Chapter 13 Criminal Intelligence Systems

Regulation 28 CFR Part 23, Criminal Intelligence Systems Operating Policies, ensures that all criminal intelligence systems operating with support from the Edward Byrne Memorial State and Local Law Enforcement Assistance Discretionary and Formula Grant Programs are utilized in conformance with the constitutional and privacy rights of individuals.

Certain criminal activities including but not limited to loan sharking, drug trafficking, trafficking in stolen property, gambling, extortion, smuggling, bribery, and corruption of public officials often involve some degree of regular coordination and permanent organization involving a large number of participants over a broad geographical area. The exposure of such ongoing networks of criminal activity can be aided by pooling information about such activities. However, the collection and exchange of intelligence data necessary to support control of serious criminal activity may represent potential threats to the privacy of individuals to whom such data relates. Therefore, policy guidelines for Federally funded projects are required.

13.1 Definitions

The following definitions are pertinent to this requirement.

13.1a Criminal Intelligence System

"Criminal Intelligence System" or "Intelligence System" means the arrangements, equipment, facilities, and procedures used for the receipt, storage, interagency exchange, dissemination, and analysis of criminal intelligence information. Any information system that receives, stores, and disseminates information on individuals or organizations based on their involvement in criminal activity is a criminal intelligence system. The definition includes both systems that store detailed information on the criminal activities of subjects and systems that store only information designed to identify individuals or organizations that are the subject of an inquiry or analysis (i.e., a pointer system).
28 CFR Part 23 does not apply to the exchange or sharing of information, whether described as a case management or intelligence system, when it takes place within a single law enforcement agency or organizational entity. However, if, as a matter of policy or practice, a single agency or entity system provides access to information maintained in that system to outside agencies on an inquiry or request basis, the system would qualify as a criminal intelligence system and be subject to the regulation.

Information gathered for and in support of a specific investigation, that is maintained in case files, and that is not received and stored centrally or exchanged is considered case information and is not governed by 28 CFR Part 23. Likewise, historical telephone toll files, analytical information, and work products that are neither received and stored centrally nor exchanged are excluded from the regulation.

13.1b Analytical Information and Work Products

"Analytical information and work products" refers to working files for investigations where the bulk data and analytical results are returned to the submitter upon completion and are not otherwise retained, stored, or disseminated.

13.1c Interjurisdictional Intelligence System

"Interjurisdictional Intelligence System" means an intelligence system that involves two or more participating agencies representing different governmental units or jurisdictions.

13.1d Criminal Intelligence Information

"Criminal Intelligence Information" means data that has been evaluated to determine that: (1) it is relevant to the identification of and the criminal activity engaged in by an individual who, or organization that, is reasonably suspected of involvement in criminal activity, and (2) it meets criminal intelligence system submission criteria.

Criminal intelligence information is factual or conjectural (i.e., in the case of reasonable suspicion); current; and subjective.
It is intended for law enforcement use only, to provide law enforcement officers and agencies with useful information on criminal suspects and to foster interagency coordination and cooperation. Because criminal intelligence information is both conjectural and subjective in nature, may be widely disseminated through the interagency exchange of information, and cannot be accessed by criminal suspects to verify that the information is accurate and complete, the protections and limitations set forth in Regulation 28 CFR Part 23 are necessary to protect the privacy interests of the subjects and potential subjects of a criminal intelligence system.

13.1e Participating Agency

"Participating Agency" means an agency of Federal, State, local, county, or other governmental unit that exercises law enforcement or criminal investigation authority and that is authorized to submit and receive criminal intelligence information through an interjurisdictional intelligence system. A participating agency may be a member or a nonmember of an interjurisdictional intelligence system.

13.1f Intelligence Project

"Intelligence Project" refers to an organizational unit that operates an intelligence system on behalf of and for the benefit of, a single agency or an organization that operates an interjurisdictional intelligence system on behalf of a group of participating agencies.

13.1g Validation of Information

"Validation of Information" means the procedures governing the periodic review of criminal intelligence information to ensure its continuing compliance with system submission criteria established by regulation or program policy.
13.2 Operating Principles

This section sets forth the major tenets of the criminal intelligence regulation, 28 CFR Part 23:
Criminal Predicate for Information Gathering;
Adherence to Law During Information Gathering;
"Need to Know" Predicate for Information Dissemination;
System Protection Against Unauthorized Access;
Periodic Review of Information and Purging of Files.

13.2a Criminal Predicate for Information Gathering

The collection and maintenance of intelligence information must meet the following conditions:

An Intelligence Project collects and maintains criminal intelligence information concerning an individual only if there is reasonable suspicion or criminal predicate that the individual is involved in criminal conduct or activity and only if the information is relevant to that criminal conduct or activity.

"Reasonable Suspicion" or "Criminal Predicate" is established when information exists that establishes sufficient facts to give a trained law enforcement or criminal investigative agency officer, investigator, or employee a basis to believe there is a reasonable possibility that an individual or organization is involved in a definable criminal activity or enterprise.

In an interjurisdictional intelligence system, the project is responsible for establishing the existence of reasonable suspicion of or criminal predicate for criminal activity either through examination of supporting information submitted by a participating agency or by delegation of this responsibility to a properly trained participating agency that is subject to routine inspection and audit procedures established by the project.
An Intelligence Project collects or maintains no criminal intelligence information about the political, religious, or social views; associations; or activities of any individual, group, association, corporation, business, partnership, or other party - unless such information directly relates to criminal conduct or activity and there is reasonable suspicion that the subject of the information is or may be involved in criminal conduct or activity.

13.2b Adherence to Law During Information Gathering

An Intelligence Project includes no criminal intelligence system information that has been obtained in violation of any applicable Federal, State, or local law or ordinance. In an interjurisdictional intelligence system, the project is responsible for ensuring that no information is entered in violation of Federal, State, or local laws. This responsibility is met either through examination of supporting information submitted by a participating agency or by delegation of this responsibility to a properly trained participating agency that is subject to routine inspection and audit procedures established by the project.

13.2c "Need to Know" Predicate for Information Dissemination

An Intelligence Project or authorized recipient disseminates criminal intelligence information only when the party receiving the information both needs to know and has a right to know the information in the performance of a law enforcement activity.

Except as noted immediately following, a project disseminates criminal intelligence information only to law enforcement authorities who agree to follow procedures regarding information receipt, maintenance, security, and dissemination that are consistent with these principles. However, this general limitation does not limit the dissemination of an assessment of criminal intelligence information to a government official or to any other individual when necessary to avoid imminent danger to life or property.
The project establishes and disseminates to other agencies written definitions of the need to know and right to know standards for dissemination of criminal intelligence information. The project establishes the existence of an inquirer's need to know and right to know the information being requested, either through direct inquiry or through delegation of this responsibility to a properly trained participating agency that is subject to routine inspection and audit procedures established by the project.

13.2d System Protection Against Unauthorized Access

An Intelligence Project maintaining criminal intelligence information ensures that administrative, technical, and physical safeguards (e.g., audit trails) are adopted to prevent unauthorized access and intentional or unintentional damage. A record indicating who has been given information, the reason for release of the information, and the date of each dissemination outside the project shall be kept. Information is labeled to indicate levels of sensitivity, levels of confidence, and the identity of submitting agencies and control officials.

Each intelligence project ensures that the following security requirements are implemented:
When appropriate, projects adopt effective and technologically advanced computer software and hardware designs to prevent unauthorized access to the information contained in the system.
The project restricts access to its facilities, operating environment, and documentation to organizations and personnel authorized by the project.
The project stores information in the system in a manner that ensures the data cannot be modified, destroyed, accessed, or purged without authorization.
The project institutes procedures to protect criminal intelligence information from unauthorized access, theft, sabotage, fire, flood, or other natural or manmade disaster.
The project promulgates rules and regulations based on good cause for implementing its authority to screen, reject for employment, transfer, or remove personnel authorized to have direct access to the system.
A project authorizes remote (off-premises) system databases only to the extent that they comply with these security requirements.

13.2e Periodic Review of Information and Purging of Files

An Intelligence Project adopts procedures to ensure that all information retained by a project has relevancy and importance. Such procedures provide for the periodic review of information and for the correction or destruction of any information that is misleading, obsolete, or otherwise unreliable. The procedures also require that any recipient agencies be advised of any changes involving information destruction or correction.

All information retained without modification as a result of this periodic review reflects the name of the reviewer, the date of the review, and an explanation of the decision to retain. Information retained in the system is reviewed and validated for continuing compliance with system submission criteria before the expiration of its retention period, which in no event will exceed 5 years.

13.3 State Administrative Agency Responsibilities

If formula grant funds are subawarded to support the operation of an intelligence system, the SAA administering the Byrne Formula Grant Program is required to ensure that intelligence system projects comply with 28 CFR Part 23 by implementing the following procedures:
Ensuring proper access.
Obtaining assurances from projects funded.
Ensuring projects assume responsibility for adherence to the regulation.
Providing BJA with a list of projects funded.
Implementing special monitoring of intelligence projects.
13.3a Ensuring Proper Access

Three major components are involved in the SAA ensuring proper access to a Criminal Intelligence System, as follows:
No project will make direct remote terminal access to intelligence information available to system participants, except as specifically approved by the SAA based on a determination that the system has adequate policies and procedures in place to ensure that it is accessible only by authorized systems users.
A project will undertake no major modifications to the intelligence system design without prior approval of the SAA.
A project will notify the SAA prior to initiation of formal information exchange procedures with any Federal, State, regional, or other information systems not indicated in the grant documents as approved at time of award.

13.3b Obtaining Assurances From Projects Funded

The SAA must require submission of the following written assurances from the intelligence system project with the application for formula grant funding:
There will be no purchase or use during the course of the project of any electronic, mechanical, or other device for surveillance purposes that is in violation of the provisions of the Electronic Communications Privacy Act of 1986, Public Law 99-508, 18 U.S.C. 2510-2520, 2701-2709 and 3121-3125, or any applicable State statute related to wiretapping and surveillance.
There will be no harassment or interference with any lawful political activities as part of the intelligence operation.
The project will adopt sanctions for unauthorized access, utilization, or disclosure of information contained in the system. Any person violating the provisions of this section, or of any rule, regulation, or order issued thereunder, shall be fined an amount not to exceed $10,000, in addition to any other penalty imposed by law.
Each participating agency of an interjurisdictional intelligence system will maintain in its agency files information that documents the correctness of each submission to the system and supports compliance with project entry criteria. Participating agency files supporting system submissions must be made available for reasonable audit and inspection by project representatives. Project representatives will conduct participating agency inspection and audit in a manner that protects the confidentiality and sensitivity of participating agency intelligence records.
The proposed collection and exchange of criminal intelligence information has been coordinated with, and will support, ongoing or proposed investigatory or prosecutorial activities relating to specific areas of criminal activity.
The areas of criminal activity, for which intelligence information is to be utilized, represent a significant and recognized threat to the population and 1) either are undertaken for the purpose of seeking illegal power or profits or pose a threat to the life and property of citizens; and 2) involve a significant degree of permanent criminal organization; or 3) are not limited to one jurisdiction.
The principles set forth in 28 CFR 23.20 will be made part of the by-laws or operating procedures for that system. Each participating agency, as a condition of participation, must accept in writing those principles that govern the submission, maintenance, and dissemination of information included as part of the interjurisdictional system.
Intelligence information will be collected, maintained, and disseminated primarily for State and local law enforcement efforts, including efforts involving Federal participation.
13.3c Ensuring Projects Assume Responsibility for Adherence to the Regulation

The head of a government agency or an individual with general policymaking authority who has been expressly delegated such control and supervision by the head of the agency will retain control and supervision of information collection and dissemination for the criminal intelligence system. This official will certify in writing that he or she takes full responsibility and will be accountable for the information maintained by and disseminated from the system and that the operation of the system will be in compliance with the principles set forth in 28 CFR 23.20.

Where the system is an interjurisdictional criminal intelligence system, the governmental agency that exercises control and supervision over the operation of the system will require that the head of that agency or an individual with general policymaking authority who has been expressly delegated such control and supervision by the head of the agency:
Assume official responsibility and accountability for actions taken in the name of the joint entity.
Certify in writing that the official takes full responsibility and will be accountable for ensuring that the information transmitted to the interjurisdictional system or to participating agencies will be in compliance with the principles set forth in 28 CFR 23.20.

13.3d Providing BJA With a List of Projects Funded

The SAA is required, as part of its application for formula grant funds or as soon thereafter as such projects are identified for funding, to provide BJA with a list of funded intelligence systems subgrantee projects. The SAA should also make an assurance that it will ensure compliance of these systems with 28 CFR Part 23.

13.3e Implementing Special Monitoring of Intelligence Projects

The SAA is required to monitor all funded intelligence systems for compliance with 28 CFR Part 23. A sample checklist for use in monitoring intelligence systems is found in Appendix G.
The SAA must include a plan designed to ensure compliance with operating principles set forth in 28 CFR Part 23 in its application for formula grant funds. The plan must be approved by BJA prior to award of funds.