[Federal Register Volume 73, Number 148 (Thursday, July 31, 2008)]
[Proposed Rules]
[Pages 44673-44677]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-17519]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF JUSTICE

Office of Justice Programs

28 CFR Part 23

[Docket No. OJP 1473]
RIN 1121-AA59


Criminal Intelligence Systems Operating Policies

AGENCY: Office of Justice Programs, Justice.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Office of Justice Programs is publishing this proposed 
rule to amend its regulations that govern the operating policies of 
criminal intelligence systems that receive federal funding under the 
Omnibus Crime Control and Safe Streets Act of 1968, as amended (``Crime 
Control Act''). The regulations were issued pursuant to 42 U.S.C. 
3789(g), which requires that ``criminal intelligence systems'' 
receiving Crime Control Act support must collect, maintain, and 
disseminate criminal intelligence information ``in conformance with 
policy standards which are prescribed by the Office of Justice 
Programs.'' The statute specifies that the policy standards must be 
written to assure that the funding and operation of the systems further 
the purpose of the funding provisions and assure that such systems 
``are not utilized in violation of the privacy and constitutional 
rights of individuals.'' The existing regulations were last revised in 
1993 and the purpose of the revisions proposed in this document is to 
clarify and update the regulations in light of the new, post-9/11 
information sharing environment and investigative policies aimed at 
preventing terrorism.

DATES: Written comments must be submitted on or before September 2, 
2008.

ADDRESSES: Comments may be mailed to Michael Dever, Bureau of Justice 
Assistance, 810 7th Street, NW., Washington, DC 20531. To ensure proper 
handling, please reference OJP Docket No. 1473 in your correspondence. 
You may submit comments electronically or view an electronic version of 
this proposed rule at http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Michael Dever, Bureau of Justice 
Assistance, 810 7th Street, NW., Washington, DC 20531. Telephone: (202) 
616-6500.

SUPPLEMENTARY INFORMATION:

Posting of Public Comments

    Please note that all comments received are considered part of the 
public record and made available for public inspection online at http://www.regulations.gov. Such information includes personal identifying 
information (such as name and address) voluntarily submitted by the 
commenter.
    If you wish to submit personal identifying information (such as 
your name, address, etc.) as part of your comment, but do not wish for 
it to be posted online, you must include the phrase ``PERSONAL 
IDENTIFYING INFORMATION'' in the first paragraph of your comment. You 
also must locate all the personal identifying information you do not 
wish to be posted online in the first paragraph of your comment and 
identify what information you would like redacted.
    If you wish to submit confidential business information as part of 
your comment but do not wish for it to be posted online, you must 
include the phrase ``CONFIDENTIAL BUSINESS INFORMATION'' in the first 
paragraph of your comment. You also must prominently identify 
confidential business information to be redacted within the comment. If 
a comment has so much confidential business information that it cannot 
be effectively redacted, all or part of that comment may not be posted 
on http://www.regulations.gov.
    Personal identifying information and confidential business 
information identified and located as set forth above will be placed in 
the agency's public docket file, but not posted online. If you wish to 
inspect the agency's public docket file in person by appointment, 
please see the FOR FURTHER INFORMATION CONTACT paragraph.

Discussion

    The proposed rule would revise the Office of Justice Program (OJP) 
regulations in 28 CFR part 23 that set forth policy guidelines for 
Crime Control Act-funded state criminal intelligence information 
systems. The part 23 regulations were issued pursuant to a requirement 
in 42 U.S.C. 3789(g) that ``criminal intelligence systems'' receiving 
Crime Control Act support must collect, maintain, and disseminate 
criminal intelligence information ``in conformance with policy 
standards which are prescribed by the Office of Justice Programs.'' The 
statute specifies that the policy standards must be written to assure 
that the funding and operation of the systems further the purpose of 
the funding provisions and assure that such systems ``are not utilized 
in violation of the privacy and constitutional rights of individuals.''
    The existing part 23 regulations were last revised in 1993 and the 
purpose of the revisions proposed in this notice is to clarify and 
update the regulations in light of the new, post-9/11 information-
sharing environment and investigative policies aimed at preventing 
terrorism. Multiple initiatives are being pursued at the federal, 
state, and local levels to promote and strengthen information sharing 
among responsible government agencies that can promote risk 
identification and protective action, including, for example, the 
creation of state, local, and regional fusion centers across the 
country and information sharing initiatives involving Joint Terrorism 
Task Forces. The intent of these proposed revisions to part 23 is to 
ensure that the standards for sharing criminal intelligence information 
subject to the regulation be uniform and clear and not create 
unreasonable impediments to information sharing, whether real or 
perceived, while at the same time continuing to ensure that the systems 
not be used in violation of the privacy and constitutional rights of 
individuals.

[[Page 44674]]

Section 23.1

    Section 23.1 contains a parenthetical list of statutory amendments 
to the Crime Control Act that is out of date. It is proposed that this 
section be revised to strike this parenthetical.

Section 23.2

    Section 23.2 describes the background for the part 23 criminal 
intelligence operating policies. It recognizes that certain criminal 
activities often involve some degree of regular coordination and 
permanent organization involving a large number of participants over a 
broad geographical area. The examples currently cited of such ongoing 
networks of criminal activities do not include a reference to terrorism 
or the material support of terrorism. To clarify that the detection, 
exposure, investigation, and prevention of terrorist activity and 
conduct is an important part of the role played by criminal 
intelligence systems, it is proposed that ``domestic and international 
terrorism, including the material support thereof,'' be added to the 
examples of criminal activities about which it is important to gather, 
maintain, and share criminal intelligence information.

Section 23.3

    It is proposed to remove the outdated parenthetical statutory 
references and to make some non-substantive grammatical/syntactical 
changes in this section.

Section 23.20

    Paragraph (a) of section 23.20 currently states the basic operating 
principle that a project shall collect and maintain criminal 
intelligence information concerning ``an individual'' only if there is 
reasonable suspicion that the individual is involved in criminal 
conduct or activity and the information is relevant to that conduct or 
activity. Because criminal conduct or activities can be engaged in by 
organizations as well as individuals, it is proposed that this section 
be amended to clarify that criminal intelligence information can be 
collected and maintained about organizations, as well as individuals. 
This clarification is consistent with section 23.3(b)(3)(i), which 
defines the term ``criminal intelligence information'' as meaning data 
that has been evaluated to determine that it ``is relevant to the 
identification of criminal activity engaged in by an individual who or 
organization which is reasonably suspected of involvement in criminal 
activity.'' (Emphasis added.) It should be noted that the inclusion of 
the term ``organization'' in section 23.20(a) does not affect the 
prohibition in section 23.20(b) of the ``[collection] or [maintenance 
of] criminal intelligence information about the political, religious or 
social views, associations, or activities of any individual or any 
group, association, corporation, business, partnership, or other 
organization. * * *''
    Paragraph (e) is proposed to be revised to define more clearly the 
circumstances under which criminal intelligence information subject to 
the regulations may be shared. The existing language provides that such 
information shall only be disseminated ``where there is a need to know 
and a right to know the information in the performance of a law 
enforcement activity.'' The terms ``need to know'' or ``right to know'' 
are not defined in the regulation. Instead, section 23.20(g) requires 
that ``[e]ach project must establish written definitions for the need 
to know and right to know standards for dissemination to other agencies 
as provided in paragraph (e) of this section.'' While some agencies may 
broadly interpret these terms to allow efficient sharing of criminal 
intelligence information with all authorized officials or entities, 
other agencies may construe this language more restrictively. There is 
no uniform definition of the information sharing standard. In addition, 
there is no reference in this provision to disseminating criminal 
intelligence information for preventative law enforcement, homeland 
security, or counterterrorism purposes. The terrorist attacks of 
September 11, 2001, have made it clear that the sharing of intelligence 
information should be maximized, to the extent consistent with 
applicable law and protection for privacy and civil liberties, among 
federal, state, and local agencies responsible for law enforcement, 
preventing terrorism, and securing our homeland. Reducing real or 
perceived barriers to the sharing of investigative and intelligence 
information that could aid in law enforcement or in the prevention of 
crime or terrorism is now a well-recognized priority of federal, state, 
and local agencies. Therefore, to provide clearer guidance on the 
circumstances under which criminal intelligence information may be 
shared, a revision to paragraph (e) is proposed that would establish a 
uniform standard of permissible purposes for the dissemination of 
criminal intelligence information, authorizing dissemination when the 
information falls within the law enforcement, counterterrorism, or 
national security responsibility of the receiving agency or may assist 
in preventing crime or the use of violence or any conduct dangerous to 
human life or property. The proposed revision also would clarify the 
authorities to whom information may be disseminated, including agencies 
with law enforcement, homeland security, or counterterrorism missions. 
The proposed revision also would provide that criminal intelligence 
information may be disseminated to officials of the Office of Justice 
Programs when such officials are monitoring or auditing compliance by a 
project with the operating principles and funding guidelines under Part 
23.
    Paragraph (f)(1) currently limits dissemination of criminal 
intelligence information only to ``law enforcement authorities'' that 
``agree to follow procedures regarding information receipt, 
maintenance, security, and dissemination which are consistent with'' 
part 23 principles. Consistent with the change in the dissemination 
rule in section 23.20(e), this section is proposed to be amended to 
clarify that the authorities to which information may be disseminated 
would include agencies qualified to receive the information under 
paragraph (e). In addition, it is proposed that paragraph (f)(1) be 
further amended to provide that the receiving agencies have information 
procedures in place that are consistent with part 23's operating 
principles, rather than that they ``agree to follow'' such procedures. 
This retains the requirement that receiving agencies implement part 23 
principles, while removing the potential barrier to information sharing 
that requiring an ``agreement'' for each sharing arrangement might 
entail. It is important to note that a new proposed provision--section 
23.30, paragraph (f)--will require projects to have in place, or 
establish within timeframes specified by OJP's Bureau of Justice 
Assistance (BJA), a written privacy policy specifying the operational 
steps being followed to comply with section 23.20 principles.
    Paragraph (f)(2) creates an exception to the requirement in 
paragraph (f)(1) allowing the dissemination of ``an assessment of 
criminal intelligence information to a government official or any other 
individual, when necessary to avoid imminent danger to life or 
property.'' The term ``imminent'' is not defined. Because the provision 
already requires a determination that the sharing of the information 
assessment is ``necessary'' to avoid danger to life or property, it is 
proposed that the term ``imminent'' be deleted.
    Changes are proposed to paragraph (g) to conform to the proposed 
change in paragraph (e) that substitutes a national standard of 
dissemination for the

[[Page 44675]]

existing, locally-defined ``need to know and right to know'' 
dissemination standard. The proposed changes do not substantively alter 
the longstanding requirement that criminal intelligence systems record 
certain information regarding the dissemination of criminal 
intelligence information. Taking this into account, OJP has determined 
that there is no need for a new Information Collection Review or burden 
calculation for this recordkeeping requirement in this notice of 
proposed rulemaking.
    Paragraph (h) provides rules for projects to assure the continuing 
relevance and importance of criminal intelligence information and 
requires projects to have procedures for the periodic review of 
information and destruction of any information that is misleading, 
obsolete, or otherwise unreliable. The regulation limits the retention 
period to a maximum of five years without a review and validation of 
the information. When information has been reviewed or updated and a 
determination has been made that it continues to meet system submission 
criteria, the information has been ``validated'' and a new retention 
period begins. The five-year retention period was established before 
the events of 9/11 and the advent of the current terrorist threat 
environment. This relatively-short retention period may not be long 
enough to cover terrorist planning cycles and/or the need for 
historical data for terrorism threat assessment. New technologies for 
data storage and analysis make possible the extended retention and 
potential usefulness of this information for purposes of such threat 
assessments. In addition, information about subjects of criminal 
intelligence incarcerated during the five-year retention period may be 
unavailable to a jurisdiction upon the subject's release from prison. 
For these reasons, it is proposed that the retention period be changed 
to 10 years and that an exception be made to allow the tolling of the 
retention period during a subject's incarceration so that the 
intelligence file can be available to law enforcement upon the 
subject's release from prison.
    Finally, paragraph (i)(1) currently prohibits making remote 
terminal access to intelligence information available to system 
participants except as specifically approved by OJP upon a 
determination that the system has adequate policies and procedures in 
place to insure that such access is available only to authorized users. 
System managers have informed the Department that this provision's 
requirement of pre-approval by OJP is outdated, given the modern access 
controls that routinely provide appropriate security for remote access 
arrangements. It is therefore proposed that this provision be revised 
to remove the requirement that OJP approve a system's security policy 
and procedures before remote-access may be implemented. Although this 
would remove the requirement of OJP approval, OJP expects to continue 
to provide projects with training and technical assistance regarding 
information privacy and security practices and polices, including those 
prescribed through the Department of Justice's Global Justice 
Information Sharing Initiative or successor entity.
    Finally, a few non-substantive grammatical/syntactical changes are 
proposed variously throughout the section.

Section 23.30

    Section 23.30 specifies funding guidelines that require, among 
other things, that intelligence systems agree to adhere to the 
principles set forth in section 23.20, have an agency head or official 
with general policy-making authority certify in writing that he takes 
responsibility and will be accountable for the information in the 
system and the system's compliance with the section 23.20 principles. 
In the case of interjurisdictional systems, section 23.30(d)(2) 
requires (1) that section 23.20 principles be made part of the system's 
by-laws or operating policies and (2) that agencies participating in 
the interjurisdictional system, as a condition of participation, 
``accept in writing'' section 23.20 principles relating to the 
submission, maintenance, and dissemination of information. In light of 
advancements in technology since the rule was first published, it is 
proposed that the latter requirement be modified to provide that 
participating agencies, as a condition of ``access'' thereunder, 
``affirmatively accept'' those principles. This change is proposed to 
account for new technology that provides methods other than writing for 
an individual to express acceptance of conditions of access, such as 
when computer users click on an ``accept'' button for an end-user's 
licensing agreement. Also, changing the affirmative acceptance 
requirement as a condition of ``access'' (as opposed to a condition of 
``participation'') means that the user will be required to express his 
acceptance of section 23.20 principles each time access is sought, and 
not merely just once at the outset of an agency's participation in the 
interjurisdictional system.
    It is also proposed that a reference to counterterrorism be added 
in paragraph (a) regarding the purposes for which criminal intelligence 
information may be collected and exchanged.
    In addition (aside from some non-substantive grammatical/
syntactical proposed changes), it is proposed that another requirement 
be added to section 23.30, in a new paragraph (f), requiring systems to 
have in place, or establish within timeframes specified in grant-making 
or other guidance by BJA, a written privacy policy that details the 
specific operational steps being followed to comply the section 23.20 
privacy and civil liberty safeguards. It is expected that such a 
requirement would be imposed within BJA-specified timeframes that allow 
projects adequate time and support to develop such written policies. It 
is also contemplated that such written policies would be consistent 
with existing privacy guidance for justice information systems, 
including the Global Justice Information Sharing Initiative's privacy 
recommendations, DOJ privacy guidance, and other relevant privacy 
guidelines such as the privacy guidance for the information sharing 
environment.

Regulatory Flexibility Act

    The Attorney General, in accordance with the Regulatory Flexibility 
Act (5 U.S.C. 605(b)), has reviewed this proposed rule and by approving 
it certifies that it would not have a significant economic impact on a 
substantial number of small entities for the following reasons: The 
proposed clarifying changes in the regulations governing operating 
policies for federally-funded criminal intelligence systems do not 
involve changes that would impose significant costs on the state and 
local projects that manage these systems.

Executive Order 12866

    This proposed rule has been drafted and reviewed in accordance with 
Executive Order 12866, ``Regulatory Planning and Review,'' section 
1(b), Principles of Regulation. The Department of Justice has 
determined that this proposed rule is a ``significant regulatory 
action'' under Executive Order 12866, section 3(f), and accordingly it 
has been reviewed by the Office of Management and Budget.

Executive Order 13132

    This proposed rule would not have substantial direct effects on the 
States, on the relationship between the national government and the 
States, or on the distribution of power and responsibilities among the 
various levels of government. Therefore, in

[[Page 44676]]

accordance with Executive Order 13132, it is determined that this rule 
does not have sufficient federalism implications to warrant the 
preparation of a Federalism Assessment.

Executive Order 12988--Civil Justice Reform

    This proposed rule meets the applicable standards set forth in 
sections 3(a) and 3(b)(2) of Executive Order 12988.

Unfunded Mandates Reform Act of 1995

    This proposed rule would not result in the expenditure by State, 
local and tribal governments, in the aggregate, or by the private 
sector, of $100 million or more in any one year, and it would not 
significantly or uniquely affect small governments. Therefore, no 
actions were deemed necessary under the provisions of the Unfunded 
Mandates Reform Act of 1995.

Small Business Regulatory Enforcement Fairness Act of 1996

    This proposed rule is not a major rule as defined by section 251 of 
the Small Business Regulatory Enforcement Fairness Act of 1996. 5 
U.S.C. 804. This proposed rule would not result in an annual effect on 
the economy of $100 million or more; a major increase in costs or 
prices; or significant adverse effects on competition, employment, 
investment, productivity, or innovation, or on the ability of United 
States-based companies to compete with foreign-based companies in 
domestic and export markets.

List of Subjects in 28 CFR Part 23

    Crime, Information, Law enforcement, Recordkeeping.

    For the reasons stated in the preamble, the Office of Justice 
Programs proposes to amend 28 CFR Chapter I part 23 as follows:

PART 23--CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES

    1. The authority citation for part 23 continues to read as follows:

     Authority: 42 U.S.C. 3782(a); 42 U.S.C. 3789g(c).

    2. Section 23.1 is revised to read as follows:


Sec.  23.1  Purpose.

    The purpose of this regulation is to assure that all criminal 
intelligence systems operating through support under the Omnibus Crime 
Control and Safe Streets Act of 1968, Public Law 90-351, codified as 
amended at 42 U.S.C. 3711, et seq., (``Crime Control Act'') are 
utilized in conformance with the privacy and constitutional rights of 
individuals and organizations.


Sec.  23.2  [Amended]

    3. The first sentence of Section 23.2 is amended by removing 
``and'' after ``bribery,'' and adding ``and domestic and international 
terrorism (including the material support thereof)'' after ``corruption 
of public officials''.
    4. Section 23.3 is revised to read as follows:


Sec.  23.3  Applicability.

    (a) The provisions of this part are applicable to all criminal 
intelligence systems described in section 23.1.
    (b) As used in this part:
    (1) Criminal Intelligence System or Intelligence System means the 
arrangements, equipment, facilities, and procedures used for the 
receipt, storage, interagency exchange or dissemination, and analysis 
of criminal intelligence information;
    (2) Interjurisdictional Intelligence System means an intelligence 
system that involves two or more participating agencies representing 
different governmental units or jurisdictions;
    (3) Criminal Intelligence Information means data that have been 
evaluated to determine that it:
    (i) Is relevant to the identification of and the criminal activity 
engaged in by an individual who, or an organization that is reasonably 
suspected of involvement in criminal activity, and
    (ii) Meets criminal intelligence system submission criteria;
    (4) Participating Agency means an agency of local, county, State, 
Federal, or other governmental unit that exercises law enforcement or 
criminal investigation authority and that is authorized to submit and 
receive criminal intelligence information through an 
interjurisdictional intelligence system. A participating agency may be 
a member or a nonmember of an interjurisdictional intelligence system;
    (5) Intelligence Project or Project means either the organizational 
unit that operates an intelligence system on behalf of and for the 
benefit of a single agency, or the organization that operates an 
interjurisdictional intelligence system on behalf of a group of 
participating agencies; and
    (6) Validation of Information means the procedures governing the 
periodic review of criminal intelligence information to assure its 
continuing compliance with system submission criteria established by 
regulation or program policy.
    5. Section 23.20 is amended as follows:
    a. In paragraph (a), add ``or organization'' after ``individual'' 
both places it occurs.
    b. In paragraphs (c), (d), (h), and (n), remove ``which'' each 
place it occurs and add ``that'' in its place; in paragraph (n), remove 
``so'' from the last sentence.
    c. Remove reserved paragraph (ii) immediately preceding paragraph 
(j).
    d. Revise paragraphs (e), (f), and (g) introductory text, revise 
the last sentence of paragraph (h) and add a new sentence to follow it; 
and revise paragraph (i) to read as follows:


Sec.  23.20  Operating principles.

* * * * *
    (e)(1) Criminal intelligence information may be disseminated to law 
enforcement, homeland security, or counterterrorism agencies by a 
project or authorized recipient for any type of detective, 
investigative, preventive, or intelligence activity only when the 
information--
    (i) Falls within the law enforcement, counterterrorism, or national 
security responsibility of the receiving agency or
    (ii) May assist in preventing a crime or the use of violence or any 
conduct dangerous to human life or property.
    (2) Criminal intelligence information may also be disseminated to 
officials within the Office of Justice Programs when they are 
monitoring or auditing a project's compliance with the provisions of 
this part.
    (f)(1) Except as provided in paragraph (f)(2) of this section, a 
project shall disseminate criminal intelligence information only to 
agencies qualified to receive the information under paragraph (e) of 
this section and that have procedures regarding information receipt, 
maintenance, security, and dissemination that are consistent with the 
privacy and civil liberties safeguards included in these operating 
principles.
    (2) Paragraph (f)(1) of this section shall not limit dissemination 
of an assessment of criminal intelligence information to a government 
official or to any other individual, when reasonably necessary to avoid 
danger to life or property.
    (g) A project shall ensure the adoption of administrative, 
technical, and physical safeguards (including audit trails) to protect 
against unauthorized access and against intentional or unintentional 
damage. A record indicating to whom information has been disseminated 
outside the project, the reason for the dissemination, and the date of 
each such dissemination shall be kept. Information shall be labeled to 
indicate levels of sensitivity, levels of confidence, and the identity 
of submitting agencies and control

[[Page 44677]]

officials. Each intelligence project shall assure the implementation 
and regular review of appropriate security requirements and policies, 
including the following:
    * * *
    (h) * * * Criminal intelligence information retained in an 
intelligence system must be reviewed and validated for continuing 
compliance with system submission criteria before the expiration of the 
information's retention period, which in no event shall be longer than 
ten (10) years. The retention period relating to a subject shall be 
tolled while the subject is incarcerated.
    (i)(1) A project shall have in place security policies and 
procedures to ensure that remote access to intelligence information be 
available only to authorized system users; and
    (2) A project shall undertake no major modifications to system 
design without prior grantor agency approval.
* * * * *
    6. Section 23.30 is amended as follows:
    a. In paragraph (a), remove ``investigatory or'' and add 
``investigatory,'' in its place and after ``prosecutorial'' add ``, or 
counterterrorism''.
    b. In paragraph (b) introductory text, remove ``activity'' and add 
``activities'' in its place and remove ``areas of''.
    c. In paragraph (b)(1), remove ``of citizens''.
    d. Revise paragraphs (c) and (d) and add a new paragraph (f), to 
read as follows:


Sec.  23.30  Funding guidelines.

* * * * *
    (c) Control and supervision of information collection and 
dissemination by an intelligence system shall be retained by the head 
of a government agency or an individual with general policy making 
authority who has been expressly delegated such control by the agency 
head. This official shall certify in writing that he takes full 
responsibility for the system's compliance with this part.
    (d) (1) Official responsibility and accountability for actions 
taken by an inter-jurisdictional criminal intelligence system shall be 
assumed by the head of the governmental agency exercising control and 
supervision over the operation of the system or by an individual with 
general policy making authority who has been expressly delegated such 
control or supervision by the agency head. This official shall certify 
in writing that he takes full responsibility for the inter-
jurisdictional system's compliance with this part.
    (2) The principles set forth in Sec.  23.20 shall be made part of 
the by-laws or operating procedures for the inter-jurisdictional 
system. Each participating agency, as a condition of access, must 
affirmatively accept those principles that govern the collection, 
maintenance, and dissemination of information included as part of the 
interjurisdictional system.
* * * * *
    (f) The project has in place, or will establish within timeframes 
specified in grant-making or other guidance by BJA, a written privacy 
policy specifying the operational steps being followed to comply with 
Sec.  23.20 principles.

    Dated: July 16, 2008.
Jeffrey L. Sedgwick,
Acting Assistant Attorney General, Office of Justice Programs.
 [FR Doc. E8-17519 Filed 7-30-08; 8:45 am]
BILLING CODE 4410-18-P