28 CFR 20.21 - Preparation and submission of a Criminal History Record Information Plan.
A plan shall be submitted to OJARS by each State on March 16, 1976, to set forth all operational procedures, except those portions relating to dissemination and security. A supplemental plan covering these portions shall be submitted no later than 90 days after promulgation of these amended regulations. The plan shall set forth operational procedures to -
(a) Completeness and accuracy. Insure that criminal history record information is complete and accurate.
(1) Complete records should be maintained at a central State repository. To be complete, a record maintained at a central State repository which contains information that an individual has been arrested, and which is available for dissemination, must contain information of any dispositions occurring within the State within 90 days after the disposition has occurred. The above shall apply to all arrests occurring subsequent to the effective date of these regulations. Procedures shall be established for criminal justice agencies to query the central repository prior to dissemination of any criminal history record information unless it can be assured that the most up-to-date disposition data is being used. Inquiries of a central State repository shall be made prior to any dissemination except in those cases where time is of the essence and the repository is technically incapable of responding within the necessary time period.
(2) To be accurate means that no record containing criminal history record information shall contain erroneous information. To accomplish this end, criminal justice agencies shall institute a process of data collection, entry, storage, and systematic audit that will minimize the possibility of recording and storing inaccurate information and upon finding inaccurate information of a material nature, shall notify all criminal justice agencies known to have received such information.
(b) Limitations on dissemination. Insure that dissemination of nonconviction data has been limited, whether directly or through any intermediary only to:
(3) Individuals and agencies pursuant to a specific agreement with a criminal justice agency to provide services required for the administration of criminal justice pursuant to that agreement. The agreement shall specifically authorize access to data, limit the use of data to purposes for which given, insure the security and confidentiality of the data consistent with these regulations, and provide sanctions for violation thereof;
(4) Individuals and agencies for the express purpose of research, evaluative, or statistical activities pursuant to an agreement with a criminal justice agency. The agreement shall specifically authorize access to data, limit the use of data to research, evaluative, or statistical purposes, insure the confidentiality and security of the data consistent with these regulations and with section 524(a) of the Act and any regulations implementing section 524(a), and provide sanctions for the violation thereof. These dissemination limitations do not apply to conviction data.
(c) General policies on use and dissemination.
(1) Use of criminal history record information disseminated to noncriminal justice agencies shall be limited to the purpose for which it was given.
(3) Subsection (b) does not mandate dissemination of criminal history record information to any agency or individual. States and local governments will determine the purposes for which dissemination of criminal history record information is authorized by State law, executive order, local ordinance, court rule, decision or order.
(d) Juvenile records. Insure that dissemination of records concerning proceedings relating to the adjudication of a juvenile as delinquent or in need or supervision (or the equivalent) to noncriminal justice agencies is prohibited, unless a statute, court order, rule or court decision specifically authorizes dissemination of juvenile records, except to the same extent as criminal history records may be disseminated as provided in paragraph (b) (3) and (4) of this section.
(e) Audit. Insure that annual audits of a representative sample of State and local criminal justice agencies chosen on a random basis shall be conducted by the State to verify adherence to these regulations and that appropriate records shall be retained to facilitate such audits. Such records shall include, but are not limited to, the names of all persons or agencies to whom information is disseminated and the date upon which such information is disseminated. The reporting of a criminal justice transaction to a State, local or Federal repository is not a dissemination of information.
(f) Security. Wherever criminal history record information is collected, stored, or disseminated, each State shall insure that the following requirements are satisfied by security standards established by State legislation, or in the absence of such legislation, by regulations approved or issued by the Governor of the State.
(1) Where computerized data processing is employed, effective and technologically advanced software and hardware designs are instituted to prevent unauthorized access to such information.
(2) Access to criminal history record information system facilities, systems operating environments, data file contents whether while in use or when stored in a media library, and system documentation is restricted to authorized organizations and personnel.
(i) Computer operations, whether dedicated or shared, which support criminal justice information systems, operate in accordance with procedures developed or approved by the participating criminal justice agencies that assure that:
(a) Criminal history record information is stored by the computer in such manner that it cannot be modified, destroyed, accessed, changed, purged, or overlaid in any fashion by non-criminal justice terminals.
(b) Operation programs are used that will prohibit inquiry, record updates, or destruction of records, from any terminal other than criminal justice system terminals which are so designated.
(d) Operational programs are used to detect and store for the output of designated criminal justice agency employees all unauthorized attempts to penetrate any criminal history record information system, program or file.
(e) The programs specified in paragraphs (f)(3)(i) (b) and (d) of this section are known only to criminal justice agency employees responsible for criminal history record information system control or individuals and agencies pursuant to a specific agreement with the criminal justice agency to provide such programs and the program(s) are kept continuously under maximum security conditions.
(f) Procedures are instituted to assure that an individual or agency authorized direct access is responsible for (1) the physical security of criminal history record information under its control or in its custody and (2) the protection of such information from unauthorized access, disclosure or dissemination.
(g) Procedures are instituted to protect any central repository of criminal history record information from unauthorized access, theft, sabotage, fire, flood, wind, or other natural or manmade disasters.
(ii) A criminal justice agency shall have the right to audit, monitor and inspect procedures established above.
(4) The criminal justice agency will:
(ii) Have the right to initiate or cause to be initiated administrative action leading to the transfer or removal of personnel authorized to have direct access to such information where such personnel violate the provisions of these regulations or other security requirements established for the collection, storage, or dissemination of criminal history record information.
(a) The physical security of criminal history record information under its control or in its custody and
(b) The protection of such information from unauthorized access, disclosure, or dissemination.
(iv) Institute procedures, where computer processing is not utilized, to protect any central repository of criminal history record information from unauthorized access, theft, sabotage, fire, flood, wind, or other natural or manmade disasters.
(v) Provide that direct access to criminal history record information shall be available only to authorized officers or employees of a criminal justice agency and, as necessary, other authorized personnel essential to the proper operation of the criminal history record information system.
(5) Each employee working with or having access to criminal history record information shall be made familiar with the substance and intent of these regulations.
(g) Access and review. Insure the individual's right to access and review of criminal history information for purposes of accuracy and completeness by instituting procedures so that -
(1) Any individual shall, upon satisfactory verification of his identity, be entitled to review without undue burden to either the criminal justice agency or the individual, any criminal history record information maintained about the individual and obtain a copy thereof when necessary for the purpose of challenge or correction;
(2) Administrative review and necessary correction of any claim by the individual to whom the information relates that the information is inaccurate or incomplete is provided;
(3) The State shall establish and implement procedures for administrative appeal where a criminal justice agency refuses to correct challenged information to the satisfaction of the individual to whom the information relates;
(4) Upon request, an individual whose record has been corrected shall be given the names of all non-criminal justice agencies to whom the data has been given;
(5) The correcting agency shall notify all criminal justice recipients of corrected information; and
(6) The individual's right to access and review of criminal history record information shall not extend to data contained in intelligence, investigatory, or other related files and shall not be construed to include any other information than that defined by § 20.3(b).