[Federal Register Volume 64, Number 41 (Wednesday, March 3, 1999)]
[Proposed Rules]
[Pages 10262-10265]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-5343]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF JUSTICE

28 CFR Part 25

[AG Order No. 2209-99]
RIN 1105-AA51


National Instant Criminal Background Check System Regulation

AGENCY: Federal Bureau of Investigation, Department of Justice.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The United States Department of Justice (``DOJ'') proposes to 
amend the DOJ regulation implementing the

[[Page 10263]]

National Instant Criminal Background Check System (``NICS'') pursuant 
to the Brady Handgun Violence Prevention Act (``Brady Act''), to 
establish a retention period of 90 days for information relating to 
allowed firearm transfers in the system transaction log of background 
check transactions (``NICS Audit Log''). Audits of the use of the NICS 
are considered essential to safeguard the privacy of the sensitive 
information checked by the system and to ensure that the system is 
operating in the manner required by the Brady Act. Audits will help 
prevent invasions of privacy that result from misuse of the system. For 
example, audits will enable the detection of felons who assume the 
identity of a qualified person to buy guns illegally and persons who 
misuse the system to perform background checks unrelated to gun 
purchases (such as employment checks). In addition, the proposed rule 
clarifies that the retention period begins to run on the day after the 
request for a NICS check is received. The proposed rule also clarifies 
that only the FBI has direct access to the NICS Audit Log and that, in 
furtherance of the purpose of auditing the use and performance of the 
NICS, the FBI may extract and provide information from the NICS Audit 
Log to the Bureau of Alcohol, Tobacco and Firearms (``ATF'') for use in 
ATF's inspections of Federal Firearms Licensee (``FFL'') records, 
provided that ATF destroys NICS Audit Log information about allowed 
firearm transfers within the applicable retention period and maintains 
a written record certifying the destruction. By using the preexisting 
ATF inspection system to audit use of the NICS by FFLs, it will be 
unnecessary to propose a system under which the FBI would perform 
recurring audits of FFLs. Such a system could lead to duplication of 
effort and expense resulting from FBI auditors traveling to FFL 
premises to review the same records that ATF reviews during its routine 
inspections of FFLs.

DATES: Written comments must be received on or before June 1, 1999.

ADDRESSES: All comments concerning this proposed rule should be sent 
to: Mr. Emmet A. Rathbun, Unit Chief, Federal Bureau of Investigation, 
Module C-3, 1000 Custer Hollow Road, Clarksburg, West Virginia 26306-
0147.

FOR FURTHER INFORMATION CONTACT: Mr. Emmet A. Rathbun, Unit Chief, 
Federal Bureau of Investigation, telephone number (304) 625-2000.

SUPPLEMENTARY INFORMATION: This proposal would amend the National 
Instant Criminal Background Check System Regulation (28 CFR, Part 25, 
Subpart A), published in the Federal Register on October 30, 1998 (63 
FR 58303). The proposed amendments are to the portions of the NICS 
regulation providing for the retention and use of information in the 
NICS Audit Log pertaining to allowed firearm transfers, 28 CFR 
25.9(b)(1) and (2) (63 FR 58311).

Record Retention Period

    The Brady Act requires the Attorney General to ensure the privacy 
and security of information in the NICS and the proper operation of the 
system. The purpose of maintaining the NICS Audit Log is to help carry 
out this function by facilitating audits of the use and operation of 
the NICS. At the same time, to prevent the establishment of a national 
firearms registry, the Brady Act requires the destruction of NICS 
records (other than the NICS Transaction Number (``NTN'') and the date 
the NTN was assigned) relating to allowed firearm transfers. Although 
an eighteen-month retention period for information about allowed 
firearm transfers was initially proposed in the notice of proposed 
rulemaking for the NICS regulation, the final NICS rule took into 
account the comments on this subject and balanced the competing 
interests by reducing the retention period to no more than six months.
    The preamble to the final NICS regulation described the question of 
the period of record retention as follows: ``In light of the statutory 
requirement that records for allowed transfers be destroyed, and the 
countervailing statutory requirement to provide for system privacy and 
security, the Department determined that the general retention period 
for records of allowed transfers in the NICS Audit Log should be the 
minimum reasonable period for performing audits on the system, but in 
no event more than six months. Section 25.9(b) in the final rule was 
revised to reflect this and to provide that such information may be 
retained for a longer period if necessary to pursue identified cases of 
misuse of the system. The Department further determined that the FBI 
shall work toward reducing the retention period to the shortest 
practicable period of time less than six months that will allow basic 
security audits of the NICS. By February 28, 1999, the Department will 
issue a notice of a proposed revision of the regulation setting forth a 
further reduced period of retention that will be observed by the 
system.'' (63 FR 58304.) The purpose of this notice is to propose a 
period of retention less than six months that will be observed by the 
system.
    Audits of the NICS will include (1) quality control audits of NICS 
examiners and call center operators to ensure the accuracy of the 
responses given to FFLs; (2) audits of the system's data processing to 
aid in the resolution of technical system problems; (3) audits of the 
use of the NICS by state agencies serving as points of contact 
(``POCs'') for the NICS and/or using the NICS in connection with 
issuing firearms licenses or permits, to ensure that such agencies are 
accessing the NICS only for authorized purposes; and (4) audits of the 
use of the NICS by FFLs to ensure that FFLs are accessing the NICS only 
for authorized purposes and are not sending the NICS false data to 
evade the system.
    Auditing the users (FFLs and POCs) of the NICS is essential to 
safeguard the security and privacy of personal information in the 
system. The NICS will perform background checks that access a 
tremendous amount of criminal history, mental health, military 
background, and other information about individuals. Access to such 
sensitive information for background checks on individuals should only 
be available for purposes authorized by law. Misuse of that information 
could lead to significant invasions of privacy. The Brady Act 
recognized the sensitivity of system information by requiring the 
Attorney General to issue regulations ``to ensure the security and 
privacy of the information of the system.'' The Brady Act also provides 
that disclosures of information from the NICS are subject to the 
restrictions of the Privacy Act. Without the capacity to audit the use 
of the system, there will be no way of determining whether FFLs are 
requesting checks for purposes other than checking on the background of 
a prospective gun purchaser. Many businesses and individuals would be 
very interested in having easy access to these government databases 
through FFLs to do employment or other unauthorized checks on persons. 
While it is true that a NICS check will not disclose what record was 
the reason for a denial, the mere fact that the system response is 
``denied'' (indicating that at least one disqualifying record exists) 
may be enough to cause employers or others to take adverse action 
against the person checked. A ``delayed'' response might also have a 
detrimental impact on the subject of the check if a person misusing the 
system does not wait to see if a ``proceed'' follows or concludes, 
unfairly, that the response means the individual checked has some kind 
of stigmatizing ``record.'' The FBI must take appropriate steps to 
identify and guard against such invasions of privacy.
    In addition, the Brady Act requires the Attorney General to 
establish a system that will inform FFLs whether

[[Page 10264]]

available information demonstrates that a person seeking to acquire a 
firearm is disqualified by law from possessing firearms. The background 
check system established to perform this function is based upon names 
and other personally identifying information that can be falsified. 
Therefore, it is equally important to be able to audit NICS 
transactions to ensure that FFLs are not misusing the NICS by 
deliberately submitting false information to the system. The ability to 
audit the background checks requested by FFLs, by comparing the 
information submitted to the NICS with information retained by the FFL, 
will deter attempts to evade the system. In other words, audits will 
help ensure that the system is operating in the manner required by the 
Brady Act.
    There is no formula for determining with precision what retention 
period is the minimum necessary to allow adequate audits of the NICS, 
and because the NICS is a new system, there is no historical data 
regarding the use of the NICS from which any definite conclusion about 
retention periods can be drawn. What can be said with certainty is 
that, at six months, the NICS retention period is already less than 
half of the retention period established for auditing the users of the 
Interstate Identification Index (``III''), the information system 
managed by the FBI that makes up the vast majority of the records 
checked by the NICS. It is also undeniable that, the shorter the 
period, the less likely it is that even random audits will uncover or 
deter system misuse.
    In determining the period of retention that will allow for a 
minimal opportunity to detect misuse of the system by FFLs and POCs, 
the Department recognizes the need for both: (1) a sufficient period of 
system activity to be audited; and (2) time to administer the audits. A 
time period for administering the audits is necessary to: identify 
those system records that will be used in the audit; conduct the audit; 
and review the results of the audit to determine whether there are any 
identified cases of misuse of the system. Accordingly, the Department 
has concluded that the shortest practicable period of time for 
retaining records of allowed transfers that would permit the 
performance of basic security audits of the NICS is 90 days.
    Under the proposed rule, therefore, section 25.9(b)(1) provides 
that in cases of allowed transfers, all information in the NICS Audit 
Log relating to the person or the transfer, other than the NTN assigned 
to the transfer and the date the number was assigned, will be destroyed 
not more than 90 days after the date the request for the NICS check was 
received. The proposed rule also changes section 25.9(b)(1) to provide 
that the retention period begins to run on the day after ``the date the 
request for the NICS check was received,'' instead of the date the 
``transfer was allowed.'' This change provides a uniform date from 
which to begin the retention period.

Accomplishing the Audits

    Quality control, data processing, and POC audits can all be 
accomplished by FBI employees or contractors without the need for 
outside assistance. In order to audit the use of the NICS by FFLs, 
however, the FBI is developing a plan, in coordination with ATF, under 
which information from the NICS Audit Log will be provided to ATF for 
use in conjunction with its compliance inspections of FFL records. FFLs 
are subject to inspections by ATF pursuant to the provisions of the Gun 
Control Act (``GCA''), 18 U.S.C. 923(g)(1)(B)(ii). By using the 
preexisting ATF inspection system to audit use of the NICS by FFLs, it 
will be unnecessary to propose a system under which the FBI would 
perform recurring audits of FFLs. Such a system could lead to 
duplication of effort and expense resulting from FBI auditors traveling 
to FFL premises to review the same records that ATF reviews during its 
routine inspections of FFLs. It is least intrusive and most efficient 
to have regular review of FFL NICS records performed by ATF as part of 
its inspection program.
    The information comparisons by ATF of NICS Audit Log data with FFL 
records of NICS checks will detect and deter misuse of the NICS by FFLs 
and ensure FFL compliance with the Brady Act and the GCA. Under this 
plan, ATF will not have direct access to the information in the NICS 
Audit Log. The information will be extracted from the NICS Audit Log by 
the FBI and provided to ATF for the FFLs to be inspected. 
Irregularities relating to the use of the NICS by an FFL discovered 
during an ATF inspection will be referred to the FBI. Under this plan, 
ATF will destroy the NICS Audit Log information about allowed firearm 
transfers within the applicable retention period and maintain a written 
record certifying destruction of the records. The information provided 
to ATF from the NICS Audit Log will be the same information that ATF is 
already authorized to review when inspecting FFL records under the GCA.
    The proposed rule, therefore, amends paragraph 25.9(b)(2) to 
clarify that while only the FBI has direct access to the NICS Audit 
Log, the FBI, in furtherance of the purpose of conducting audits of the 
use and performance of the NICS, may extract and provide information 
from the NICS Audit Log to ATF for use in ATF's inspections of FFL 
records, provided that ATF destroys information about allowed firearm 
transfers within the retention period for such information set forth in 
paragraph 25.9(b)(1) and maintains a written record certifying the 
destruction.

Applicable Administrative Procedures and Executive Orders

Regulatory Flexibility Analysis

    The Attorney General, in accordance with the Regulatory Flexibility 
Act (5 U.S.C. 605(b)), has reviewed this final regulation and by 
approving it certifies that this regulation will not have a significant 
economic impact on a substantial number of small entities. While many 
FFLs are small businesses, they are not subject to any additional 
burdens by the proposed plan to audit their use of the NICS.

Executive Order 12866

    The proposed rule has been drafted and reviewed in accordance with 
Executive Order 12866, section 1(b), Principles of Regulation. The 
Department of Justice has determined that this proposed rule is a 
``significant regulatory action'' under section 3(f) of Executive Order 
12866, Regulatory Planning and Review, and thus it has been reviewed by 
the Office of Management and Budget (``OMB'').

Executive Order 12612

    This proposed rule will not have a substantial direct effect on the 
states, on the relationship between the national government and the 
states, or on the distribution of power and responsibilities among the 
various levels of government. Therefore, in accordance with Executive 
Order 12612, it is determined that this proposed rule does not have 
sufficient federalism implications to warrant the preparation of a 
Federal Assessment.

Unfunded Mandates Reform Act of 1995

    This proposed rule will not result in the expenditure by state, 
local, and tribal governments, in the aggregate, or by the private 
sector, of $100,000,000 or more in any one year, and it will not 
significantly or uniquely affect small governments. Therefore, no 
actions were deemed necessary under the provisions of the Unfunded 
Mandates Reform Act of 1995.

[[Page 10265]]

Small Business Regulatory Enforcement Fairness Act of 1996

    This final rule is not a major rule as defined by the Small 
Business Regulatory Enforcement Fairness Act of 1996. 5 U.S.C. 804. 
This rule will not result in an annual effect on the economy of 
$100,000,000 or more, a major increase in costs or prices, or have 
significant adverse effects on competition, employment, investment, 
productivity, innovation, or on the ability of United States-based 
companies to compete with foreign-based companies in domestic and 
export markets.

List of Subjects in 28 CFR Part 25

Administrative practice and procedure, Business and industry, Computer 
technology, Courts, Firearms, Law enforcement officers, Penalties, 
Privacy, Reporting and recordkeeping requirements, Security measures, 
Telecommunications.
    Accordingly, Sec. 25.9 of part 25 of title 28 of the Code of 
Federal Regulations is proposed to be amended as follows:

PART 25--DEPARTMENT OF JUSTICE INFORMATION SYSTEMS

Subpart A--The National Instant Criminal Background Check System

    1. The authority section for Subpart A continues to read as 
follows:

    Authority: Pub. L. 103-159, 107 Stat. 1536.


Sec. 25.9  [Amended]

    2. In Sec. 25.9, paragraph (b) is revised to read as follows:
* * * * *
    (b) The FBI will maintain an automated NICS Audit Log of all 
incoming and outgoing transactions that pass through the system.
    (1) The NICS Audit Log will record the following information: type 
of transaction (inquiry or response), line number, time, date of 
inquiry, header, message key, ORI, and inquiry/response data (including 
the name and other identifying information about the prospective 
transferee and the NTN). In cases of allowed transfers, all information 
in the NICS Audit Log related to the person or the transfer, other than 
the NTN assigned to the transfer and the date the number was assigned, 
will be destroyed not more than 90 days after the date the request for 
the NICS check is received. NICS Audit Log records relating to denials 
will be retained for 10 years, after which time they will be 
transferred to a Federal Records Center for storage. The NICS will not 
be used to establish any system for the registration of firearms, 
firearm owners, or firearm transactions or dispositions, except with 
respect to persons prohibited from receiving a firearm by 18 U.S.C. 922 
(g) or (n) or by state law.
    (2) The NICS Audit Log will be used to analyze system performance, 
assist users in resolving operational problems, support the appeals 
process, or support audits of the use of the system. Searches may be 
conducted on the NICS Audit Log by time frame, i.e., by day or month, 
by FFL, or by a particular state or agency. Information in the NICS 
Audit Log pertaining to allowed transfers may only be directly accessed 
by the FBI for the purpose of conducting audits of the use and 
performance of the NICS. Permissible uses include extracting and 
providing information from the NICS Audit Log to ATF in connection with 
ATF's inspections of FFL records, provided that ATF destroys the 
information about allowed transfers within the retention period for 
such information set forth in Sec. 25.9(b)(1) and maintains a written 
record certifying the destruction. Such information, however, may be 
retained and used as long as needed to pursue cases of identified 
misuse of the system. The NICS, including the NICS Audit Log, may not 
be used by any Department, agency, officer, or employee of the United 
States to establish any system for the registration of firearms, 
firearm owners, or firearm transactions or dispositions. The NICS Audit 
Log will be monitored and reviewed on a regular basis to detect any 
possible misuse of the NICS data.
* * * * *
    Dated: February 27, 1999.
Janet Reno,
Attorney General.
[FR Doc. 99-5343 Filed 3-1-99; 2:36 pm]
BILLING CODE 4410-06-P