
Yes, channelers are subject to announced and unannounced audits by authorized recipients, the State, or the FBI.
5.7 Privacy Impact Analysis: Given the external sharing, what privacy risks were identified and describe how they were mitigated.
The identified privacy risk is that a channeler may violate the terms of the contract, Outsourcing Standard, and/or the CJIS Security Policy. Accordingly, the channeler is subject to announced and unannounced audits by applicable authorized recipients, State auditors, and FBI auditors. Sanctions for violating the terms of the contract include contract termination. In addition, the Privacy Act provides criminal sanctions for anyone who knowingly and willfully requests or obtains any record concerning an individual from a Federal agency under false pretenses. (5 U.S.C. § 552a(i))
Section 6.0 Notice
The following questions are directed at notice to the individual of the scope of information collected, the opportunity to consent to uses of said information, and the opportunity to decline to provide information.
The FIRS SORN was last published September 28, 1999. Additionally, the Compact Council published the Interim Final Rule on December 16, 2004 (69 FR 75243) which provided a comment period. The Final Rule was published on December 15, 2005 (70 FR 74200). The FBI also published in the Federal Register a notice of its intent to publish a RFP for those parties interested in becoming a channeler. (See Attachment 5). The public was informed that channelers would be used as conduits between authorized recipients and the FBI’s CJIS Division and there were no comments objecting to the use of channelers.
6.2 Do individuals have an opportunity and/or right to decline to provide information?
Individuals do not have the opportunity and/or right to decline to provide the underlying CHRI information, since this is obtained from criminal justice subjects incident to criminal justice processes.
However, individuals generally do have the opportunity and/or right to decline to provide their fingerprints for noncriminal justice purposes, since the individuals generally may opt to not pursue a noncriminal justice activity which requires a fingerprint check. Individuals who chose to engage in such a noncriminal justice activity do not have an option and/or right to object to the use of channelers for processing the fingerprint checks.
The use of channelers is left solely to the discretion of the authorized recipients. This initiative merely permits electronic submission of fingerprints to the FBI and the return of criminal history record checks via a pre-approved channeler when there is a contractual relationship between the channeler and the authorized recipient that incorporates the Outsourcing Standard by reference.
6.3 Do individuals have an opportunity to consent to particular uses of the information, and if so, what is the procedure by which an individual would provide such consent?
Individuals do not have the opportunity and/or right to consent to particular uses of the underlying CHRI information, since this is obtained from criminal justice subjects incident to criminal justice processes. However, any such uses must comply with the provisions of any applicable law, including the Privacy Act.
Authorization to collect fingerprint submissions for noncriminal justice purposes is contained in various statutes, Federal executive orders, and regulations. The primary use for such submissions is to check them against CHRI. Individuals generally do have the opportunity and/or right to decline to undergo such a check, since the individuals generally may opt to not pursue the noncriminal justice activity which requires the fingerprint check. Individuals generally do not have the opportunity and/or right to consent to subsequent uses of information provided in noncriminal justice checks. However, any such uses must comply with the provisions of any applicable law, including the Privacy Act. Fingerprint submissions retained in FIRS are available for subsequent purposes as authorized by Federal statute, regulation, or other authority, and the public is provided notice of such uses via the FIRS Privacy Act system of records notices. Individuals thus generally do have the opportunity and/or right to preclude such subsequent uses of their noncriminal justice information, since the individuals generally may opt to not pursue the noncriminal justice activity which requires the fingerprint check.
6.4 Privacy Impact Analysis: Given the notice provided to individuals above, describe what privacy risks were identified and how you mitigated them.
All authorized recipients are subject to provisions contained in the CJIS Security Policy, specific provisions in the CJIS Systems User Agreement, and are subject to access termination for violations of those provisions that are discovered during announced and unannounced audits. As noted in Section 6.1, there were no objections to the potential use of channelers as published in the Federal Register. Channelers must also comply with the contract, Outsourcing Standard, and the CJIS Security Policy which includes audits and sanctions for violating the terms of the contract which includes contract termination.
Section 7.0 Individual Access and Redress
The following questions concern an individual’s ability to ensure the accuracy of the information collected about him/her.
7.1 What are the procedures which allow individuals the opportunity to seek access to or redress of their own information?
Individuals may access CHRI in FIRS by complying with the provisions of 28 CFR § 16.30 - 16.34 and 28 CFR § 50.12.
7.2 How are individuals notified of the procedures for seeking access to or amendment of their information?
See 7.1. above. Additionally, the FBI responds to written and verbal requests for such procedures.
7.3 If no opportunity to seek amendment is provided, are any other redress alternatives available to the individual?
As provided above, there are procedures in place to allow review and correction of FIRS data.
7.4 Privacy Impact Analysis: Discuss any opportunities or procedures by which an individual can contest information contained in this system or actions taken as a result of agency reliance on information in the system.
Such procedures are fully covered in the regulations referenced above at 7.1. Additionally, individuals are encouraged to contact the entering agency to resolve any questions relating to complete, current, and accurate data.
Section 8.0 Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.
8.1. Which user group(s) will have access to the system?
Currently, authorized officials of the Federal Government, including the United States Sentencing Commission, the States, cities, and penal and other institutions may have access to the underlying information in FIRS for criminal justice purposes. Federal, State, local, and tribal agencies and private entities have access to the underlying information in FIRS for noncriminal justice purposes such as employment and licensing where authorized by Federal statute, State statute pursuant to Public Law 92-544, executive order, or regulation or order of the United States Attorney General. See 6.1 for additional references. This PIA does not change such access by the FIRS underlying users. The only new access encompassed by this PIA will be the limited access by channelers as described herein.
8.2 Will contractors to the Department have access to the system? If so, please submit a copy of the contract describing their role with this PIA.
Yes. Department support contractors and support contractors from other criminal justice agencies may have access to the underlying system, and in addition, access may be provided to contractors to whom criminal justice administrative services have been outsourced. (Also see footnotes 9 and 13.) These grandfathered contractors are not encompassed by the PIA.
The channelers encompasses by this PIA are not contractors to the Department, but instead will be contractors to the authorized users who choose to utilize them. However, the FBI has approved the channelers based upon requirements established by the FBI. These requirements are contained in RFP #06212005, released June 29, 2006. (See Attachment 1)
8.3 Does the system use “roles” to assign privileges to users of the system?
Yes. The system is not available to users unless there has been an application for, and assignment of, an Originating Agency Identifier (ORI) Number unique to each using entity. Each using entity may only access the types of information for the purposes as have been authorized for its ORI. Such access is strictly controlled and audited by the CJIS Division.
8.4 What procedures are in place to determine which users may access the system.
The applicable CJIS System Officer or appropriate FBI official must document each request for an ORI and reference the statute, regulation, or order that authorizes such access.
8.5 How are the actual assignments of roles and rules verified according to established security and auditing procedures?
On-site audits of channelers and a representative sample of all authorized recipients are performed by the CJIS audit staff, at a minimum, triennially. Additional audits may be performed if there are reasons to believe channelers or authorized recipients are not complying with applicable rules and standards.
8.6 What auditing measures and technical safeguards are in place to prevent misuse of data?
See 8.5 above. Additionally, recipients of electronic data from the FBI must have their equipment configured by the FBI to protect the security of the data before such data is transferred.
8.7 Describe what privacy training is provided to users either generally or specifically relevant to the functionality of the program or system?
The CJIS Systems User Agreement, the CJIS Security Policy , and the Security and Management Control Outsourcing Standard mandate such training. Verification is available via the triennial audits referenced above.
8.8 Is the data secured in accordance with FISMA requirements? If yes, when was Certification & Accreditation last completed?
Yes. IAFIS was certified and accredited on October 29, 2006. Channelers processing this information will occur outside the IAFIS system. However, the channelers will be subject to the security standards established by the Compact Council.
8.9 Privacy Impact Analysis: Given access and security controls, what privacy risks were identified and describe how they were mitigated?
See Section 2.3 above.
Section 9.0 Technology
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics and other technology.
9.1 Were competing technologies evaluated to assess and compare their ability to effectively achieve system goals?
Yes. System functional and security requirements are pre-established by the FBI prior to the introduction of new technologies. Functional system requirements are derived from end user needs, applicable laws, and established policy and/or guidelines. These requirements may be part of the Certification and Accreditation process.
9.2 Describe how data integrity, privacy, and security were analyzed as part of the decisions made for your system.
The FIRS system was established several decades ago, preceding the Privacy Act of 1974 and implementation of Privacy Impact Assessments as established during the last decade. Accordingly, many of these considerations have been lost due to the passage of time. However, the Certification and Accreditation Process, periodic audits, sanctions for misuse, and input from the CJIS APB substantiate the completeness of data integrity, privacy, and security issues. The CJIS Security Policy, Compact Council approved Outsourcing Standard, and contract provisions are used in concert to ensure full compliance with Privacy Act requirements and Department of Justice policies.
9.3 What design choices were made to enhance privacy?
Implementing an “ORI” process, retaining the right to configure communication equipment prior to electronic data transfer, establishing a triennial audit methodology, and providing for access/contract termination for violation of applicable statutes, rules, and procedures are used to enhance privacy.
Conclusion The concluding section should inform the reader, in summary fashion, how you constructed your system, program, rule, or technology based on privacy risks and mitigation strategies.
Fingerprints are currently submitted to the FBI for noncriminal justice purposes by mail and electronically via the CJIS WAN; however, the results of such CHRI checks must be returned by mail unless a WAN connection has been established. It would be economically impractical to establish such connections with every authorized recipient; accordingly, the Compact Council published a Rule that will allow authorized recipients to contract with an FBI-approved channeler to electronically submit fingerprints to the FBI and to receive the results of the fingerprint checks electronically for return to the authorized recipient. This procedure will utilize existing technology to save money and drastically improve processing time while protecting CHRI.
The preapproval of channelers will expedite receipt of criminal history record checks by authorized recipients. This initiative does not include the addition of records in FIRS, it does not increase the number of authorized recipients, and it does not authorize additional criminal history record checks for noncriminal justice purposes. Instead, this initiative merely utilizes existing technical abilities to ensure fingerprint-supported Federal record checks are provided to authorized recipients in a more timely fashion if the authorized recipients want to take advantage of the process by contracting with FBI pre-approved channelers.
Audits will regularly check to ensure channelers are complying with the CJIS Security Policy, the Outsourcing Standard, the contract, and an MOU with the CJIS Division. Violations of any provisions, policies or other outsourcing related documents can lead to termination of the contract.
Diane Shaffer Date
Approval Signature Page
David C. Larson for Patrick W. Kelley Date
Deputy General Counsel and
FBI Privacy and Civil Liberties Officer
Kenneth P. Mortensen Date
Acting Chief Privacy and Civil Liberties Officer
Department of Justice
See 42 U.S.C. § 14616.
See 28 CFR 20.33, which provides, in pertinent part: (a) CHRI contained in the III System and the FIRS may be made available: . . . . (7) To private contractors pursuant to a specific agreement with an agency identified in paragraphs (a)(1) or (a)(6) of this section and for the purpose of providing services for the administration of criminal justice pursuant to that agreement. The agreement must incorporate a security addendum approved by the Attorney General of the United States, which shall specifically authorize access to CHRI, limit the use of the information to the purposes for which it is provided, ensure the security and confidentiality of the information consistent with these regulations, provide for sanctions, and contain such other provisions as the Attorney General may require. The power and authority of the Attorney General hereunder shall be exercised by the FBI Director (or the Director’s designee). (See 64 FR 52223, dated September 28, 1999.)
64 FR 52343. Additionally, the SORN identifies categories of individuals covered by the system, categories of records in the system, authority for maintenance of the system, purposes for maintaining the system, and routine uses of information in the system. These areas are not being amended via this initiative.
E.g., HAZMAT-endorsed commercial driver licenses, Public Law 107-56; securities industries, Public Law 94-29. Many of these checks are initiated by authorized recipients sending fingerprint submissions directly to the FBI’s CJIS Division rather than through the State’s fingerprint repository. (e.g., Federally chartered or insured banking institutions per Public Law 92-544).
The Compact Council was established via the Compact and comprises 15 Federal, State, and local members who are appointed by the Attorney General. Congress provided the Compact Council with “the authority to promulgate rules and procedures governing the use of the III System for noncriminal justice purposes, not to conflict with FBI administration of the III System for criminal justice purposes.” (See 42 U.S.C. 14616, ARTICLE VI).
The instant initiative parallels the 1999 amendments to 28 CFR 20.33(a)(7) for criminal justice purposes and will allow authorized recipients of criminal history record check results for noncriminal justice purposes to contract with FBI pre-approved channelers to expedite authorized fingerprint submissions to the CJIS Division and receive the results of criminal history record checks more timely. “Channelers” are entities that will not only be able to send fingerprints to the FBI, but will also be able to expedite return of the results of criminal history record checks to the authorized recipient.
In addition to FBI audits, the CJIS Systems Officer’s (CSO’s) responsibilities include:
“Security - Each agency is responsible for appropriate security measures as applicable to physical security of terminals and telecommunication lines; personnel security to include background screening requirements; technical security to protect against unauthorized use; data security to include III use, dissemination, and logging; and actual security of criminal history records. Additionally, each CSO must ensure that all agencies establish an information security structure that provides for an Information Security Officer;” and
The CJIS Security Policy is considered to be Sensitive But Unclassified (SBU) material. This policy shall not be posted to a public website and discretion shall be exercised in sharing the contents of the policy with individuals and entities who are not engaged in law enforcement or the administration of criminal justice.
Section 4.3 provides: “The CSO shall ensure that security awareness training is provided at least once every three years to all personnel who manage or have access to FBI CJIS systems. All new employees who have access to FBI CJIS systems and all appropriate IT personnel shall receive security awareness training within six (6) months of their appointment or assignment. Documentation pertaining to the materials used and those employees which receive security awareness training shall be maintained in a current status.”
Section 3.06 provides: “The Contractor shall make its facilities available for announced and unannounced security inspections performed by the Authorized Recipient, the state, or the FBI on behalf of the Compact Council. Such facilities are also subject to triennial audits by the state and the FBI on behalf of the Compact Council. An audit may also be conducted on a more frequent basis.”
Equipment currently used for this type connection is estimated to cost between $10,000 and $20,000, communication circuits have an additional cost, and there must be an audit of each contractor during the first year of such outsourcing.