What is 28 CFR Part 23?
Who needs to comply with 28 CFR Part 23?
What impact is 28 CFR Part 23 having on the development and implementation of state and local criminal intelligence systems?
Considering the increased public awareness, how should the law enforcement community respond to privacy concerns?
What is the purpose of 28 CFR Part 23?
When does 28 CFR Part 23 apply to law enforcement practices?
Do an agency’s case management database, records management system, or similar databases have to comply with 28 CFR Part 23?
What are a “criminal intelligence system” and a “criminal intelligence project”?
What is “criminal intelligence”?
What is “reasonable suspicion”?
Can nonintelligence databases or sources be stored on the same server as criminal intelligence databases? Do the nonintelligence databases have to comply with 28 CFR Part 23?
Who is responsible for compliance with 28 CFR Part 23?
Who is allowed to participate in a criminal intelligence system, and what are their responsibilities?
When a submission to a criminal intelligence system is made, what information must be maintained by the submitting agency to comply with 28 CFR Part 23?
When an investigator makes a submission, 28 CFR Part 23 requires that it be labeled for level of sensitivity and level of confidence. What do these terms mean?
Should an investigator enter every known or suspected crime with which he or she comes in contact?
Can the names of individuals or organizations not reasonably suspected of involvement in criminal activity be included in a criminal intelligence database?
When can an investigator query a criminal intelligence system?
If there is a hit on an inquiry and criminal intelligence is disseminated, what are the responsibilities of the recipient?
What is an audit trail?
How long can a file stay in a criminal intelligence system, and what happens at the end of any designated time frame?
Can prison inmates and registered sex offenders be submitted to and maintained in a criminal intelligence database based on their status as a convicted criminal or a registered sex offender?
Are there specific requirements in the regulation relating to system security?
1. What is 28 CFR Part 23?
28 Code of Federal Regulations (CFR) Part 23 (28 CFR Part 23) is a regulation that governs interjurisdictional and multijurisdictional criminal intelligence systems that are operated by or on behalf of state and local law enforcement agencies and that are funded with certain federal funds (see next question). 28 CFR Part 23 is a federal regulation that was issued by the U.S. Department of Justice in 1980, revised in 1993, and clarified in 1998 to address circumstances that evolved with changing technologies and law enforcement needs. 28 CFR Part 23 is applicable to “criminal intelligence systems,” offering guidance on the collection, storage, and dissemination of criminal intelligence information. See www.iir.com/28CFR_Program/Resources for further information.
2. Who needs to comply with 28 CFR Part 23?
28 CFR Part 23 applies to any state or local law enforcement agency that operates a criminal intelligence system supported by funding from the Omnibus Crime Control and Safe Streets Act of 1968, as amended. Consequently, 28 CFR Part 23 applies to a very small number of criminal intelligence systems. The six Regional Information Sharing Systems (RISS) Centers are the best-known examples of programs that meet this requirement. The vast majority of agencies complying with 28 CFR Part 23 have voluntarily adopted the regulation.
28 CFR Part 23 has become the de facto national standard for sharing criminal intelligence information. This has happened over the last several years for a variety of reasons. The primary reason is that the regulation has been in place since 1980, with only minor revision and clarification to address emerging technology, providing clear and succinct guidance to hundreds of intelligence systems. Also, a recent impetus is that the National Criminal Intelligence Sharing Plan (NCISP) recommends the use of the regulation in order to ensure that the collection/submission, access or storage, and dissemination of criminal intelligence information by law enforcement agencies conform to the privacy and constitutional rights of individuals, groups, and organizations. The NCISP recommends that this occur regardless of whether or not an intelligence system is Crime Control Act-funded and therefore subject to the regulation. The adoption of 28 CFR Part 23 as a guideline allows agencies to demonstrate a good-faith effort toward protecting individuals’ rights, thereby protecting agencies from potential civil liability.
3. What impact is 28 CFR Part 23 having on the development and implementation of state and local criminal intelligence systems?
The impact of 28 CFR Part 23 has been the development and implementation of criminal intelligence system policies that address privacy and constitutional rights. 28 CFR Part 23, spurred by its adoption in the National Criminal Intelligence Sharing Plan (NCISP), has helped law enforcement focus on the need to incorporate sound policies into their criminal intelligence operations. The NCISP and the Fusion Center Guidelines, issued jointly by the U.S. Department of Justice (DOJ), DOJ’s Global Justice Information Sharing Initiative, and the U.S. Department of Homeland Security, call for the adoption of 28 CFR Part 23 as the minimum governing principles for criminal intelligence systems. The NCISP also recommends that law enforcement agencies adopt a sharing plan that respects and protects individuals’ privacy and civil rights.
The following are resources that can assist you in the information/intelligence field.
Global Privacy, Civil Rights, and Civil Liberties Policy Development Guide for State, Local, and Tribal Justice Entities
Law Enforcement Intelligence: A Guide for State, Local, and Tribal Law Enforcement Agencies
4. Considering the increased public awareness, how should the law enforcement community respond to privacy concerns?
Law enforcement recognizes that the public is concerned about what types of and how much information is being collected, as well as when and how that information is being used and shared. The events of September 11, 2001, have made the average American aware that law enforcement must collect and share information and intelligence. Conversely, the public is concerned about the scope of collecting and sharing information and its impact on civil liberties and privacy. The National Criminal Intelligence Sharing Plan (NCISP) offers an approach to protecting civil liberties by confining, structuring, and checking discretion through the establishment of sound policies, systematic training, and vigorous oversight. Also, law enforcement agencies should be prepared to answer the public’s questions on law enforcement information practices and be ready to show the public that they are very concerned with the rights of individuals and the need to protect the confidentiality of information.
5. What is the purpose of 28 CFR Part 23?
The purpose of 28 CFR Part 23 is to ensure the constitutional and privacy rights of individuals. Today’s environment of aggressive, proactive information collection and intelligence sharing is very similar to the environment that motivated Congress, in the Justice Systems Improvement Act of 1979, to require the issuance of 28 CFR Part 23 in the first place.
6. When does 28 CFR Part 23 apply to law enforcement practices?
The regulation applies to criminal intelligence systems whose purpose it is to exchange or disseminate criminal intelligence information. The regulation is applicable only to systems that are interjurisdictional or multiagency in nature. However, an agency should consider whether it shares criminal intelligence information by either informal practice or policy. If an agency expects or anticipates sharing criminal intelligence information with other agencies or jurisdictions, having a policy that incorporates the principles of 28 CFR Part 23 will benefit its operation.
7. Do an agency’s case management database, records management system, or similar databases have to comply with 28 CFR Part 23?
No. Case management databases, tips and leads files, records management systems, criminal history records, and other nonintelligence databases used and maintained by an agency are not required to comply with 28 CFR Part 23. The reason is twofold. First, the purpose of a case management database is different from that of a criminal intelligence database. Case management databases are designed to assist a law enforcement agency in managing its activities and provide factual information on subjects. Second, the information stored in these nonintelligence databases is not based on a determination of reasonable suspicion that a subject (individual or organization) is currently engaged in criminal activity. Much of the information stored in those databases tends to fall into one of two categories: uncorroborated information (such as tips) or fact-based information (such as arrest or criminal history information).
An investigator, for example, might start the process of developing a criminal case using the information contained in a tips and leads file. Investigating the tips and leads information could produce adequate information that, when analyzed, meets the reasonable suspicion standard. If it meets the reasonable suspicion standard, a record on that subject could be entered into a criminal intelligence database. The information from the tips and leads file, as well as any other investigative information gathered, should be kept as supporting documentation for that record.
8. What are a “criminal intelligence system” and a “criminal intelligence project”?
A criminal intelligence system provides a way to receive, store, and share or exchange criminal intelligence. According to 28 CFR Part 23, a criminal intelligence system includes the facilities, equipment, agreements, and procedures used for receipt, storage, interagency exchange or dissemination, and analysis of criminal intelligence. Many law enforcement agencies have established an electronic database to store and share criminal intelligence. Others participate in a criminal intelligence project, such as one of the six Regional Information Sharing Systems (RISS) Centers, that operates a criminal intelligence database. The regulation defines a criminal intelligence project as either "the unit within an agency or an organization on behalf of a group of agencies who operate a criminal intelligence system." The project typically manages the criminal intelligence system. Most criminal intelligence databases are “pointer index” systems containing subject and crime identification information (structured), while others are narrative or report-based (unstructured) criminal intelligence databases. 28 CFR Part 23 applies to both types of databases.
9. What is “criminal intelligence”?
Criminal intelligence is data that has been evaluated (analyzed) to determine that it (1) is relevant to the identification of and the criminal activity engaged in by an individual who or organization that is reasonably suspected of involvement in criminal activity and (2) meets criminal intelligence system submission criteria. It is information that is developed from data gathered by investigators and analysts. Criminal intelligence, because it has undergone some form of evaluation or analysis, indicates to law enforcement that the subject is likely to be involved in some definable criminal activity. It is more than separate pieces of information that by themselves mean nothing but, taken together, show an investigator or analyst something about the subject’s criminal involvement.
For example, when an investigator analyzes information and determines that there is “reasonable suspicion” that a subject (whether an individual, organization, gang, business, etc.) is involved in a definable criminal activity or enterprise, then that information qualifies as criminal intelligence and may be stored in a criminal intelligence database and disseminated as criminal intelligence information.
10. What is “reasonable suspicion”?
Reasonable suspicion, also referred to as criminal predicate, is established when information exists that establishes sufficient facts to give a trained law enforcement officer, investigator, or analyst a basis to believe that there is a reasonable possibility that an individual or organization is involved in a definable criminal activity or enterprise. Reasonable suspicion is the minimum threshold necessary for submission of a criminal intelligence record to a criminal intelligence database that complies with 28 CFR Part 23.
11. Can nonintelligence databases or sources be stored on the same server as criminal intelligence databases? Do the nonintelligence databases have to comply with 28 CFR Part 23?
Yes/No. The 1998 Policy Clarification (see www.iir.com/28CFR_Program/28CFR_Resources) states that criminal intelligence databases and nonintelligence databases and sources can be stored on the same server or computer system, provided sufficient precautions are in place to separate the different types of information and to make it clear to users that different types of data are being accessed. The security needs to be adequate to prevent unauthorized access to the criminal intelligence system. The clarification goes on to say that cross-database searches are acceptable provided it is clear that different databases are being accessed. Also, the clarification specifically states that nonintelligence systems are not required to meet 28 CFR Part 23.
12. Who is responsible for compliance with 28 CFR Part 23?
28 CFR Part 23 requires that either an organizational unit within an agency or an organization that operates the criminal intelligence system on behalf of multiple organizations or jurisdictions will be ultimately responsible for compliance with the regulation. This unit or organization is referred to as the Intelligence Project. The Project develops operating policies and procedures for the criminal intelligence system. The Project will also conduct audits and inspections to ensure participating agency compliance.
13. Who is allowed to participate in a criminal intelligence system, and what are their responsibilities?
A participating agency may be a local, county, tribal, parish, state, federal, or other governmental unit that exercises law enforcement or criminal investigative authority and that is authorized by the criminal intelligence system’s policy to submit and receive criminal intelligence information from the criminal intelligence system. Participating agencies agree to comply with 28 CFR Part 23 operating policies and procedures as they apply to the submission of information into a database or the receipt of information from a database. In addition, a participating agency agrees to maintain supporting documentation for each of its submissions and to participate in any audit and inspection processes. A written agreement between the criminal intelligence system and the participating agency should be executed to reflect the latter’s agreement to comply with 28 CFR Part 23 operating policies and procedures. Being a participating agency does not require that the agency’s criminal intelligence database comply with the regulation; rather, the compliance is limited to the participation in a criminal intelligence system that is subject to the regulation. Many agencies, including the FBI, are not required to comply with 28 CFR Part 23 as an agency but have agreed to comply in the narrow environment of participation in a project, such as one of the RISS Centers, which are subject to the regulation.
14. When a submission to a criminal intelligence system is made, what information must be maintained by the submitting agency to comply with 28 CFR Part 23?
The submitting agency must keep supporting documentation for each submission. The documentation must be kept while the record is maintained in the criminal intelligence system. The supporting documentation is the information that supports the determination of reasonable suspicion. This information may be from a variety of different sources, such as tips and leads, criminal history record information, information from an informant, or surveillance information. The supporting documentation may be kept in whatever format or manner is authorized by the submitting agency. The supporting documentation may be reviewed as part of the audit and inspection process.
15. When an investigator makes a submission, 28 CFR Part 23 requires that it be labeled for level of sensitivity and level of confidence. What do these terms mean?
The “level of sensitivity” refers to how the intelligence information should be disseminated. Typically, the submitter sets a designation to classify how the information will be released. The following is an example, from the 28 CFR Part 23 Sample Operating Policies and Procedures located on IIR’s Web site, of how a project may opt to set three levels of dissemination based on the sensitivity of the intelligence:
Open—disseminate the criminal intelligence file to the inquirer when there is a hit, with no further action required.
Release Agency Name Only—provide only the controlling agency name and contact information.
Restricted—do not disseminate the criminal intelligence file or even indicate that there has been a hit. Notify the controlling agency.
Projects will develop the levels of sensitivity and train all participating agencies as to the usage of each level.
The “level of confidence” gives the recipient an indication of how the submitter feels about the content of the file. Level of confidence is a two-part process:
“Source reliability” refers to the reliability of the source of the information.
“Content validity” refers to the accuracy or truthfulness of the information.
Most projects will establish a range for source reliability and content validity. The following are examples of those ranges from the Sample Operating Policies and Procedures:
Source reliability:
1. Reliable—the reliability of the source is unquestioned or has been well tested in the past.
2. Usually Reliable—the source can usually be relied upon.
3. Unreliable—the reliability of the source has been sporadic in the past.
4. Unknown—the reliability of the source cannot be judged.
Content validity:
1. Confirmed—information has been corroborated by an investigator or another reliable source.
2. Probable—the information is consistent with past accounts.
3. Doubtful—the information is inconsistent with past accounts.
4. Cannot be judged—the information cannot be judged.
These codes allow the inquirer to assess the value of the file. For example, if an inquirer gets a hit and reads a file from a RISS Center that has source reliability and content validity codes of 1 or 2, using the above example, then the recipient should deduce this to be very solid intelligence.
It should be noted that a combination of source reliability “unreliable” or “unknown” and content validity “doubtful” or “cannot be judged” would not meet the 28 CFR Part 23 reasonable suspicion standard and the information should not be entered into a criminal intelligence database.
16. Should an investigator enter every known or suspected crime with which he or she comes in contact?
No. 28 CFR Part 23 permits the entry only of criminal activity that constitutes a significant and recognized threat to the community. In general, 28 CFR Part 23 views such criminal activity to be multijurisdictional and/or organized criminal activity that involves a significant degree of permanent criminal organization or is undertaken for the purpose of seeking illegal power or profits or poses a threat to the life and property of citizens. This would normally not include traffic or other misdemeanor violations.
17. Can the names of individuals or organizations not reasonably suspected of involvement in criminal activity be included in a criminal intelligence database?
Yes. The 1998 Policy Clarification of 28 CFR Part 23 allows for the inclusion of such information as “noncriminal identifying information” if it is relevant to the identification of a criminal subject or the criminal activity. However, this type of information can be included only under the following circumstances:
Appropriate disclaimers or labels must accompany the information noting that it is strictly identifying information carrying no criminal connotation;
Identifying information may not be used as an independent basis to meet the requirement of reasonable suspicion of involvement in criminal activity necessary to create a record in a criminal intelligence system; and
The individual who is the criminal subject identified by this information must meet all requirements of 28 CFR Part 23.
The noncriminal identifying information may be added to an existing or new record of a criminal subject in the database. Also, note that noncriminal identifying information that pertains to a subject’s political, religious, or social views, associations, or activities can be entered only when it DIRECTLY relates to the criminal activity or involvement that the subject is reasonably suspected of being engaged in.
18. When can an investigator query a criminal intelligence system?
There is no threshold to make an inquiry other than a valid law enforcement purpose. Reasonable suspicion does not need to exist to make an inquiry. The criterion in the regulation is that information shall be disseminated only in response to an inquiry when there is a need to know and a right to know the information in the performance of a law enforcement activity.
19. If there is a hit on an inquiry and criminal intelligence is disseminated, what are the responsibilities of the recipient?
The recipient must agree to treat the disseminated criminal intelligence in a manner consistent with the operating principles established by 28 CFR Part 23.
20. What is an audit trail?
An audit trail is a log of each disseminated record. The audit trail should consist of the record name, the date disseminated, the recipient of the information, and the reason for release. The audit trail, primarily established for security purposes, allows the project to track the file, maintain compliance, and notify recipients if it turns out there is invalid information in a file.
21. How long can a file stay in a criminal intelligence system, and what happens at the end of any designated time frame?
The maximum retention period is five years. A record must be either purged at the end of the established retention period or undergo a review-and-validation process before the end of the retention period. If a record is purged, then it must be removed from the criminal intelligence system. If a record is reviewed and validated, it will receive a new retention period of up to five years. In order for a record to be validated, the submitting agency must determine that the subject is still reasonably suspected of involvement in current criminal activity. In other words, the submitting agency must determine that the record continues to meet the 28 CFR Part 23 submission criteria. A record may be validated at any time during its retention period; however, simply updating the identifying information about the subject during the retention period is not enough, by itself, to indicate the subject is still reasonably suspected of involvement in current criminal activity.
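The sample dissemination levels from question 15, the audit-trail fields from question 20, and the five-year retention rule from question 21 can be enforced together in software. The Python below is an added example, not code from the regulation or from any project named on this page; the class and function names, the sample records, and the choices to treat an overdue record as absent and to log name-only releases are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum

class Sensitivity(Enum):
    OPEN = "Open"
    AGENCY_NAME_ONLY = "Release Agency Name Only"
    RESTRICTED = "Restricted"

@dataclass
class IntelRecord:
    name: str
    controlling_agency: str
    agency_contact: str
    sensitivity: Sensitivity
    content: str
    validated_on: date  # submission date or last review-and-validation date

@dataclass(frozen=True)
class AuditEntry:  # the four audit-trail fields listed in question 20
    record_name: str
    date_disseminated: date
    recipient: str
    reason: str

def retention_deadline(start: date) -> date:
    """Latest purge date: five years (the maximum) after submission/validation."""
    try:
        return start.replace(year=start.year + 5)
    except ValueError:  # start was 29 February
        return start.replace(year=start.year + 5, day=28)

def purge_expired(records, today):
    """Keep only records still inside their retention period."""
    return [r for r in records if today <= retention_deadline(r.validated_on)]

def validate(record, still_reasonably_suspected, today):
    """Restart the retention period only if reasonable suspicion still holds."""
    if still_reasonably_suspected:
        record.validated_on = today
    return still_reasonably_suspected

def respond_to_hit(record, recipient, reason, today, audit_trail, notifications):
    """Return what the inquirer may see for a hit, or None for no visible hit."""
    if not reason.strip():
        raise ValueError("a reason for release is required for the audit trail")
    if today > retention_deadline(record.validated_on):
        return None  # overdue for purge: treated as absent (assumption)
    if record.sensitivity is Sensitivity.RESTRICTED:
        # No file and no indication of a hit; the controlling agency is told.
        notifications.append((record.controlling_agency, record.name, recipient))
        return None
    if record.sensitivity is Sensitivity.AGENCY_NAME_ONLY:
        released = {"agency": record.controlling_agency,
                    "contact": record.agency_contact}
    else:
        released = {"record": record.name, "content": record.content,
                    "agency": record.controlling_agency}
    # Logging name-only releases as well is a choice made by this example.
    audit_trail.append(AuditEntry(record.name, today, recipient, reason))
    return released

def demo():
    """Constructed sample records; all names and values are invented."""
    today = date(2024, 6, 1)
    records = [
        IntelRecord("REC-A", "Agency 1", "555-0100", Sensitivity.OPEN,
                    "constructed file text", date(2022, 1, 10)),
        IntelRecord("REC-B", "Agency 2", "555-0101", Sensitivity.RESTRICTED,
                    "constructed file text", date(2023, 3, 5)),
        IntelRecord("REC-C", "Agency 3", "555-0102", Sensitivity.OPEN,
                    "constructed file text", date(2019, 5, 31)),  # past five years
    ]
    trail, notes = [], []
    seen = [respond_to_hit(r, "Det. Example", "case inquiry", today, trail, notes) for r in records]
    return seen, trail, notes, purge_expired(records, today)
```

The audit trail is what lets a project notify earlier recipients if a file later proves invalid, so the entry is written in the same call that releases the information.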
22. Can prison inmates and registered sex offenders be submitted to and maintained in a criminal intelligence database based on their status as a convicted criminal or a registered sex offender?
No. The mere fact that an individual is currently in prison or is a registered sex offender is not sufficient to meet the requirement of reasonable suspicion (specifically definable criminal activity or conduct). However, an existing submission on an individual who is now an inmate or a registered sex offender can be validated if there continues to be reasonable suspicion of current criminal activity. The submitting agency/officer would need to possess sufficient information that an inmate or sex offender is currently involved in some definable criminal activity in order to meet the threshold requirement of reasonable suspicion to validate an existing record, thereby extending its retention period and maintenance in a criminal intelligence database. Such information, for example, might come from prison records that an inmate continues to be engaged in criminal activity while inside the correctional facility.
23. Are there specific requirements in the regulation relating to system security?
Yes. There are six major requirements:
When appropriate, a project must adopt effective and technologically advanced computer software and hardware designs to prevent unauthorized access to the information contained in the system.
The project must restrict access to its facilities, operating environment, and documentation to organizations and personnel authorized by the project.
The project must store information in the system in such a manner that it cannot be modified, destroyed, accessed, or purged without authorization.
The project must institute procedures to protect criminal intelligence information from unauthorized access, theft, sabotage, fire, flood, or other natural or man-made disasters.
The project must promulgate rules and regulations based on good cause for implementing its authority to screen, reject for employment, transfer, or remove personnel authorized to have direct access to the system.
A project may authorize and utilize remote (off-premises) system databases to the extent that they comply with these security requirements.
The manner in which an agency responds and the provisions it employs to address these requirements are a matter of agency policy.