memorandum of understanding south bay information sharing ... · memorandum of understanding south...

Memorandum of UnderstandingSouth Bay Information Sharing System (SBISS)

SOUTH BAY REGION NODE

This Memorandum of Understanding ("MOU") is made and entered into on this __day of 2009 by and between the parties below and all future signers ofthis Agreement, known collectively as "Member Agencies" or individually as a "MemberAgency."

The following Member Agencies hereby create the South Bay Information SharingSystem (SBISS) SOUTH BAY REGION NODE (Node): The following agencies arecollectively known as the "Original Member Agencies."

Santa Clara County:

• Campbell Police Department

• Gilroy Police Department

• Los Altos Police Department

• Los Gatos-Monte Sereno PoliceDepartment

• Milpitas Police Department

• Morgan Hill Police Department

• Mountain View PoliceDepartment

Santa Cruz County:

• Capitola Police Department

• Santa Cruz Police Department

Monterey County:

• Carmel Police Department

• Del Rey Oaks Police Department

• Gonzales Police Department

• Greenfield Police Department

• King City Police Department

• Marina Police Department

• Monterey Police Department

• Palo Alto Police Department

• San Jose Police Department

• Santa Clara County Sheriff's Office

• Santa Clara Police Department

• Sunnyvale Department of PublicSafety

• Santa Cruz County Sheriff's Office

• Watsonville Police Department

• Monterey County Sheriff's Office

• Pacific Grove Police Department

• Salinas Police Department

• Sand City Police Department

• Seaside Police Department

• Soledad Police Department

DRAFT--Contact the Office of the City Clerk at (408) 535-1260 or [email protected] for final document.

San Benito Clara County:

• Hollister Police Department • San Benito County SheriffsOffice

This regional law enforcement information-sharing system shall be known as theSBISS South Bay Region Node. The purpose of this agreement is to create theSouth Bay Region Node, to outline the duties and responsibilities of eachMember Agency, to define the working relationships and lines of authority forMember Agencies in the SBISS South Bay Region Node, and to provide for theaddition of other eligible entities in the data-sharing p~ogram created by thisMOU. Member Agencies shall work cooperatively to establish an integratedsystem of information technology that maximizes the sharing of data andcommunication between the Member Agencies while maintaining theconfidentiality of privileged or otherwise protected information shared through thesystem. The Member Agencies shall work cooperatively in a variety of ways tofacilitate sharing data in an effort to improve the information sharing efforts oftheir respective Agency and Node.

Santa Clara County Police Chiefs and Sheriff, through a grant from the Office ofHomeland Security, have identified the Cities, Counties, and other Agencieswithin Santa Clara, Santa Cruz, Monterey, and San Benito Counties, includingany departments or divisions of such agencies, that should enter into anagreement to share data among such agencies.

1.1 South Bay Information Sharing System: "SBISS" shall mean thecollective group of law enforcement and justice agencies, withinSanta Clara, Santa Cruz, Monterey, and San Benito Countieswho are signatories on a regional law enforcement information-sharing agreement.

1.2 South Bay Region Node: "Node" shall mean the collectiveinformational infrastructure of the data warehouse operated forthe benefit of the Member Agencies, within the central region ofSBISS bound by the terms of this Agreement.

1.3 South Bay Region Node Board of Directors: "Board" shall meanthe Board of Directors which is the governing body of the SouthBay Information Sharing System.


1.4 COPLlNK: shall mean the information sharing and analysissoftware licensed to the Fiscal Agent on behalf of MemberAgencies by Knowledge Computing Corporation (KCC) under thename COPLINK.

1.5 Criminal Justice Practitioners: those personnel from the MemberAgencies that have the appropriate clearance and authority toutilize and access the Data as a function of their employment, orthose agencies that have been approved for read onlyparticipation by a majority vote of the Board Members.

1.6 Data: shall mean facts, detailed information, or other materialprovided by a Member Agency.

1.7 Data Set is a specific grouping of data included in systems likerecords management or jail management systems. For example,typical data sets within a records management system include,but are not limited to, Crime Reports, Field Investigations,Citations, Mug shots, and Arrest Reports.

1.8 Data Records refers to a unique record associated with anincident or person. For example, this refers to a single report thatincludes a variety of data.

1.9 Fiscal Agent: shall mean the Santa Clara County Office of theSheriff as approved and directed by the Urban Areas SecurityInitiative (UASI) to handle and account for funds collected for thebenefit of all Member Agencies.

1.10 Host: shall mean the Santa Clara County Office of the Sheriff asthe entity providing the facilities used to host the Node asdetermined by the Urban Areas Security Initiative (UASI).

1.11 Knowledge Computing Corporation: "Kee" shall mean acorporation with its principal place of business at 6601 E. GrantRoad, Suite 201, Tucson, Arizona 85615, and the owner anddeveloper of the software known as COPLINK.

2.1 Effective Date: The effective date of this MOU is the date notedabove and/or the date each subsequent agency executes thisAgreement.


2.2 Term: This MOU shall remain in effect and shall be reviewed andrenewed every three years. It can only be terminated as providedherein.

3.1 The South Bay Region Node Board of Directors: shall becomprised of eleven (11) Directors and their respective alternates.Alternates shall serve as Directors in the absence of theirrespective Directors and shall exercise all rights and privilegesthereof.

3.1.1.1 One Director shall be the Santa Clara CountySheriff.

3.1.1.2 One Director shall be the Chief of the San JosePolice Department.

3.1.1.3 One Director shall be appointed by the SantaClara County Police Chiefs Association from itsmembership.

3.1.1.4 One Director shall be the Santa Cruz CountySheriff.

3.1.1.5 One Director shall be the Chief of the Santa CruzPolice Department.

3.1.1.6 One Director shall be appointed by the SantaCruz County Police Chiefs Association from itsmembership.

3.1.1.7 One Director shall be the Monterey CountySheriff.

3.1.1.8 One Director shall be the Chief of the SalinasPolice Department.

3.1.1.9 One Director shall be appointed by the MontereyCounty Police Chiefs Association from itsmembership.

3.1.1.10 One Director shall be the San Benito CountySheriff.

3.1.1.11 One Director shall be the Chief of the HollisterPolice Department.

3.1.2 Each member of the Board shall have one vote. Amajority of the members of the entire Board shallconstitute a quorum for the transaction of business.Except where a supermajority is required by statute, thisMOU or a resolution of the Board, actions by the Board


shall require the affirmative vote of a majority of the entireBoard (Le. six (6) affirmative votes).

3.1.3 Every year the Board shall elect a Chair from among itsmembership to preside at meetings and shall select aSecretary who may, but need not, be one of the elevenDirectors.

3.1.4 The Board shall establish and adopt bylaws and agovernance process and will set policy for the use of theSBISS South Bay Region Node.

3.1.5 Meetings: The Board shall hold at least two regularmeetings each year and may schedule additional orspecial meetings as necessary.

4.1 South Bay Region Node Technology Committee: The Board ofDirectors shall appoint a representative from each MemberAgency to serve on the Technology Committee. The TechnologyCommittee Members will serve at the sole discretion of the Boardof Directors. The Technology Committee will develop policiesrelating to data set information sharing. The TechnologyCommittee will meet at least once per year to address systemoperations, upgrades, enhancements and any other matters ofconcern to Member Agencies.

4.2 South Bay Region Node Working Groups: The Board isempowered to create, dissolve, or reconstitute working groups,appoint representatives, and perform other actions as deemednecessary to fulfill the purposes stated herein, including thecreation of such groups as an implementation, sustainment orother groups necessary to further law enforcement informationsharing efforts.

5.1 Data Access: Access to Member Agencies' Data will be providedutilizing a secure network maintained by the Host Node. TheSanta Clara County Sheriff's Office will be responsible for themaintenance and care of the secure network. Query capabilitiesshall be provided to Member Agencies and Authorized Usersutilizing any secure network configuration that is acceptable to the


Host Node. The information residing in the Data Repositoriesshall generally be available. Member Agencies agree to informother Member Agencies in advance, whenever possible, ofscheduled down times of specific data feeds. All MemberAgencies will be required to sign the Coplink System UseAgreement prior to gaining access.

5.2 Data Sharing: All Member Agencies agree to share data withother Member Agencies who have a need to know and a right toknow, with comprehensive, timely, accurate information about asuspect or offender to include, but not limited to, identity, prioragency contacts, citations, arrests, investigations, criminal history,and current justice status. Each agency will be required to haveeach employee sign an Employee Statement form agreeing not tomisuse the information contained in Cop link. Each agency willhave the prerogative of not sharing those items of data that itdeems sensitive or confidential. Nothing in this MOU shall beconstrued to mean that any Member Agency must share any typeof data. The South Bay Region Node Technology Committee willdevelop a Guideline Document that will make a recommendationfor the type of data to be shared by each agency. This documentwill be a guideline only and will not be binding. The data to beshared, will be the data that the Member Agency already has in itsown database and no agency will be required to collect any datathat it does not collect in the normal course of business.

The South Bay Region Node Technology Committee will set thecriteria for the minimum number of data sets (Le. Crime Reports,Citations, Field Investigations, Mugs, Arrests Reports, etc.) thatmember agencies must provide to be a member agency. Inaddition, the Technology Committee will adopt guidelines foragencies to withhold or suppress certain documents based onspecific criteria. Based on these guidelines, each MemberAgency shall determine, in the exercise of its sole discretion,which data records are shared within the system and shallmaintain the databases to share the information that has beenagreed upon in advance. Each Agency shall strive to identify andachieve common interests to enhance public safety and dueprocess while maintaining individual privacy rights.

5.3 Security Requirements: Member Agencies agree to maintain andenforce security requirements for the system. Each MemberAgency is responsible for the internal agency security of theirrecords and any technical support necessary to insure propersecurity. Member Agencies agree to confirm that their network


meets current DOJ security requirements as set forth in the mostcurrent Policies, Practices and Procedures Document provided bythe Department of Justice, and that it will continue to meet thosestandards.

5.3.1 Liability and Indemnification: Each Member Agency takeslegal and financial responsibility for the actions of theiremployees, officers, agents, representatives and volunteers.Member Agencies agree to indemnify, defend and holdharmless other Member Agencies to the fullest extentpermitted by law from and against any and all demands,claims, actions, liabilities, losses, damages, and costs,including reasonable attorney's fees arising out of orresulting from this MOU, and that each agency shall bear theproportionate cost of any damage attributable to the fault ofthat agency, its governing body, officers, agents, employeesand volunteers. It is the intention of the Member Agenciesthat, where fault is determined to have been contributory,principles of comparative fault will be followed.

5.3.2 Background and Fingerprint Requirements: All personsincluding non-criminal justice and volunteer personnel whohave access to the SBISS South Bay Region Node arerequired to undergo background and fingerprint check. EachAgency will determine, based on their internal policies andthe CLETS Policies, Practices, and Procedures, whenSBISS access will not be granted to an employee. The finalresponsibility for maintaining the security and confidentialityof SBISS information rests with the Member Agency head oradministrator.

5.3.3 User Access: Each employee/volunteer is required to signan employee statement form prior to operating or havingSBISS access. Each employee/volunteer shall sign anemployee statement on a biennial basis. Additionalrequirements may be required at the discretion of anagency. A sample form is included as Exhibit A, herein.

When a person with access to SBISS is no longer employedor no longer accessing SBISS on behalf of the MemberAgency, the Agency is responsible for removing all relatedpasswords and security authorizations from the system.

No person with access to SBISS shall release anyinformation or records located in SBISS without expresspermission of the Original Agency who provided the data.


No person with access to SBISS shall release anyinformation contained in SBISS either by Court Order or inresponse to a Public Records Act request unless they arethe originating agency of such data. All requests of thisnature should be referred back to the originating agency.

5.3.4 Insurance: Each Member Agency, at its sole cost andexpense, shall carry insurance -or self-insure - its activities inconnection with this MOU, and obtain, keep in force andmaintain, insurance or equivalent programs of self-insurance, for general liability, workers compensation, andbusiness automobile liability adequate to cover its potentialliabilities hereunder.

5.4 Connecting with other COPLINK Nodes: The Board willcontinually work to expand the connectivity of the SBISS SouthBay Region Node and will actively pursue opportunities to signMOU agreements with other COPLINK nodes under theguidelines outlined in this agreement.

5.5 SBISS Node Cooperation: Participating agencies understand thatthe South Bay Region Node Board of Directors will sign MOUagreements with other Coplink nodes for the purpose ofexpanding the Coplink network.

6.1 Ownership and Release Constraints: Member Agencies shallretain control of and remain the official custodian of all informationthey contribute to the South Bay Region Node. All requests forinformation, California Public Records Act or Freedom ofInformation Act, will be referred to the Member Agency that is theowner of the requested data, and the Member Agency that is theowner of the requested data will be responsible for responding tothe request for information.

6.2 Information Utilization: Any Data present in the COPLINK systemis the proprietary information of the Member Agency contributingthat Data. Each Member Agency has an affirmative obligation toassure that all Data complies with 28 CFR Part 23. 28 CFR Part23 is attached herein as Exhibit C. Member Agencies andAuthorized Users may use the Data for Law Enforcementpurposes only. The Member Agency responsible for contributingthe Data shall have sole discretion regarding release of thatinformation.


6.3 Information Accuracy: Member Agencies and Authorized Usersacknowledge that Data maintained in the South Bay Region Nodeconsists of information that mayor may not be accurate. EachMember Agency agrees to do an internal audit of their own Dataannually in order to review the Data for accuracy. A randomsampling of different types of Data shall be selected by eachagency to review and compare their Records System Data withthe same data in the Coplink system. Each Member Agencyagrees to maintain a copy of their internal audit form for a periodof no less than three years for review by the Board of Directors onrequest. A sample form is attached herein as Exhibit B and canbe used to help facilitate this audit.

6.4 Audit Trail: An Audit Trail will be maintained for a period of no lessthan three years to determine who has accessed the dataincluding the date and time when the data was accessed.

6.5 Data Errors: It will be the responsibility of the Member Agency tocorrect data errors that have been identified at that Member's solecost within a reasonable time, but no later than ninety-days (90)from the date of notification.

7.1 Node Costs: Costs for the creation, initial three (3) years ofmaintenance and the expansion of the Node shall be paid for asset forth in the SBISS South Bay Region Node Share of CostAgreement included herein (Attachment A) and as may beamended from time to time.

7.2 Payment Administration: The Fiscal Agent shall administerpayments to vendors and invoice Member Agencies for theirshare of cost.

7.3 Financial Responsibility: Initially, the hardware and softwarerequired at each Node will be paid for with Grant funding. If anyagency elects to join after the initial start-up of the Node, that newMember Agency is responsible for the expense of acquiring andmaintaining the hardware, software, and data communicationequipment and services needed by their Agency to connect to theNode. It is understood that as the system ages, there may becertain upgrades or maintenance required on the hardware ateach of the Member Agencies. These upgrades or requiredmaintenance will be the sole responsibility of the Member Agency.


Nothing included in this MOU requires any Agency to fund theactivities of any other Member Agency. Future upgrades to theServers and Core Infrastructure of the System will be sharedbetween Member Agencies as indicated in the SBISS South BayRegion Node Share of Cost Agreement. In the event thathardware or software upgrades are required to facilitate theproper functioning of the system, the Board of Directors will notifythe Member Agency in writing at least ninety (90) days inadvance of the funding requirement.

7.4 Grant Funding: Grant funding provided by the California Office ofHomeland Security will be used to offset the start-up costs for theNode. The primary use of these funds will focus on infrastructureand paying for data integration fees for the Original MemberAgencies. The Fiscal Agent will manage all aspects of paymentand reporting for grant funding.

7.5 Future Grant Funding: Member Agencies that apply individuallyfor grant funding for this system should notify the South BayRegion Node Board of Directors to avoid duplicative efforts andrequests for funding. Any grant funding which may result fromsuch applications will be considered to be outside of this MOU.The Member Agencies may choose to apply jointly for grantfunding and upon the written agreement of the Member Agencies;such monies shall fall under the jurisdiction of this MOU.

7.6 Member Agency Employees: Employees of a MemberAgencyworking for the benefit of the Node remain the employees of thatMember Agency.

8.1 Addition of new Member Agencies: If additional agencies chooseto become Member Agencies after this MOU is executed, thisAgreement shall be amended to include those agencies assignatories.

8.2 This MOU may be modified by presentation of the proposedchanges and an affirmative majority vote of the Board.

8.3 All approved amendments must be in writing and approved by theBoard.


9.1 MOU Termination: This MOU may be terminated by mutualagreement of all Member Agencies.

9.2 Member Agency Termination: Any Member Agency mayterminate its participation in this MOU with or without cause uponthirty-day (30) prior written notice to the Board, unless suchtermination is prohibited by a grant condition or unless theMember Agency is a Host Node. If the Member Agency wishes toremove Data from the Node after terminating its participation, thatMember Agency will be responsible for any costs associated withremoving their Data from the Node.

Other Termination: The Board may exercise its authority to terminate therelationships established under this MOU if the majority members of theBoard determine that a Member Agency is not complying with the termsand conditions of this MOU, the Cost Sharing Agreement (Attachment A);and/or the System Use Policy (Attachment B), .

10.1 This MOU is intended to provide for a strategic plan to promotedata sharing and should be amended as necessary to accomplishthe goal of fully integrating the Member Agencies, future agenciesand potential future data sources.


ATTACHMENT ASHARE OF COST AGREEMENT

South Bay Information Sharing System (sBlss)SOUTH BAY REGION NODE

Purpose and BackgroundThe Santa Clara County Sheriffs Office and Member Agencies agree to theterms and conditions set forth in the South Bay Information Sharing System(SBISS). SBISS is overseen by the South Bay Information Sharing SystemBoard of Directors. Agencies enter into this cost sharing agreement to participatein the information-sharing system known as COPLINK via the South Bay RegionNode. This agreement outlines the financial working relationship and cost-sharing contract for South Bay Region Node member agencies.

1.1 South Bay Information Sharing System (sBlss) is the name ofthe information sharing system node hosted by the Santa ClaraCounty Office of the Sheriff.

1.2 South Bay Information Sharing System (sBlss) Board ofDirectors is the governing body of the South Bay InformationSharing System.

1.3 Data shall mean electronic facts, detailed information, or othermaterial provided by a Member Agency.

1.4 Data Repository shall mean the computer equipment used tostore, connect and disseminate COPLINK information to MemberAgencies.

1.5 The Santa Clara County Office of the Sheriff is the fiscal agentfor the South Bay Region Node of SBISS and will handle andaccount for funds collected by the Node for the benefit of allMember Agencies.

1.6 South Bay Region Node shall mean the collective signatory lawenforcement and justice agencies, within Santa Clara, Santa Cruz,Monterey, and San Benito Counties who have agreed to workwithin the parameters of this Agreement.


1.7 South Bay Region Node is the collective group of agencies thathave entered into a MOU agreement to participate in the SBISSSouth Bay Region Node for law enforcement information-sharing.

1.8 Member Agency shall mean law enforcement agenciescontributing data to the South Bay Region Node SBISS andallowed access to data of other member agencies and otherCOPLINK nodes.

1.9 Knowledge Computing Corporation (KCC) shall mean acorporation with its principal place of business at 6601 E. GrantRoad, Suite 201, Tucson, Arizona 85615, and the owner anddeveloper of COPLINK.

1.10 COPLINK shall mean the information sharing and analysis softwarelicensed to the member agencies by KCC under the nameCOPLINK.

2.1 To participate in the South Bay Region Node, Member Agenciesagree to share costs based on their system and service usage andthat until sufficient data is available regarding member usage,member population is an acceptable guideline for determining initialusage.

2.2 To participate in the South Bay Region Node, Member Agenciesagree to contribute data from their Records Management System(RMS) as defined by the South Bay Region Node TechnologyCommittee.

2.3 To participate in the South Bay Region Node, Member Agenciesagree to continue participation for three (3) years after the initialGrant Funding is exhausted in 2011.

3.1 Node Costs: After the initial Grant Funding is exhausted in 2011,Member Agencies shall pay a proportional share of softwarepurchase costs, software maintenance, implementation, network,hardware, and operational costs, as approved by the South BayRegion Node as approved by the SBISS Board of Directors.


3.2 Annual Budget Each year the Santa Clara County Office of theSheriff shall prepare an annual budget for approval by the Board ofDirectors that identifies the expenses each Member Agency will berequired to contribute for the year.

3.3 Annual Report At least once a year the Santa Clara County Officeof the Sheriff shall report to the SBISS Board of Directors on allfunds collected and expended by the South Bay Region Node insupport of the COPLINK project.

3.4 Payment Administration The Santa Clara County Office of theSheriff shall administer payments to all vendors and invoiceMember Agencies for their share of this cost.

3.5 Financial Responsibility The Santa Clara County Office of theSheriff will be responsible for paying for the expenses associatedwith connecting to the SBISS Node data repository, which mayinclude acquiring hardware, software, data communicationequipment and/or other required services. For any expensesincurred before 2011, the Santa Clara County Sheriff's Office willuse the funds received from the the 2008 grant awarded by theOffice of Homeland Security. After 2011, the Member Agenciesshall be responsible for paying for those costs related tomaintenance and upgrades to the system. No Member Agencyshall be responsible for funding the activities of any other MemberAgency.

4.1 Homeland Security Grant Program: The 2008 grant from theOffice of Homeland Security will pay for the necessary hardwareinfrastructure for the South Bay Region Node, 100% of the dataintegration costs for each Member Agency, the enterprise softwarelicense fee, and three years of maintenance. The following chartoutlines the initial and ongoing maintenance costs for MemberAgencies to participate in the SBISS Node including thoseexpenses not covered by the grant. These maintenance costs aresubject to review and additional assessment by the SBISS SouthBay Regional Node Board of Directors.


.":.' ..... :.:.',.

Total annualmaintenance all

"/: .,"--~

$102,981.43


-'

Total Software &Integration AnnualCosts - All Counties


4.2 Agency annual maintenance costs for items not covered by thegrant will begin in 2010 with the full cost allocation applied in 2012.Each year the fiscal agent will invoice each Member Agency for themaintenance costs. The member Agency shall pay the annualpayment within 30 days of receipt. If payment or paymentarrangements have not been agreed to by the payment due date,services will be terminated.

4.3 Each Member shall pay a share of the Annual Maintenance Costsbased on the principle that Members shall share the systemsmaintenance costs based on the system and service usage andthat until sufficient data is available regarding Member usage,Member population is an acceptable guideline for determiningusage.

Member Agency population is based on the 2008 U. S. Census.

Cost allocations for each police department and Sheriffs Office willreflect the 2008 U. S. Census data with the exception that LosGatos-Monte Sereno Police Department will be assessed thecombined population allocations for the City of Los Gatos and theCity of Monte Sereno and the assessment for the Santa ClaraCounty Office of the Sheriff will be the combined populationallocations for the unincorporated Santa Clara County, the City ofCupertino, the City of Saratoga, and the City of Los Altos Hills.

4.4 In the event of a violation of the terms and conditions of the CostShare Agreement, the Board will be responsible for analyzing anyviolation of the Agreement and will determine what action, if anyshall be taken against the Member Agency for said violation.

The parties hereto execute this MOU as of the Effective Date.11/


Santa Clara County Agencies:

City of Campbell

Daniel RichCity ManagerCity of Campbell

Greg FinchChief of PoliceCity of Campbell

Thomas J. HaglundCity ManagerCity of Gilroy

Denise J. TurnerChief of PoliceCity of Gilroy


City of Los Altos

Douglas J. SchmitzCity ManagerCity of Los Altos

Tuck YounisPolice ChiefCity of Los Altos

Town of Los Gatos

Greg LarsonTown ManagerTown of Los Gatos

Scott SeamanPolice ChiefTown of Los Gatos


City of Milpitas

Thomas C. WilliamsCity ManagerCity of Milpitas

Dennis GrahamPolice ChiefCity of Milpitas

City of Morgan Hill

J. Edward TewesCity ManagerCity of Morgan Hill

Bruce C. CummingPolice ChiefCity of Morgan Hill


City of Mountain View

Kevin C. DugganCity ManagerCity of Mountain View

Scott S.G. VermeerPolice ChiefCity of Mountain View

City of Palo Alto

Jim KeeneCity ManagerCity of Palo Alto

Dennis BurnsPolice ChiefCity of Palo Alto


City of San Jose

Debra FigoneCity ManagerCity of San Jose

Rob DavisPolice ChiefCity of San Jose

City of Santa Clara

Jennifer SparacinoCity ManagerCity of Santa Clara

Stephen D. LodgePolice ChiefCity of Santa Clara


County of Santa Clara

Jeffrey Smith M.D.County ExecutiveCounty of Santa Clara

Laurie SmithSheriffCounty of Santa Clara

City of Sunnyvale

Gary LuebbersCity ManagerCity of Sunnyvale

Don JohnsonDirector of Public SafetyCity of Sunnyvale


Santa Cruz County Agencies:

City of Capitola

Richard HillCity ManagerCity of Capitola

Richard Ehle, JrChief of PoliceCity of Capitola

Richard C. WilsonCity ManagerCity of Santa Cruz

Howard SkerryChief of PoliceCity of Santa Cruz


Susan A. MaurielloCounty Administrative OfficerCounty of Santa Cruz

PhilWowakSheriff-CoronerCounty of Santa Cruz

City of Watsonville

Carlos PalaciosCity ManagerCity of Watsonville

Terry MedinaPolice ChiefCity of Watsonville


Monterey County Agencies:

City of Carmel

Rich GuillenCity AdministratorCity of Carmel

George RawsonPublic Safety DirectorCity of Carmel

City of Del Rey Oaks

Daniel LawsonCity ManagerCity of Del Rey Oaks

Ronald J. LangfordChief of PoliceCity of Del Rey Oaks


City of Gonzales

Rene MendezCity ManagerCity of Gonzales

Paul D. MillerPolice ChiefCity of Gonzales

City of Greenfield

Roger WongCity ManagerCity of Greenfield

Joseph GrebmeierPolice ChiefCity of Greenfield


City of King City

Michael PowersCity ManagerCity of King City

Nick BaldiviezPolice ChiefCity of King City

Anthony J. AltfeldCity ManagerCity of Marina

Edmundo RodriquezChief of PoliceCity of Marina


Fred MeurerCity ManagerCity of Monterey

Timothy ShelbyChief of PoliceCity of Monterey

City of Pacific Grove

Jim ColangeloCity ManagerCity of Pacific Grove

Darius E. EnglesPolice ChiefCity of Pacific Grove


City of Salinas

Artie FieldsCity ManagerCity of Salinas

Louis FetherolfPolice ChiefCity of Salinas

City of Sand City

Steve MatarazzoCity AdministratorCity of Sand City

Michael KleinPolice ChiefCity of Sand City


City of Seaside

Ray CorpuzCity ManagerCity of Seaside

Stephen CerconePolice ChiefCity of Seaside

County of Monterey

Lew C. BaumanCounty Administrative OfficerCounty of Monterey

Mike KanalakisSheriffCounty of Monterey


Adela P. GonzalezCity ManagerCity of Soledad

Richard CoxChief of PoliceCity of Soledad

San Benito County Agencies:

City of Hollister

Clint QuilterCity ManagerCity of Hollisters

Jeff MillerPolice ChiefCity of Hollister


County of San Benito

Susan ThompsonCounty Administrative OfficerCounty of San Benito

Curtis J. HillSheriff-CoronerCounty of San Benito


As an employee/volunteer of____________________ " you may have access toconfidential records stored in the SBISS South Bay Information Sharing System.All access is based on the "need to know" and the "right to know." Misuse ofsuch information may adversely affect an individual's civil rights, and violates thelaw and/or SBISS policy.

Penal Code Section 502 prescribes the penalties relating to computercrimes. Penal Code Sections 11105 and 13300 identify who has access tocriminal history information and under what circumstances it may be released.Penal Code Sections 11141-11143 and 13302-13304 prescribe penalties formisuse of criminal history information. Government Code Section 6200prescribes the felony penalties for misuse of public records.

"Any person authorized by law to receive a record or information obtainedfrom a record who knowingly furnishes the record or information not authorizedby law to receive the record or information is guilty of a misdemeanor."

Any employee/volunteer who is responsible for SBISS misuse is subject toimmediate dismissal from employment. Violations of the law may result incriminal and/or civil action.

I HAVE READ THE ABOVE AND UNDERSTAND THE POLICYREGARDING MISUSE OF ALL SBISS ACCESSIBLE INFORMATION.


COPLINK

Date Time Data Data Verified inType Coplink?


28 CFR Part 23CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES

Executive Order 122911998 Policy Clarification

1993 Revision and Commentary

28 CFR Part 23

Executive Order 12291 These regulations are not a "major rule" as defined bysection 1(b) of Executive Order No. 12291,3 CFR part 127 (1981), because theydo not result in: (a) An effect on the economy of $100 million or more, (b) a majorincrease in any costs or prices, or (c) adverse effects on competition,employment, investment, productivity, or innovation among Americanenterprises. Regulatory Flexibility Act These regulations are not a rule within themeaning of the Regulatory Flexibility Act, 5 U.S.C. 601-612. These regulations, ifpromulgated, will not have a "significant" economic impact on a substantialnumber of small "entities," as defined by the Regulatory Flexibility Act.Paperwork Reduction Act There are no collection of information requirementscontained in the proposed regulation. List of Subjects in 28 CFR Part 23Administrative practice and procedure, Grant programs, Intelligence, LawEnforcement. For the reasons set out in the preamble, title 28, part 23 of theCode of Federal Regulations is revised to read as follows: PART 23-CRIMINALINTELLIGENCE SYSTEMS OPERATING POLICIES Sec. 23.1 Purpose. 23.2Background. 23.3 Applicability. 23.20 Operating principles. 23.30 Fundingguidelines. 23.40 Monitoring and auditing of grants for the funding of intelligencesystems. Authority: 42 U.S.C. 3782(a); 42 U.S.C. 3789g(c). § 23.1 Purpose. Thepurpose of this regulation is to assure that all criminal intelligence systemsoperating through support under the Omnibus Crime Control and Safe StreetsAct of 1968,42 U.S.C. 3711, et seq., as amended (Pub. L. 90-351, as amendedby Pub. L. 91-644, Pub. L. 93-83, Pub. L. 93-415, Pub. L. 94-430, Pub. L. 94-503, Pub. L. 95-115, Pub. L. 96-157, Pub. L. 98-473, Pub. L. 99-570, Pub. L.100-690, and Pub. L. 101-647), are utilized in conformance with the privacy andconstitutional rights of individuals. § 23.2 Background. It is recognized thatcertain criminal activities including but not limited to loan sharking, drugtrafficking, trafficking in stolen property, gambling, extortion, smuggling, bribery,and corruption of public officials often involve some degree of regularcoordination and permanent organization involving a large number of participantsover a broad geographical area. The exposure of such ongoing networks ofcriminal activity can be aided by the pooling of information about such activities.However, because the collection and exchange of intelligence data necessary tosupport control of serious criminal activity may represent potential threats to theprivacy of individuals to whom such data relates, policy guidelines for Federallyfunded projects are required. § 23.3 Applicability. (a) These policy standards are


applicable to all criminal intelligence systems operating through support underthe Omnibus Crime Control and Safe Streets Act of 1968, 42 U.S.C. 3711, etseq., as amended (Pub. L. 90-351, as amended by Pub. L. 91-644, Pub. L. 93-83, Pub. L. 93-415, Pub. L. 94-430, Pub. L. 94-503, Pub. L. 95-115, Pub. L. 96-157, Pub. L. 98-473, Pub. L. 99-570, Pub. L. 100-690, and Pub. L. 101-647). (b)As used in these policies: (1) Criminal Intelligence System or Intelligence Systemmeans the arrangements, equipment, facilities, and procedures used for thereceipt, storage, interagency exchange or dissemination, and analysis of criminalintelligence information; (2) Interjurisdictional Intelligence System

-2-means an intelligence system which involves two or more participating agenciesrepresenting different governmental units or jurisdictions; (3) Criminal IntelligenceInformation means data which has been evaluated to determine that it: (i) isrelevant to the identification of and the criminal activity engaged in by anindividual who or organization which is reasonably suspected of involvement incriminal activity, and (ii) meets criminal intelligence system submission criteria;(4) Participating Agency means an agency of local, county, State, Federal, orother governmental unit which exercises law enforcement or crimina.1investigation authority and which is authorized to submit and receive criminalintelligence information through an interjurisdictional intelligence system. Aparticipating agency may be a member or a nonmember of an interjurisdictionalintelligence system; (5) Intelligence Project or Project means the organizationalunit which operates an intelligence system on behalf of and for the benefit of asingle agency or the organization which operates an interjurisdictionalintelligence system on behalf of a group of participating agencies; and (6)Validation of Information means the procedures governing the periodic review ofcriminal intelligence information to assure its continuing compliance with systemsubmission criteria established by regulation or program policy. § 23.20Operating principles. (a) A project shall collect and maintain criminal intelligenceinformation concerning an individual only if there is reasonable suspicion that theindividual is involved in criminal conduct or activity and the information is relevantto that criminal conduct or activity. (b) A project shall not collect or maintaincriminal intelligence information about the political, religious or social views,associations, or activities of any individual or any group, association, corporation,business, partnership, or other organization unless such information directlyrelates to criminal conduct or activity and there is reasonable suspicion that thesubject of the information is or may be involved in criminal conduct or activity. (c)Reasonable Suspicion or Criminal Predicate is established when informationexists which establishes sufficient facts to give a trained law enforcement orcriminal investigative agency officer, investigator, or employee a basis to believethat there is a reasonable possibility that an individual or organization is involvedin a definable criminal activity or enterprise. In an interjurisdictional intelligencesystem, the project is responsible for establishing the existence of reasonablesuspicion of criminal activity either through examination of supporting informationsubmitted by a participating agency or by delegation of this responsibility to aproperly trained participating agency which is subject to routine inspection and


audit procedures established by the project. (d) A project shall not include in anycriminal intelligence system information which has been obtained in violation ofany applicable Federal, State, or local law or ordinance. In an interjurisdictionalintelligence system, the project is responsible for establishing that no informationis entered in violation of Federal, State, or local laws, either through examinationof supporting information submitted by a participating agency or by delegation ofthis responsibility to a properly trained participating agency which is subject toroutine inspection and audit procedures established by the project. (e) A projector authorized recipient shall disseminate criminal intelligence information onlywhere there is a need to know and a right to know the information in theperformance of a law enforcement activity. (f) (1) Except as noted in paragraph(f)(2) of this section, a project shall disseminate criminal intelligence informationonly to law enforcement authorities who shall agree to follow proceduresregarding information receipt, maintenance, security, and dissemination whichare consistent with these principles. (2) Paragraph (f)(1) of this section shall notlimit the dissemination of an assessment of c~iminal intelligence information to agovernment official or to any other individual, when necessary, to avoid imminentdanger to life or property. (g) A project maintaining criminal intelligenceinformation shall ensure that administrative, technical, and physical safeguards(including audit trails) are adopted to insure against unauthorized access andagainst intentional or unintentional damage. A record indicating who has beengiven information, the reason for release of the information, and the date of eachdissemination outside the project shall be kept. Information shall be labeled toindicate levels of sensitivity, levels of confidence, and the identity of submittingagencies and control officials. Each project must establish written definitions forthe need to know and right to know standards for dissemination to other agenciesas provided in paragraph (e) of this section. The project is responsible forestablishing the existence of an inquirer's need to know and right to" know theinformation being requested either through inquiry or by delegation of thisresponsibility to a properly trained

- 3-

participating agency which is subject to routine inspection and audit proceduresestablished by the project. Each intelligence project shall assure that thefollowing security requirements are implemented: (1) Where appropriate, projectsmust adopt effective and technologically advanced computer software andhardware designs to prevent unauthorized access to the information contained inthe system; (2) The project must restrict access to its facilities, operatingenvironment and documentation to organizations and personnel authorized bythe project; (3) The project must store information in the system in a mannersuch that it cannot be modified, destroyed, accessed, or purged withoutauthorization; (4) The project must institute procedures to protect criminalintelligence information from unauthorized access, theft, sabotage, fire, flood, orother natural or manmade disaster; (5) The project must promulgate rules andregulations based on good cause for implementing its authority to screen, .rejectfor employment, transfer, or remove personnel authorized to have direct accessto the system; and (6) A project may authorize and utilize remote (off-premises)


system data bases to the extent that they comply with these securityrequirements. (h) All projects shall adopt procedures to assure that allinformation which is retained by a project has relevancy and importance. Suchprocedures shall provide for the periodic review of information and thedestruction of any information which is misleading, obsolete or otherwiseunreliable and shall require that any recipient agencies be advised of suchchanges which involve errors or corrections. All information retained as a resultof this review must reflect the name of the reviewer, date of review andexplanation of decision to retain. Information retained in the system must bereviewed and validated for continuing compliance with system submission criteriabefore the expiration of its retention period, which in no event shall be longerthan five (5) years. (i) If funds awarded under the Act are used to support theoperation of an intelligence system, then: (1) No project shall make direct remoteterminal access to intelligence information available to system participants,except as specifically approved by the Office of Justice Programs (OJP) basedon a determination that the system has adequate policies and procedures inplace to insure that it is accessible only to authorized systems users; and (2) Aproject shall undertake no major modifications to system design without priorgrantor agency approval. 0) A project shall notify the grantor agency prior toinitiation of formal information exchange procedures with any Federal, State,regional, or other information systems not indicated in the grant documents asinitially approved at time of award. (k) A project shall make assurances that therewill be no purchase or use in the course of the project of any electronic,mechanical, or other device for surveillance purposes that is in violation of theprovisions of the Electronic Communications Privacy Act of 1986, Public Law 99-508, 18 U.S.C. 2510-2520, 2701-2709 and 3121-3125, or any applicable Statestatute related to wiretapping and surveillance. (I) A project shall makeassurances that there will be no harassment or interference with any lawfulpolitical activities as part of the intelligence operation. (m) A project shall adoptsanctions for unauthorized access, utilization, or disclosure of informationcontained in the system. (n) A participating agency of an interjurisdictionalintelligence system must maintain in its agency files information whichdocuments each submission to the system and supports compliance with projectentry criteria. Participating agency files supporting system submissions must bemade available for reasonable audit and inspection by project representatives.Project representatives will conduct participating agency inspection and audit insuch a manner so as to protect the confidentiality and sensitivity of participatingagency intelligence records.

-4-

(0) The Attorney General or designee may waive, in whole or in part, theapplicability of a particular requirement or requirements contained in this part withrespect to a criminal intelligence system, or for a class of submitters or users ofsuch system, upon a clear and convincing showing that such waiver wouldenhance the collection, maintenance or dissemination of information in thecriminal intelligence system, while ensuring that such system would not beutilized in violation of the privacy and constitutional rights of individuals or any


applicable state or federal law. § 23.30 Funding guidelines. The following fundingguidelines shall apply to all Crime Control Act funded discretionary assistanceawards and Bureau of Justice Assistance (BJA) formula grant programsubgrants, a purpose of which is to support the operation of an intelligencesystem. Intelligence systems shall only be funded where a grantee/subgranteeagrees to adhere to the principles set forth above and the project meets thefollowing criteria: (a) The proposed collection and exchange of criminalintelligence information has been coordinated with and will support ongoing orproposed investigatory or prosecutorial activities relating to specific areas ofcriminal activity. (b) The areas of criminal activity for which intelligenceinformation is to be utilized represent a significant and recognized threat to thepopulation and: (1) Are either undertaken for the purpose of seeking illegal poweror profits or pose a threat to the life and property of citizens; and (2) Involve asignificant degree of permanent criminal organization; or (3) Are not limited toone jurisdiction. (c) The head of a government agency or an individual withgeneral policy making authority who has been expressly delegated such controland supervision by the head of the agency will retain control and supervision ofinformation collection and dissemination for the criminal intelligence system. Thisofficial shall certify in writing that he or she takes full responsibility and will beaccountable for the information maintained by and disseminated from the systemand that the operation of the system will be in compliance with the principles setforth in § 23.20. (d) Where the system is an interjurisdictional criminal intelligencesystem, the governmental agency which exercises control and supervision overthe operation of the system shall require that the head of that agency or anindividual with general policymaking authority who has been expressly delegatedsuch control and supervision by the head of the agency: (1) assume officialresponsibility and accountability for actions taken in the name of the joint entity,and (2) certify in writing that the official takes full responsibility and will beaccountable for insuring that the information transmitted to the interjurisdictionalsystem or to participating agencies will be in compliance with the principles setforth in § 23.20. The principles set forth in § 23.20 shall be made part of the by-laws or operating procedures for that system. Each participating agency, as acondition of participation, must accept in writing those principles which governthe submission, maintenance and dissemination of information included as partof the interjurisdictional system. (e) Intelligence information will be collected,maintained and disseminated primarily for State and local law enforcementefforts, including efforts involving Federal participation. § 23.40 Monitoring andauditing of grants for the funding of intelligence systems. (a) Awards for thefunding of intelligence systems will receive specialized monitoring and auditiilaccordance with a plan designed to insure compliance with operating principlesas set forth in § 23.20. The plan shall be approved prior to award of funds.

- 5-(b) All such awards shall be subject to a special condition requiring compliancewith the principles set forth in § 23.20. (c) An annual notice will be published byOJP which will indicate the existence and the objective of all systems for the


continuing interjurisdictional exchange of criminal intelligence information whichare subject to the 28 CFR Part 23 Criminal Intelligence Systems Policies.

Laurie Robinson Acting Assistant Attorney General Office of Justice Programs(FR Doc. 93-22614 Filed 9-15-93; 8:45 am) Criminal Intelligence SharingSystems; Policy Clarification [Federal Register: December 30, 1998 (Volume 63,Number 250)] [Page 71752-71753] From the Federal Register Online via GPOAccess [wais.access.gpo.gov] DEPARTMENT OF JUSTICE 28 CFR Part 23[OJP(BJA)-1177B] RIN 1121-ZB40

-6-1993 Revision and Commentary

28 CFR Part 23 Final Revision to the Office of Justice Programs, CriminalIntelligence Systems Operating Policies

AGENCY: Office of Justice Programs, Justice.

ACTION: Final Rule SUMMARY: The regulation governing criminal intelligencesystems operating through support under Title I of the Omnibus Crime Controland Safe Streets Act of 1968, as amended, is being revised to update basicauthority citations and nomenclature, to clarify the applicability of the regulation,to define terms, and to modify a number of the regulation's operating policies andfunding guidelines. EFFECTIVE DATE: September 16, 1993 FOR FURTHERINFORMATION CONTACT: Paul Kendall, Esquire, General Counsel,Office ofJustice Programs, 633 Indiana Ave., NW., Suite 1245-E, Washington, DC 20531,Telephone (202) 307-6235. SUPPLEMENTARY INFORMATION: The rule whichthis rule supersedes had been in effect and unchanged since September 17,1980. A notice of proposed rulemaking for 28 CFR part 23, was published in theFederal Register on February 27, 1992, (57 FR 6691). The statutory authoritiesfor this regulation are section 801 (a) and section 812(c) of title I of the OmnibusCrime Control and Safe Streets Act of 1968, as amended, (the Act), 42 U.S.C.3782(a) and 3789g(c). 42 U.S.C. 3789g (c) and (d) provide as follows:Confidentiality of InformationSec. 812 ....

(c) All criminal intelligence systems operating through support under this titleshall collect, maintain, and disseminate criminal intelligence information inconformance with policy standards which are prescribed by the Office of JusticePrograms and which are written to assure that the funding and operation of thesesystems furthers the purpose of this title and to assure that such systems are notutilized in violation of the privacy and constitutional rights of individuals.

(d) Any person violating the provisions of this section, or of any rule, regulation,or order issued thereunder, shall be fined not to exceed $10,000, in addition toany other penalty imposed by law.

This statutory provision and its implementing regulation apply to intelligencesystems funded under title I of the Act, whether the system is operated by asingle law enforcement agency, is an interjurisdictional intelligence system, is


funded with discretionary grant funds, or is funded by a State with formula grantfunds awarded under the Act's Drug Control and System Improvement GrantProgram pursuant to part E, subpart 1 of the Act, 42 U.S.C. 3751-3759. Theneed for change to 28 CFR part 23 grew out of the program experience of theOffice of Justice Programs (OJP) and its component agency, the Bureau ofJustice Assistance (BJA), with the regulation and the changing and expandinglaw enforcement agency need to respond to criminal mobility, the National drugprogram, the increased complexity of criminal networks and conspiracies, andthe limited funding available to State and local law enforcement agencies. Inaddition, law enforcement's capability to perform intelligence data base andanalytical functions has been enhanced by technological advancements andsophisticated analytical techniques.

- 7-

28 CFR part 23 governs the basic requirements of the intelligence systemprocess. The process includes:

1. Information submission or collection 2. Secure storage 3. Inquiry and searchcapability 4. Controlled dissemination 5. Purge and review process

Information systems that receive, store and disseminate information onindividuals or organizations based on reasonable suspicion of their involvementin criminal activity are criminal intelligence systems under the regulation. Thedefinition includes both systems that store detailed intelligence or investigativeinformation on the suspected criminal activities of subjects and those which storeonly information designed to identify individuals or organizations that are thesubject of an inquiry or analysis (a so-called "pointer system"). It does not includecriminal history record information or identification (fingerprint) systems. Thereare nine significant areas of change to the regulation:

(1) Nomenclature changes (authority citations, organizational names) areincluded to bring the regulation up to date.

(2) Definitions of terms (28 CFR 23.3(b» are modified or added as appropriate.The term "intelligence system" is redefined to clarify the fact that historicaltelephone toll files, analytical information, and work products that are not eitherretained, stored, or exchanged and criminal history record information oridentification (fingerprint) systems are excluded from the definition, and henceare not covered by the regulation; the terms "interjurisdictional intelligencesystem", "criminal intelligence information", "participating agency", "intelligenceproject", and "validation of information" are key terms that are defined in theregulation for the first time.

(3) The operating principles for intelligence systems (28 CFR 23.20) are modifiedto define the term "reasonable suspicion" or "criminal predicate". The finding ofreasonable suspicion is a threshold requirement for entering intelligenceinformation on an individual or organization into an intelligence data base (28CFR 23.20(c». This determination, as well as determinations that informationwas legally obtained (28 CFR 23.20(d» and that a recipient of the informationhas a need to know and a right to know the information in the performance of a


law enforcement function (28 CFR 23.20(e», are established as the responsibilityof the project for an interjurisdictional intelligence system. However, theregulation permits these responsibilities to be delegated to a properly trainedparticipating agency which is subject to project inspection and audit (28 CFR23.20(c),(d),(g».

(4) Security requirements are established to protect the integrity of theintelligence data base and the information stored in the data base (28 CFR23.20(g)(1 )(i)-(vi».

(5) The regulation provides that information retained in the system must bereviewed and validated for continuing compliance with system submission criteriawithin a 5-year retention period. Any information not validated within that periodmust be purged from the system (28 CFR 23.20(h».

(6) Another change continues the general prohibition of direct remote terminalaccess to intelligence information in a funded intelligence system but provides anexception for systems which obtain express OJP approval based on adetermination that the system has adequate policies and procedures in place toinsure that access to system intelligence information is limited to authorizedsystem users (28 CFR 23.20(i)(1». OJP will carefully review all requests forexception to assure that a need exists and that system integrity will be providedand maintained (28 CFR 23.20(i)(1» .

. (7) The regulation requires participating agencies to maintain back-up files forinformation submitted to an interjurisdictional intelligence system and provide forinspection and audit by project staff (28 CFR 23.20(h».

(8) The final rule also includes a provision allowing the Attorney General or theAttorney General's designee to authorize a departure from the specificrequirements of this part, in those cases where it is clearly shown that suchwaiver would promote the purposes and effectiveness of a criminal intelligencesystem while at the same time ensuring compliance with all applicable laws andprotection for the privacy and constitutional

- 8-

rights of individuals. The Department recognizes that other provisions of federallaw may be applicable to (or may be adopted in the future with respect to) certainsubmitters or users of information in criminal intelligence systems. Moreover, astechnological developments unfold over time in this area, experience may showthat particular aspects of the requirements in this part may no longer be neededto serve their intended purpose or may even prevent desirable technologicaladvances. Accordingly, this provision grants the flexibility to make such beneficialadaptations in particular cases or classes without the necessity to undertake anew rulemaking process. This waiver authority could only be exercised by theAttorney General or designee, in writing, upon a clear and convincing showing(28 CFR 23.20 (0».

(9) The funding guidelines (28 CFR 23.30) are revised to permit fundedintelligence systems to collect information either on organized criminal activitythat represents a significant and recognized threat to the population or on


criminal activity that is multi-jurisdictional in nature. Rulemaking History OnFebruary 27, 1992, the Department of Justice, Office of Justice Programs,published a notice of proposed rulemaking in the Federal Register (57 FR 6691).The Office of Justice Programs received a total of eleven comments on theproposed regulation, seven from State agencies, two from Regional InformationSharing Systems (RISS) program fund recipients, one from a Federal agency,and one from the RISS Project Directors Association. Comments will bediscussed in the order in which they address the substance of the proposedregulation. Discussion of Comments Title - Part 23 Comment: One commentorsuggested reinserting the word "Operating" in the title of the regulation to read"Criminal Intelligence Systems Operating Policies" to reflect that the regulationapplies only to policies governing system operations. Response: Agreed. Thetitle has been changed. APPLICABILITY - SECTION 23.3(a) Comment: Aquestion was raised by one respondent as to whether the applicability of theregulation under Section 23.3(a) to systems "operating through support" underthe Crime Control Act included agencies receiving any assistance funds and whooperated an intelligence system QLonly those who received assistance funds forthe specific purpose of funding the operation of an intelligence system.Response: The regulation applies to grantees and subgrantees who receive anduse Crime Control Act funds to fund the operation of an intelligence system.Comment: Another commentor asked whether the purchase of software, officeequipment, or the payment of staff salaries for a criminal intelligence systemwould constitute "operating through support" under the Crime Control Act.Response: Any direct Crime Control Act fund support that contributes to theoperation of a criminal intelligence system would subject the system to theoperation of the policy standards during the period of fund support. Comment: Athird commentor inquired whether an agency's purchase of a telephone penregister or computer equipment to store and analyze pen register informationwould subject the agency or its information systems to the regulation. Response:No, neither a pen register nor equipment to analyze telephone toll information fallunder the definition of a criminal intelligence system even though they may assistan agency to produce investigative or other information for an intelligencesystem. APPLICABILITY - SECTION 23.3(b) Comment: Several commentorsquestioned whether information systems that are designed to collect informationon criminal suspects for purposes of inquiry and analysis, and which provide fordissemination of such information, qualify as "criminal intelligence systems." Onepointed out that the information qualifying for system submission could not be"unconfirmed" or "soft" intelligence. Rather, it would generally have to be- 9-: One respondent asked whether the definition of criminal intelligence systemcovered criminal history record information (CHR/) systems, fugitive files, or otherwant or warrant based information systems. investigative file-based informationto meet the "reasonable suspicion" test. Response: The character of aninformation system as a criminal intelligence system does not depend upon thesource or categorization of the underlying information as "raw" or "soft"intelligence, preliminary investigation information, or investigative information,


findings or determinations. It depends upon the purpose for which the informationsystem exists and the type of information it contains. If the purpose of the systemis to collect and share information with other law enforcement agencies onindividuals reasonably suspected of involvement in criminal activity, and theinformation is identifying or descriptive information about the individual and thesuspected criminal activity, then the system is a criminal intelligence system forpurposes of the regulation. Only those criminal intelligence systems that receive,store and provide for the interagency exchange and analysis of criminalintelligence information in a manner consistent with this regulation are eligible forfunding support with Crime Control Act funds. Comment

Response: No. A CHRI system contains information collected on arrests,detention, indictments, informations or other charges, dispositions, sentencing,correctional supervision, and release. It encompasses systems designed tocollect, process, preserve, or disseminate such information. CHRI is factual,historical and objective information which provides a criminal justice system"profile" of an individual's past and present involvement in the criminal justicesystem. A fugitive file is designed to provide factual information to assist in thearrest of individuals for whom there is an outstanding want or warrant. Criminalintelligence information, by contrast, is both factual and conjectural (reasonablesuspicion), current and subjective. It is intended for law enforcement use only, toprovide law enforcement officers and agencies with useful information on criminalsuspects and to foster interagency coordination and cooperation. A criminalintelligence system can have criminal history record information in it as anidentifier but a CHRI system would not contain the suspected criminal activityinformation contained in a criminal intelligence system. This distinction providesthe basis for the limitations on criminal intelligence systems set forth in theoperating policies. Because criminal intelligence information is both conjecturaland subjective in nature, may be widely disseminated through the interagencyexchange of information and cannot be accessed by criminal suspects to verifythat the information is accurate and complete, the protections and limitations setforth in the regulation are necessary to protect the privacy interests of thesubjects and. potential subjects of a criminal intelligence system. Comment:Another commentor asked whether a law enforcement agency's criminalintelligence information unit, located at headquarters, which authorizes nooutside access to information in its intelligence system, would be subject to theregulation. Response: No. The sharing of investigative or general file informationon criminal subjects within an agency is a practice that takes place on a dailybasis and is necessary for the efficient and effective operation of a lawenforcement agency. Consequently, whether such a system is described as acase management or intelligence system, the regulation is not intended to applyto the exchange or sharing of such information when it takes place within a singlelaw enforcement agency or organizational entity. For these purposes, anoperational multi-jurisdictional task force would be considered a singleorganizational entity provided that it is established by and operates under awritten memorandum of understanding or interagency agreement. The definitionof "Criminal Intelligence System" has been modified to clarify this point. However,


if a single agency or entity system provides access to system information tooutside agencies on an inquiry or request basis, as a matter of either policy orpractice, the system would qualify as a criminal intelligence system and besubject to the regulation. Comment: A commentor questioned whether theproposed exclusion of "analytical information and work products" from thedefinition of "Intelligence System" was intended to exclude all dissemination ofanalytical results from coverage under the regulation. Response: No. Theexceptions in the proposed definition of "Intelligence System" of modus operandifiles, historical telephone toll files and analytical information and work productsare potentially confusing. The exceptions reflect types of data that mayor maynot qualify as "Criminal Intelligence Information" depending on particular factsand circumstances. Consequently, these exceptions have been deleted from thedefinition

- 10-: One commentor requested clarification of the role of the "Project" in theoperation of an intelligence system, i.e. is the project required to have physicalcontrol (possession) of the information in an intelligence system or will authorityover the system (operational control) suffice? : Operational control over anintelligence system's intelligence information is sufficient. The regulation seeks toestablish a single locus of authority and responsibility for system information.Once that principle is established, the regulation permits, for example, theestablishment of remote (off premises) data bases that meet applicable securityrequirements. of "Intelligence System" in the final rule. For example, analyticalinformation and work products that are derived from unevaluated or bulk data(i.e. information that has not been tested to determine that it meets intelligencesystem submission criteria) are not intelligence information if they are returned tothe submitting agency. This information and its products cannot be retained,stored, or made available for dissemination in an intelligence system unless anduntil the information has been evaluated and determined to meet systemsubmission criteria. The proposed definition of "Analytical Information and WorkProducts" in Section 23.3(b) has also been deleted. To address the aboveissues, the definition of "Intelligence System" has been modified to define a"Criminal Intelligence System or Intelligence System" to mean "thearrangements, equipment, facilities, and procedures used for the receipt,storage, interagency exchange or dissemination, and analysis of criminalintelligence information." Comment: Several commentors raised questionsregarding the concept of "evaluated data" in the definition of "CriminalIntelligence Information", requesting guidance on what criteria to use inevaluating data. Another questioned whether there needed to be an activeinvestigation as the basis for information to fall within the definition and whetherinformation on an individual who or organization which is not the primary subjector target of an investigation or other data source, e.g. a criminal associate or co-conspirator, can qualify as "Criminal Intelligence Information." Response: Thedefinition of "Criminal Intelligence Information" has been revised to reflect thatdata is evaluated for two purposes related to criminal intelligence systemsubmissions: (1) to determine that it is relevant in identifying a criminal suspect


and the criminal activity involved; and (2) to determine that the data meetscriminal intelligence system submission criteria, including reasonable suspicionof involvement in criminal activity. As rewritten, there is no requirement that an"active investigation" is necessary. Further, the revised language makes it clearthat individuals or organizations who are not primary subjects or targets can beidentified in the criminal intelligence information, provided that they independentlymeet system submission criteria. CommentResponseOPERATING PRINCIPLES- SECTION 23.20(c) Comment: One respondent took the position that"Reasonable Suspicion", as defined in Section 23.20 (c), is not necessary to theprotection of individual privacy and Constitutional rights, suggesting instead thatinformation in a funded intelligence system need only be "necessary and relevantto an agency's lawful purposes." Response: While it is agreed that the standardsuggested is appropriate for investigative or other information files maintained foruse by or within an agency, the potential for national dissemination of informationin intelligence information systems, coupled with the lack of access by subjects tochallenge the information, justifies the reasonable suspicion standard as well asother operating principle restrictions set forth in this regulation. Also, the qualityand utility of "hits" in an information system is enhanced by the reasonablesuspicion requirement. Scarce resources are not wasted by agencies incoordinating information on subjects for whom information is vague, incompleteand conjectural. Comment: The prior commentor also criticized the proposeddefinition of reasonable suspicion for its specific reference to an "investigativefile" as the source of intelligence system information, the potential inconsistencybetween the concepts of "infer" and "conclude" as standards for determiningwhether reasonable suspicion is justified by the information available, and theuse of "reasonable possibility" rather than "articulable" or "sufficient" facts as theoperative standard to conclude that reasonable suspicion exists. Response: Thereference to an "investigative file" as the information source has been broadenedto encompass any information source. The information available must provide abasis for the submitter to "believe" there is a reasonable possibility of thesubject's involvement in the criminal activity or enterprise.

- 11 -The concept of a "basis to believe" requires reasoning and logic coupled withsound judgment based on experience in law enforcement rather than a merehunch, whim, or guess. The belief that is formed, that there is a "reasonablepossibility" of criminal involvement, has been retained because the proposedstandard is appropriately less restrictive than that which is required to establishprobable cause.

OPERATING PRINCIPLES - SECTION 23.20(d) Comment: Section 23.20(d)prohibits the inclusion in an intelligence system of information obtained inviolation of Federal, State, or local law or ordinance. Would a project bepotentially liable for accepting, maintaining and disseminating such informationeven if it did not know that the information was illegally obtained? Response: Inaddition to protecting the rights of individuals and organizations that may besubjects in a criminal intelligence system, this prohibition serves to protect a


project from liability for disseminating illegally obtained information. A clearproject policy that prohibits the submission of illegally obtained information,coupled with an examination of supporting information to determine that theinformation was obtained legally or the delegation of such authority to a properlytrained participating agency, and the establishment and performance of routineinspection and audit of participating agency records, should be sufficient to shielda project from potential liability based on negligence in the performance of itsintelligence information screening function. OPERATING PRINCIPLES -SECTION 23.20(h) Comment: One commentor requested clarification of the"periodic review" requirement in Section 23.20(h) and what constitutes an"explanation of decision to retain" information.

Response: The periodic review requirement is designed to insure that systeminformation is accurate and as up-to-date as reasonably possible. When a reviewhas occurred, the record is appropriately updated and notated. The explanationof decision to retain can be a variety of reasons including "active investigation","preliminary review in progress", "subject believed still active in jurisdiction", andthe like. When information that has been reviewed or updated and adetermination made that it continues to meet system submission criteria, theinformation has been "validated" and begins a new retention period. Theregulation limits the retention period to a maximum of five years without a reviewand validation of the information. OPERATING PRINCIPLES - SECTION 23.20(j)Comment: One commentor requested a definition of "remote terminal" and askedhow OJP would determine whether "adequate policies and procedures" are inplace to insure the continued integrity of a criminal intelligence system.Response: A "remote terminal" is hardware that enables a participating agency toinput into or access information from a project's criminal intelligence data basewithout the intervention of project staff. While the security requirements set forthin Section 23.20(g)(1 )-(5) should minimize the threat to system integrity fromunauthorized access to and the use of system information, special measures arecalled for when direct remote terminal access is authorized. The Office of JusticePrograms will expect any request for approval of remote terminal access toinclude information on the following system protection measures: 1. Proceduresfor identification of authorized remote terminals and security of terminals; 2.Authorized access officer (remote terminal operator) identification and verificationprocedures; 3. Provisions for the levels of dissemination of information asdirected by the submitting agency; 4. Provisions for the rejection of submissionsunless critical data fields are completed; 5. Technological safeguards on systemaccess, use, dissemination, and review and purge; 6. Physical security of thesystem;

- 12-

7. Training 'and certification of system-participating agency personnel; 8.Provisions for the audit of system-participating agencies, to include: file datasupporting submissions to the system; security of access terminals; and policyand procedure compliance; and 9. Documentation for audit trails of the entiresystem operation. Moreover, a waiver provision has been added to ensure


flexibility in adapting quickly to technological and legal changes which mayimpact any of the requirements contained in this regulation. See Section 23.20(0). Comment: Related to the above discussion, another commentor askedwhether restrictions on direct remote terminal access would prohibit remoteaccess to an "index" of information in the system. Response: Yes. The ability toobtain all information directly from a criminal intelligence system through the useof hardware based outside the system constitutes direct remote terminal accesscontrary to the provisions of Section 23.20(i)(1), except as specifically approvedby OJP. Thus, a hit/no hit response, if gleaned from an index, would bring aremote terminal within the scope of the requirement for OJP approval of directremote terminal access. Comment: One commentor pointed out that therequirement for prior OJP approval of "modifications to system design" wasoverly broad and could be read to require that even minor changes be submittedfor approval. The commentor proposed a substitute which would limit therequirement to those modifications "that alter the system's identified goals in away contrary to the requirements of (this regulation)."

Response: While it is agreed that the language is broad, the proposed limitationis too restrictive. The intent was that "modifications to system design" refer to"major" changes to the system, such as the nature of the information collected,the place or method of information storage, the authorized uses of information inthe system, and provisions for access to system information by authorizedparticipating agencies. This clarification has been incorporated in the regulation.In order to decentralize responsibility for approval of system designmodifications, the proposed regulation has been revised to provide for approvalof such modifications by the grantor agency rather than OJP. A similar changehas been made to Section 23.200). OPERATING PRINCIPLES - SECTION23.20(n) Comment: Several com mentors expressed concern with the verificationprocedures set forth in Section 23.20(n). One suggested that file informationcannot "verify" the correctness of submissions but instead serves to "document"or "substantiate" its correctness. Another proposed deleting the requirementsthat (1) files maintained by participating agencies to support system submissionsbe subject to the operating principles, and (2) participating agencies areauthorized to maintain such files separately from other agency files. The firstrequirement conflicts with the normal investigative procedures of a lawenforcement agency in that all information in agency source files cannot meet theoperating principles, particularly the reasonable suspicion and relevancyrequirements. The important principle is that the information which is gleanedfrom an agency's source files and submitted to the system meet the operatingprinciples. The second requirement has no practical value. At most, it results inthe creation of duplicative files or in submission information being segregatedfrom source files. Response: OJP agrees with both comments. The word"documents" has been substituted for "verifies" and the provisions subjectingparticipating agency source files to the operating principles and authorizingmaintenance of separate files have been deleted. Projects should use their auditand inspection access to agency source files to document the correctness ofparticipating agency submissions on a sample basis. FUNDING GUIDELINES -


SECTION 23.30(b) Comment: One commentor asked: Who defines the areas ofcriminal activity that "represent a significant and recognized threat to thepopulation?" Response: The determination of areas of criminal activity focus andpriority are matters for projects, project policy boards and member agencies todetermine, provided that the additional regulatory requirements set forth inSection 23.30(b) are met. MONITORING AND AUDITING OF GRANTS -SECTION 23.40(a)

- 13 -Comment: One commentor asked: "Who is responsible for developing thespecialized monitoring and audit of awards for intelligence systems to insurecompliance with the operating principles"?

Response: The grantor agency (the agency awarding a sub-grant to support anintelligence system) shall establish and approve a plan for specialized monitoringand audit of sub-awards prior to award. For the BJA Formula Grant Program, theState agency receiving the award from BJA is the grantor agency. Technicalassistance and support in establishing a monitoring and audit plan is availablethrough BJA. INFORMATION ON JUVENILES Comment: Can intelligenceinformation pertaining to a juvenile who otherwise meets criminal intelligencesystem submission criteria be entered into an intelligence data base? Response:There is no limitation or restriction on entering intelligence information on juvenilesubjects set forth in Federal law or regulation. However, State law may restrict orprohibit the maintenance or dissemination of such information by its lawenforcement agencies. Therefore, State laws should be carefully reviewed todetermine their impact on this practice and appropriate project policies adopted.

Executive Order 12291 These regulations are not a "major rule" as defined bysection 1(b) of Executive Order No. 12291,3 CFR part 127 (1981), because theydo not result in: (a) An effect on the economy of $100 million or more, (b) a majorincrease in any costs or prices, or (c) adverse effects on competition,employment, investment, productivity, or innovation among Americanenterprises. Regulatory Flexibility Act These regulations are not a rule within themeaning of the Regulatory Flexibility Act, 5 U.S.C. 601-612. These regulations, ifpromulgated, will not have a "significant" economic impact on a substantialnumber of small "entities," as defined by the Regulatory Flexibility Act.Paperwork Reduction Act There are no collection of information requirementscontained in the proposed regulation. List of Subjects in 28 CFR Part 23Administrative practice and procedure, Grant programs, Intelligence, LawEnforcement. For the reasons set out in the preamble, title 28, part 23 of theCode of Federal Regulations is revised to read as follows: PART 23--CRIMINALINTELLIGENCE SYSTEMS OPERATING POLICIES Sec.

1. Purpose.

2. Background.3. Applicability.

4. Operating principles.


5. Funding guidelines.

6. Monitoring and auditing of grants for the funding of intelligence systems.

Authority: 42 U.S.C. 3782(a); 42 U.S.C. 3789g(c). § 23.1 Purpose. The purposeof this regulation is to assure that all criminal intelligence systems operatingthrough support under the Omnibus Crime Control and Safe Streets Act of 1968,42 U.S.C. 3711, et seq., as amended (Pub. L. 90-351, as amended by Pub. L.91-644, Pub. L. 93-83, Pub. L. 93-415, Pub. L. 94-430, Pub. L. 94-503, Pub. L. '95-115, Pub. L. 96-157, Pub. L. 98-473, Pub. L. 99-570, Pub. L.100-690, andPub. L. 101-647), are utilized in conformance with the privacy and constitutionalrights of individuals. § 23.2 Background. It is recognized that certain criminalactivities including but not limited to loan sharking, drug trafficking, trafficking instolen property, gambling, extortion, smuggling, bribery, and corruption of publicofficials often involve some degree of regular coordination and permanentorganization involving a large number of participants over a broad geographicalarea. The exposure of such ongoing networks of criminal activity can

- 14-means the organizational unit which operates an intelligence system on behalf ofand for the benefit of a single agency or the organization which operates aninterjurisdictional intelligence system on behalf of a group of participatingagencies; and (6) means the procedures governing the periodic review ofcriminal intelligence information to assure its continuing compliance with systemsubmission criteria established by regulation or program policy .. (a) A projectshall collect and maintain criminal intelligence information concerning anindividual only if there is reasonable suspicion that the individual is involved incriminal conduct or activity and the information is relevant to that criminal conductor activity. (b) A project shall not collect or maintain criminal intelligenceinformation about the political, religious or social views, associations, or activitiesof any individual or any group, association, corporation, business, partnership, orother organization unless such information directly relates to criminal conduct oractivity and there is reasonable suspicion that the subject of the information is ormay be involved in criminal conduct or activity. (c) be aided by the pooling ofinformation about such activities. However, because the collection and exchangeof intelligence data necessary to support control of serious criminal activity mayrepresent potential threats to the privacy of individuals to whom such datarelates, policy guidelines for Federally funded projects are required. § 23.3Applicability. (a) These policy standards are applicable to all criminal intelligencesystems operating through support under the Omnibus Crime Control and SafeStreets Act of 1968, 42 U.S.C. 3711, et seq., as amended (Pub. L. 90-351, asamended by Pub. L. 91-644, Pub. L. 93-83, Pub. L. 93-415, Pub. L. 94-430, Pub.L. 94-503, Pub. L. 95-115, Pub. L. 96-157, Pub. L. 98-473, Pub. L. 99-570, Pub.L. 100-690, and Pub. L. 101-647). (b) As used in these policies: (1) CriminalIntelligence System or Intelligence System means the arrangements, equipment,facilities, and procedures used for the receipt, storage, interagency exchange ordissemination, and analysis of criminal intelligence information; (2)


Interjurisdictional Intelligence System means an intelligence system whichinvolves two or more participating agencies representing different governmentalunits or jurisdictions; (3) Criminal Intelligence Information means data which hasbeen evaluated to determine that it: (i) is relevant to the identification of and thecriminal activity engaged in by an individual who or organization which isreasonably suspected of involvement in criminal activity, and (ii) meets criminalintelligence system submission criteria; (4) Participating Agency means anagency of local, county, State, Federal, or other governmental unit whichexercises law enforcement or criminal investigation authority and which isauthorized to submit and receive criminal intelligence information through aninterjurisdictional intelligence system. A participating agency may be a memberor a nonmember of an interjurisdictional intelligence system; (5) IntelligenceProject or Project Validation of Information § 23.20 OperatingprinciplesReasonable Suspicion or Criminal Predicate is established wheninformation exists which establishes sufficient facts to give a trained lawenforcement or criminal investigative agency officer, investigator, or employee abasis to believe that there is a reasonable possibility that an individual ororganization is involved in a definable criminal activity or enterprise. In aninterjurisdictional intelligence system, the project is responsible for establishingthe existence of reasonable suspicion of criminal activity either throughexamination of supporting information submitted by a participating agency or bydelegation of this responsibility to a properly trained participating agency which issubject to routine inspection and audit procedures established by the project. (d)A project shall not include in any criminal intelligence system information whichhas been obtained in violation of any applicable Federal, State, or local law orordinance. In an interjurisdictional intelligence system, the project is responsiblefor establishing that no information is entered in violation of Federal, State, orlocal laws, either through examination of supporting information submitted by aparticipating agency or by delegation of this responsibility to a properly trainedparticipating agency which is subject to routine inspection and audit proceduresestablished by the project. (e) A project or authorized recipient shall disseminatecriminal intelligence information only where there is a need to know and a right toknow the information in the performance of a law enforcement activity. (f) (1)Except as noted in paragraph (f) (2) of this. section, a project shall disseminatecriminal intelligence

-15 -information only to law enforcement authorities who shall agree to followprocedures regarding information receipt, maintenance, security, anddissemination which are consistent with these principles.

(2) Paragraph (f) (1) of this section shall not limit the dissemination of anassessment of criminal intelligence information to a government official or to anyother individual, when necessary, to avoid imminent danger to life or property. (g)A project maintaining criminal intelligence information shall ensure thatadministrative, technical, and physical safeguards (including audit trails) areadopted to insure against unauthorized access and against intentional or


unintentional damage. A record indicating who has been given information, thereason for release of the information, and the date of each dissemination outsidethe project shall be kept. Information shall be labeled to indicate levels ofsensitivity, levels of confidence, and the identity of submitting agencies andcontrol officials. Each project must establish written definitions for the need toknow and right to know standards for dissemination to other agencies asprovided in paragraph (e) of this section. The project is responsible forestablishing the existence of an inquirer's need to know and right to know theinformation being requested either through inquiry or by delegation of thisresponsibility to a properly trained participating agency which is subject to routineinspection and audit procedures established by the project. Each intelligenceproject shall assure that the following security requirements are implemented:

(1) Where appropriate, projects must adopt effective and technologicallyadvanced computer software and hardware designs to prevent unauthorizedaccess to the information contained in the system;

(2) The project must restrict access to its facilities, operating environment anddocumentation to organizations and personnel authorized by the project; (3) Theproject must store information in the system in a manner such that it cannot bemodified, destroyed, accessed, or purged without authorization; (4) The projectmust institute procedures to protect criminal intelligence information fromunauthorized access, theft, sabotage, fire, flood, or other natural or manmadedisaster; (5) The project must promulgate rules and regulations based on goodcause for implementing its authority to screen, reject for employment, transfer, orremove personnel authorized to have direct access to the system; and (6) Aproject may authorize and utilize remote (off-premises) system data bases to theextent that they comply with these security. requirements.

(h) All projects shall adopt procedures to assure that all information which isretained by a project has relevancy and importance. Such procedures shallprovide for the periodic review of information and the destruction of anyinformation which is misleading, obsolete or otherwise unreliable and shallrequire that any recipient agencies be advised of such changes which involveerrors or corrections. All information retained as a result of this review mustreflect the name of the reviewer, date of review and explanation of decision toretain. Information retained in the system must be reviewed and validated forcontinuing compliance with system submission criteria before the expiration of itsretention period, which in no event shall be longer than five (5) years. (i) If fundsawarded under the Act are used to support the operation of an intelligencesystem, then:

(1) No project shall make direct remote terminal access to intelligenceinformation available to system participants, except as specifically approved bythe Office of Justice Programs (OJP) based on a determination that the systemhas adequate policies and procedures in place to insure that it is accessible onlyto authorized systems users; and (2) A project shall undertake no majormodifications to system design without prior grantor agency approval.


0) A project shall notify the grantor agency prior to initiation of formal informationexchange procedures with any Federal, State, regional, or other informationsystems not indicated in the grant documents as initially approved at time ofaward. (k) A project shall make assurances that there will be no purchase or usein the course of the project of any

- 16-

electronic, mechanical, or other device for surveillance purposes that is inviolation of the provisions of the Electronic Communications Privacy Act of 1986,Public Law 99-508, 18 U.S.C. 2510-2520, 2701-2709 and 3121-3125, or anyapplicable State statute related to wiretapping and surveillance. (I) A project shallmake assurances that there will be no harassment or interference with any lawfulpolitical activities as part of the intelligence operation. (m) A project shall adoptsanctions for unauthorized access, utilization, or disclosure of informationcontained in the system. (n) A participating agency of an interjurisdictionalintelligence system must maintain in its agency files information whichdocuments each submission to the system and supports compliance with projectentry criteria. Participating agency files supporting system submissions must bemade available for reasonable audit and inspection by project representatives.Project representatives will conduct participating agency inspection and audit insuch a manner so as to protect the confidentiality and sensitivity of participatingagency intelligence records. (0) The Attorney General or designee may waive, inwhole or in part, the applicability of a particular requirement or requirementscontained in this part with respect to a criminal intelligence system, or for a classof submitters or users of such system, upon a clear and convincing showing thatsuch waiver would enhance the collection, maintenance or dissemination ofinformation in the criminal intelligence system, while ensuring that such systemwould not be utilized in violation of the privacy and constitutional rights ofindividuals or any applicable state or federal law. § 23.30 Funding guidelines.The following funding guidelines shall apply to all Crime Control Act fundeddiscretionary assistance awards and Bureau of Justice Assistance (BJA) formulagrant program subgrants, a purpose of which is to support the operation of anintelligence system. Intelligence systems shall only be funded where agrantee/subgrantee agrees to adhere to the principles set forth above and theproject meets the following criteria: (a) The proposed collection and exchange ofcriminal intelligence information has been coordinated with and will supportongoing or proposed investigatory or prosecutorial activities relating to specificareas of criminal activity. (I:» The areas of criminal activity for which intelligenceinformation is to be utilized represent a significant and recognized threat to thepopulation and:

(1) Are either undertaken for the purpose of seeking illegal power or profits orpose a threat to the life and property of citizens; and

(2) Involve a significant degree of permanent criminal organization; or (3) Are notlimited to one jurisdiction.

(c) The head of a government agency or an individual with general policy makingauthority who has been expressly delegated such control and supervision by the


head of the agency will retain control and supervision of information collectionand dissemination for the criminal intelligence system. This official shall certify inwriting that he or she takes full responsibility and will be accountable for theinformation maintained by and disseminated from the system and that theoperation of the system will be in compliance with the principles set forth in §23.20. (d) Where the system is an interjurisdictional criminal intelligence system,the governmental agency which exercises control and supervision over theoperation of the system shall require that the head of that agency or an individualwith general policymaking authority who has been expressly delegated suchcontrol and supervision by the head of the agency:

(1) assume official responsibility and accountability for actions taken in the nameof the joint entity, and

(2) certify in writing that the official takes full responsibility and will beaccountable for insuring that the information transmitted to the interjurisdictionalsystem or to participating agencies will be in compliance with

- 17-

the principles set forth in § 23.20. The principles set forth in § 23.20 shall bemade part of the by-laws or operating procedures for that system. Eachparticipating agency, as a condition of participation, must accept in writing thoseprinciples which govern the submission, maintenance and dissemination ofinformation included as part of the interjurisdictional system.

(e) Intelligence information will be collected, maintained and disseminatedprimarily for State and local law enforcement efforts, including efforts involvingFederal participation. § 23.40 Monitoring and auditing of grants for the funding ofintelligence systems. (a) Awards for the funding of intelligence systems willreceive specialized monitoring and audit in accordance with a plan designed toinsure compliance with operating principles as set forth in § 23.20. The plan shallbe approved prior to award of funds. (b) All such awards shall be subject to aspecial condition requiring compliance with the principles set forth in § 23.20. (c)An annual notice will be published by OJP which will indicate the existence andthe objective of all systems for the continuing interjurisdictional exchange ofcriminal intelligence information which are subject to the 28 CFR Part 23 CriminalIntelligence Systems Policies. Laurie Robinson Acting Assistant Attorney GeneralOffice of Justice Programs (FR Doc. 93-22614 Filed 9-15-93; 8:45am)

- 18-1998 Policy Clarification

AGENCY: Bureau of Justice Assistance (BJA), Office of Justice Programs (OJP),Justice.

ACTION: Clarification of policy.

SUMMARY: The current policy governing the entry of identifying information intocriminal intelligence sharing systems requires clarification. This policy clarificationis to make clear that the entry of individuals, entities and organizations, andlocations that do not otherwise meet the requirements of reasonable suspicion is


appropriate when it is done solely for the purposes of criminal identification or isgermane to the criminal subject's criminal activity. Further, the definition of"criminal intelligence system" is clarified.

EFFECTIVE DATE: This clarification is effective December 30, 1998.

FOR FURTHER INFORMATION CONTACT: Paul Kendall, General Counsel,Office of Justice Programs, 810 7th Street NW, Washington, DC 20531, (202)307-6235.

SUPPLEMENTARY INFORMATION: The operation of criminal intelligenceinformation systems is governed by 28 CFR Part 23. This regulation was writtento both protect the privacy rights of individuals and to encourage and expeditethe exchange of criminal intelligence information between and among lawenforcement agencies of different jurisdictions. Frequent interpretations of theregulation, in the form of policy guidance and correspondence, have been theprimary method of ensuring that advances in technology did not hamper itseffectiveness.

CommentsThe clarification was opened to public comment. Comments expressingunreserved support for the clarification were received from two RegionalIntelligence Sharing Systems (RISS) and five states. A comment from theChairperson of a RISS, relating to the use of identifying information to begin newinvestigations, has been incorporated. A single negative comment was received,but was not addressed to the subject of this clarification.

Use of Identifying Information

28 CFR 23.3(b)(3) states that criminal intelligence information that can be putinto a criminal intelligence sharing system is "information relevant to theidentification of and the criminal activity engaged in by an individual who ororganization which is reasonably suspected of involvement in criminal activity,and ... meets criminal intelligence system submission criteria." Further, 28 CFR23.20(a) states that a system shall only collect information on an individual if"there is reasonable suspicion that the individual is involved in criminal conductor activity and the information is relevant to that criminal conduct or activity." 28CFR 23.20(b) extends that limitation to [page 71753] collecting information ongroups and corporate entities.

In an effort to protect individuals and organizations from the possible taint ofhaving their names in intelligence systems (as defined at 28 CFR Sec.23.3(b)(1», the Office of Justice Programs has previously interpreted this sectionto allow information to be placed in a system only if that informationindependently meets the requirements of the regulation. Information that mightbe vital to identifying potential criminals, such as favored locations andcompanions, or names of family members, has been excluded from the systems.This policy has hampered the effectiveness of many criminal intelligence sharingsystems.


Given the swiftly changing nature of modern technology and the expansion of thesize and complexity of criminal organizations, the Bureau of Justice Assistance(BJA) has determined that it is necessary to clarify this element of 28 CFR Part23. Many criminal intelligence databases are now employing "Comment" or"Modus Operandi" fields whose value would be greatly enhanced by the ability tostore more detailed and wide-ranging identifying information. This may includenames and limited data about people and organizations that are not suspected ofany criminal activity or involvement, but merely aid in the

- 19 -identification and investigation of a criminal suspect who independently satisfiesthe reasonable suspicion standard.

Therefore, BJA issues the following clarification to the rules applying to the use ofidentifying information. Information that is relevant to the identification of acriminal suspect or to the criminal activity in which the suspect is engaged maybe placed in a criminal intelligence database, provided that (1) appropriatedisclaimers accompany the information noting that is strictly identifyinginformation, carrying no criminal connotations; (2) identifying information may notbe used as an independent basis to meet the requirement of reasonable

, suspicion of involvement in criminal activity necessary to create a record or file ina criminal intelligence system; and (3) the individual who is the criminal suspectidentified by this information otherwise meets all requirements of 28 CFR Part 23.This information may be a searchable field in the intelligence system.

For example: A person reasonably suspected of being a drug dealer is known toconduct his criminal activities at the fictional "NorthSouth Market." An agencymay wish to note this information in a criminal intelligence database, as it may beimportant to future identification of the suspect. Under the previous interpretationof the regulation, the entry of "NorthSouth Market" would not be permitted,because there was no reasonable suspicion that the "NorthSouth Market" was acriminal organization. Given the current clarification of the regulation, this will bepermissible, provided that the information regarding the "NorthSouth Market" wasclearly noted to be non-criminal in nature. For example, the data field in which"NorthSouth Market" was entered could be marked "Non-Criminal IdentifyingInformation," or the words "NorthSouth Market" could be followed by aparenthetical comment such as "This organization has been entered into thesystem for identification purposes only - it is not suspected of any criminal activityor involvement." A criminal intelligence system record or file could not be createdfor "NorthSouth Market" solely on the basis of information provided, for example,in a comment field on the suspected drug dealer. Independent information wouldhave to be obtained as a basis for the opening of a new criminal intelligence fileor record based on reasonable suspicion on "NorthSouth Market." Further, thefact that other individuals frequent "NorthSouth Market" would not necessarilyestablish reasonable suspicion for those other individuals, as it relates to criminalintelligence systems.

The Definition of a "Criminal Intelligence System"


The definition of a "criminal intelligence system" is given in 28 CFR 23.3(b)(1) asthe "arrangements, equipment, facilities, and procedures used for the receipt,storage, interagency exchange or dissemination, and analysis of criminalintelligence information .... " Given the fact that cross-database searchingtechniques are now common-place, and given the fact that multiple databasesmay be contained on the same computer system, BJA has determined that thisdefinition needs clarification, specifically to differentiate between criminalintelligence systems and non-intelligence systems.

The comments to the 1993 revision of 28 CFR Part 23 noted that "the term'intelligence system' is redefined to clarify the fact that historical telephone tollfiles, analytical information, and work products that are not either retained,stored, or exchanged and criminal history record information or identification(fingerprint) systems are excluded from the definition, and hence are not coveredby the regulation .... " 58 FR 48448-48449 (Sept. 16, 1993.) The commentsfurther noted that materials that "may assist an agency to produce investigativeor other information for an intelligence system ... " do not necessarily fall underthe regulation. Id.

The above rationale for the exclusion of non-intelligence information sourcesfrom the definitio"n of "criminal intelligence system," suggests now that, given theavailability of more modern non-intelligence information sources such as theInternet, newspapers, motor vehicle administration records, and other publicrecord information on-line, such sources shall not be considered part of criminalintelligence systems, and shall not be covered by this regulation, even if criminalintelligence systems access such sources during searches on criminal suspects.Therefore, criminal intelligence systems may conduct searches across thespectrum of non-intelligence systems without those systems being brought under28 CFR Part 23. There is also no limitation on such non-intelligence informationbeing stored on the same computer system as criminal intelligence information,provided that sufficient precautions are in place to separate the two types ofinformation and to make it clear to operators and users of the information thattwo different types of information are being accessed.

- 20-Such precautions should be consistent with the above clarification of the rulegoverning the use of identifying information. This could be accomplished, forexample, through the use of multiple windows, differing colors of data or clearlabeling of the nature of information displayed.

Additional guidelines will be issued to provide details of the above clarificationsas needed.

Dated: December 22, 1998.

Nancy Gist Director, Bureau of Justice Assistance [FR Doc. 98-34547 Filed 12-29-98; 8:45 am] BILLING CODE 4410-18-P

- 21 -


a. Background: The South Bay Information Sharing System (SBISS) wasestablished on , 2009 by agencies in Santa Clara, SantaCruz, Monterey, and San Benito Counties. The SBISS is a cooperativeventure, created among other reasons, to develop and implement aRegional justice information sharing system that would allow lawenforcement and justice agencies throughout Santa Clara, Santa Cruz,Monterey, and San Benito Counties to share information retained in theircase and records management systems ("Information"), as well as inother relevant data files.

b. Intended Benefits: The SBISS seeks to protect the total community byefficiently and effectively providing accessible, accurate Information forthe speedy investigation and apprehension of terrorists and other lawviolators. Information is shared through a COPLINK Solution Suite("COPLlNK"), a computerized system that was installed by, and iscurrently maintained by Knowledge Computing Corporation ("KCC" or"Contractor"), an Arizona Corporation.

c. Purpose of Policy: The purpose of the COPLINK System Use Agreement("Agreement") is to outline the terms and conditions under whichparticipating agencies ("Agency" or "Agencies") will share and useinformation in COPLINK and to detail various indemnifications,relationships, and obligations among the Agencies and KCC.

d. Agency Participation: An Agency can apply to participate by submitting aproposal to the SBISS Governing Board that outlines the Agency'sintended use of COPLlNK, the type of data the Agency intends tocontribute, and any other information requested by the SBISS. Amajority vote of the full membership of the SBISS Board is required toapprove an Agency's participation in COPLINK. The Agency must alsosign a copy of this Agreement and accept its conditions. The Agency willproactively cooperate with the SBISS, the other participating Agencies,and any contractors working to implement, improve and manage thesystem by obtaining the cooperation of their own System vendors and ormaintenance contractors to facilitate: .

• Network access and connectivity• Data extracts for engineering and testing purposes• Production extracts• Required modifications to their source systems


South Bay Information Sharing SystemCOPLINK System Use Policy

I l:fovemqer 18.}!2Q9 - - { Deleted: October 27

• Regular data updates as agreed to during the design and anyimprovement process

• Timely review and approval of design documents and testresults

e. Agency Withdrawal: An Agency may withdraw their participation in. COPLINK at any time by providing written notice to the SBISS that theAgency wishes to withdraw their participation. In the event that theAgency wishes to withdraw their data from the COPLINK repository, theAgency shall give the Board of Directors sixty (60) days written noticeand the Agency shall be responsible for contacting the maintenancevendor (currently Knowledge Computing Corporation) and requesting thedata removal. The withdrawing Agency is responsible for all of the costassociated with the removal of their data from COPLINK.

a. Sharing of Information: Each Agency authorizes the release ofInformation residing in COPLINK to all authorized users of COPLINK aspermitted by law. Any Agency that does not want certain Informationmade available is responsible for ensuring that the Information is notincluded in the data transfer to COPLINK. An Agency that wants certaindata to be made available only to a select group of users is responsiblefor placing the appropriate restriction indicator on COPLINK.

1. California law prohibits the release of victim information tounauthorized users in specific sex related crimes.

b. Limitation on Information Sharing: Information contributed by eachAgency shall only be shared with or released to those other Agenciesthat have entered into this agreement. Only authorized employees whohave an approved login and password ("Authorized Users") will beallowed to access or use information in COPLINK.

c. Liability: Each Agency is solely responsible for any and all claims(including without limitation, claims for bodily injury, death or damage toproperty), demands, obligations,· damages, actions, causes of action,suits, losses, judgments, fines, penalties, liabilities, costs and expenses(including, without limitation, attorney's fees, disbursements and courtcosts) ("Claims") of every kind and nature whatsoever, arising in anymanner by reason of the gross negligent acts, errors, omissions or willfulmisconduct incident to the performance of this Agreement, inclUding theuse or alleged or actual misuse of COPLINK by that Agency, its officers,agents or employees.



I J:1ovember 18. 2!JQ.9 - -1Deleted: October 27

d. Indemnification: Each Agency executing this Agreement, with theexception of Knowledge Computing Corporation (KCC), is a public entity.In contemplation of the provisions of Section 895.2 of the GovernmentCode of the State of California imposing certain tort liability jointly uponpublic entities, solely by reason of such entities being parties to anAgreement as defined by Section 895 of said Code, the Agencieshereto, as between themselves, pursuant to the authorization containedin Section 895.4 and 895.6 of said Code, will each assume the fullliability imposed upon it or upon any of its officers, agents, or employeesby law, for injury caused by a gross negligent or wrongful act or omissionoccurring in the performance of this Agreement, to the same extent thatsuch liability would be imposed in the absence of Section 895.2 of saidCode.

To achieve the above-stated purpose, each Agency shall indemnify, holdharmless, and defend the other Agencies, their County or Cities, CityCouncils, Party, Boards of Supervisor and other elected officials, boardsand commissions, officers, agents and employees (collectively, the"Indemnified Parties") from and against any and all claims of every kindand nature whatsoever, arising in any manner by reason of the grossnegligent acts, errors, omissions or willful misconduct incident to theperformance of this Agreement, including the use or alleged or actualmisuse of COPLINK by that Agency and its employees. The provision ofSection 2778 of the California Civil Code is made a part hereto as if fullyset forth herein. Each Agency executing this agreement certifies that ithas adequate self insured retention of funds to meet any obligationarising from this Agreement.

KCC shall defend, indemnify and hold harmless the Agencies and theirIndemnified Parties from and against any and all claims of every kindand nature whatsoever, arising in any manner by reason of the grossnegligent acts, errors, omissions or willful misconduct incident to theperformance by KCC or its subcontractors of any tier in the performanceof installing or maintaining COPLINK.

Notwithstanding the foregoing, nothing herein shall be construed torequire KCC or the Agencies to indemnify any other party from any claimarising from the sole gross negligence or willful misconduct of anotherparty. Nothing in this indemnity shall be construed as authorizing anyaward of attorney fees in any action on or to enforce the terms of thisAgreement. This indemnity shall apply to all claims and liabilityregardless of whether any insurance policies are applicable. Any policylimits shall not act as a limitation upon the amount of indemnification tobe provided.



I Jiovember 18. 2QQ!J - --{ Deleted: October 27

The provisions of this section, II d, shall survive the expiration ortermination of this Agreement.

a. Ownership: Each Agency retains control of all information it provides toCOPLINK. Each Agency is responsible for creating, updating, anddeleting records in its own records management system or database,according to its own policies. Each Agency shall use its best efforts toinsure the completeness and accuracy of its source data.

b. Release of Information: Agencies and Authorized Users shall release ormake available information accessed from COPLINK only to persons orentities authorized to receive COPLINK information.

c. Unauthorized Requests: If an Agency receives a request for informationin COPLINK by anyone who is not authorized to receive information fromCOPLlNK, that Agency shall refer the request to the law enforcementagency that authored or originated the requested information ("SourceAgency").

d. Public Record Requests, Subpoenas and Court Orders: Any Agencyreceiving a public records request, subpoena, or court order ("LegalRequest") for information in COPLINK not authored by or originated bythat Agency shall refer the Legal Request to the source Agency for thepurposes of responding to the Legal Request.

a. Accuracy of Information: Agencies agree that the data maintained inCOPLINK consists of information assumed to be accurate. Agencies willparticipate in several testing sessions, to validate and ensure that itsinformation is accurate. However, data inaccuracies can arise formUltiple reasons (e.g., entry errors, misinterpretation, outdated data,etc.). It shall be the responsibility of the Agency requesting or using thedata to confirm the accuracy of the information with the Source Agencybefore taking any enforcement-related action.

b. Timeliness of Information: Each Agency shall determine the frequencywith which its data will be refreshed in COPLINK. In addition, eachAgency has its own policy regarding the speed at which incidents arerecorded in its internal records management systems. Since changes oradditions to data do not get updated in COPLINK on a real-time basis,Agencies recognize that information may not always be timely andrelevant. It shall be the responsibility of the requesting Agency toconfirm the timeliness and relevance of the information with the Source



I Ifpvember 1~. 2!!e9 - - -{ Deleted: October 27

Agency. Additionally, a data refresh schedule will be published by eachSystem Administrator to enable a user to determine the potentialtimeliness of each Agency's data.

c. Hold Harmless: To the extent permitted by law, each Agency agrees tohold the other Agencies harmless for any information in COPLlNK, orany action taken as a result of that data, regardless of whether the datais accurate or not, or any time delay associated with changes, additions,or deletions to the information contributed. This hold harmless provisionshall not apply to the willful misconduct or gross negligence of SourceAgencies.

a. Login Application Process: Each Agency's System Administrator isresponsible for management of user accounts at that Agency. EachAgency agrees that all Authorized Users shall be current employees andbe authorized to review criminal history data for legitimate purposes.Each potential user shall submit a request for a login and password tothe Agency System Administrator. The Agency System Administratorshall have discretion to deny or revoke individual access within theirAgency.

b. Login Assignment: Each Authorized User will be issued a user login anda default password by the Agency System Administrator. Upon logginginto COPLINK for the first time, each Authorized User will change thedefault password to another password. Authorized Users may beassigned to groups that have different levels of access rights based onthe level of restriction of the information.

c. Provision of Agreement: The Agency System Administrator mustprovide a copy of the terms and conditions of this Agreement to allAuthorized Users when they are issued a login ID for the system. EachAuthorized User shall sign an acknowledgement stating, "I have receiveda copy of the terms and conditions of usage of COPLINK. I agree tocomply with the terms and conditions and I understand that violation ofthe terms and conditions may lead to disciplinary action and/or criminalprosecution: The Agency System Administrator shall maintain theoriginal signed acknowledgements at all times.

d. Intended Use: Each Authorized User agrees that COPLlNK, theinformation contained in it, and the networking resources it provides areto be used solely for purposes consistent with the law. Authorized Usersshall not use or share the information for any unethical, illegal, orcriminal purpose.



lliove'!}ber 18. 29Q~ - {Deleted: October 27

e. Limitations on Use of Logins: An Authorized User may not accessCOPLINK by using a name or password that was assigned to anotheruser. An Authorized User cannot give his or her password to anotherperson, including another user, to access the system.

f. Audit Trail: Each transaction on COPLINK is logged, and an audit trail iscreated. Each Agency System Administrator shall conduct an internalaudit on a periodic basis to ensure information is reasonably up to dateand user queries are made for legitimate law enforcement purposes.COPLINK will require each Authorized User to input the reason for therequested information before any information is generated. Thisinformation shall be recorded on COPLlNK, and retained to allow theSystem Administrator to complete the internal audit. Each SystemAdministrator shall maintain the audit trail for a minimum of three years.Requests for transaction logs shall be made in Writing to the AgencySystem Administrator, who shall provide the logs to the requesting partywithin a reasonable amount of time.

g. Termination of Logins: Each Agency System Administrator isresponsible for timely removal of any login accounts as Authorized Usersleave the Agency or are denied access by the Agency SystemAdministrator for any other reason.

a. Information Confidentialitv: Information in COPLINK is confidential andis not sUbject to public disclosure, except as required by law.· OnlyAuthorized Users are allowed to view and use the information inCOPLINK. The information will otherwise be kept confidential.

b. Internal Requests for Information: An Authorized User who receives arequest from a non-authorized requestor for information in COPLINKshall not release that information, but may refer the requestor to theSource Agency.

c. Removal or Editing of Records: Agencies shall determine a schedule forrecord deletion and other edits. If an agency requires a record edited,removed or otherwise changed in a more timely manner, they areresponsible for contacting the maintenance contractor (currentlyKnowledge Computing Corporation) directly and arranging for such achange to be manually processed to their data.



I Jiovembe! 1~. 2!!Q~ - -{Deleted: October 27

a. Network Access: Access to COPLINK will be provided by a privatenetwork maintained by a secure network configuration or other suchmethod chosen by the Santa Clara County Office of the Sheriff as thehost agency.

b. System Availability: COPLINK shall operate 24-hours a day, 7-days aweek, with downtime limited to those hours required for any necessarymaintenance activities.

a. Term: This Agreement will commence on the date that it is executed byan Agency and KCC.

b. Amendments: Any change in the terms of this Agreement, shall beincorporated into this Agreement by a written amendment properlyexecuted and signed by a person authorized to bind the Agencies andKCC.

c. Supplemental Policies: An Agency may add individual terms andconditions for its own computers or networks providing the terms andconditions do not conflict with the provisions of this Agreement.

d. Sanctions for Non-Compliance: Any Agency that violates the terms andconditions of this Agreement may be disconnected from COPLINK. Theoffending Agency will be provided with a 60-day written notice of theviolation and the opportunity to correct the violation. Failure to abide byor follow the terms and conditions of this AgreellJent will result in thetermination of COPLINK access for the offending Agency. All disputesconcerning access shall be determined by a majority of the COPLINKBoard.

By executing this agreement, each Agency acknowledges that it hasreceived a copy of this Agreement and will comply with its terms andconditions. This Agreement may be executed in one or morecounterparts, each of which will be deemed an original, but all of whichtogether will constitute one and the same instrument. A completeoriginal will be kept on file with the Santa Clara County Office of theSheriff. For all other purposes, facsimile signatures are acceptable asoriginals.



I Jiovl}mber 18. 2!Je~ - - -{Deleted: October 27

I • _- - -{Deleted: -- --- . -- -- . -- . --- .. -- . )


South Bay Information Sharing SystemCOPLINK System Use PolicyJiovember 18. 2009



lipvember 18. 2009

SignatureDate

Printed Name and Title

SignatureDate


SignatureDate


SignatureDate



South Bay Information Sharing SystemCOPLINK System Use Policyliovember 18.2009



I /fovember 18. 2009


memorandum of understanding south bay information sharing ... · memorandum of understanding south...

Documents