28 CFR § 906.2 - Third party handling of criminal history record information.

(a) Except as prohibited in paragraph (b) of this section, criminal history record information obtained from the III System for noncriminal justice purposes may be made available:

(1) To a governmental agency pursuant to a contract or agreement under which the agency performs activities or functions for another governmental agency that is authorized to obtain criminal history record information by a federal statute, federal executive order or a state statute that has been approved by the United States Attorney General; and

(2) To a private contractor, or other nongovernmental entity or organization, pursuant to a contractual agreement under which the entity or organization performs activities or functions for a governmental agency authorized to obtain criminal history record information as identified in paragraph (a)(1) of this section or for a nongovernmental entity authorized to obtain such information by federal statute or executive order.

(b) Criminal history record information provided in response to fingerprint-based III System record requests initiated by authorized governmental agencies or nongovernmental entities for noncriminal justice purposes may be made available to contracting agencies or organizations manually or electronically for such authorized purposes. Such contractors, agencies, or organizations shall not be permitted to have direct access to the III System by computer terminal or other automated means which would enable them to initiate record requests, provided however, the foregoing restriction shall not apply with respect to: (1) Persons, agencies, or organizations that may enter into contracts with the FBI or State criminal history record repositories for the performance of authorized functions requiring direct access to criminal history record information; and (2) any direct access to records covered by 42 U.S.C. 14614(b).

(c) The contracts or agreements authorized by paragraphs (a)(1) and (a)(2) of this section shall specifically describe the purposes for which criminal history record information may be made available to the contractor and shall incorporate by reference a security and management control outsourcing standard approved by the Compact Council after consultation with the United States Attorney General. The security and management control outsourcing standard shall specifically authorize access to criminal history record information; limit the use of the information to the purposes for which it is provided; prohibit retention and/or dissemination of the information except as specifically authorized in the security and management control outsourcing standard; ensure the security and confidentiality of the information; provide for audits and sanctions; provide conditions for termination of the contractual agreement; and contain such other provisions as the Compact Council, after consultation with the United States Attorney General, may require.

(d) The exchange of criminal history record information with an authorized governmental or nongovernmental entity or contractor pursuant to this part is subject to cancellation for use, retention or dissemination of the information in violation of federal statute, regulation or executive order, or rule, procedure or standard established by the Compact Council in consultation with the United States Attorney General.