Secret data (as defined in Rule
1. When not in use it shall be stored in
locking, fire-resistant vaults or safes. Computer programs and data files
should be backed-up on electronic media and secured in a location separate from
the building in which the computer system is located.
2. Areas where the information is processed
and handled shall be restricted to authorized personnel in the performance of
3. The information
shall be under the absolute control of criminal justice agencies with access
regulated by agency heads or their designees.
4. A log or other record shall be maintained
when information is removed from, or returned to the physically
secured storage defined above in paragraph (1)(a)1.
CHRI, as defined in Rule
1. Stored in a secure location when
not under the control of authorized criminal justice agency
2. Processed in areas
restricted to authorized personnel in the performance of official
3. Under the absolute
control of criminal justice agencies except as exempted by these
and Sensitive data, as defined in Rule
4., shall be used and stored in a controlled access area.
(2) Secret information, CHRI or restricted
information is a "Secret of State", which is required by State policy, the
interest of the community and the right of privacy of the citizens of this
State to be confidential. Such information shall not be divulged except as
permitted by Georgia law and these Rules. Criminal justice agencies must
destroy documents containing secret information, CHRI or restricted information
no longer required for operations in a manner precluding access to the
information by unauthorized persons.
(3) Criminal justice agencies shall
disseminate CHRI only to agencies or persons requiring such information to
perform duties serving the administration of criminal justice or as otherwise
provided by statute, executive order or these Rules. Under no circumstances
will CHRI be transmitted via the CJIS network to devices not authorized to
access such information, which may exist in the GCIC computerized
files, FBI Interstate Identification Index (III) or computerized files
maintained in other states.
Local agency heads shall provide the GCIC Director with written notification of
security policy violations for criminal justice information committed by
employees of their agencies or agencies over which they exercise management
(5) The Director shall
establish an information security structure that provides for an ISO. The
Director shall also ensure that each local agency having access to the CJIS
network designates a LASO.
Ga. Comp. R. & Regs. R. 140-2-.02
CFR 20.21, FBI CJIS Security
Original Rule entitled
"Data Security Requirements for Criminal Justice Information" adopted. F.
Feb. 25, 1976; eff.
Mar. 16, 1976.
New Rule of same title adopted. F. Jan. 7,
1983; eff. Feb. 1, 1983, as specified by the Agency.
New Rule of same title adopted. F. Sept. 6,
1984; eff. Oct. 8, 1984, as specified by the Agency.
New Rule entitled "Security Policy for Criminal Justice Information"
adopted. F. July 2, 1986; eff.
July 22, 1986.
New Rule of same title adopted. F. Nov. 7,
1990; eff. Nov. 27, 1990.
New Rule of same title adopted. F. Mar. 4,
1998; eff. Mar. 24, 1998.
F. Sept. 5, 2002; eff.
Sept. 25, 2002.
Repealed: New Rule of same title adopted. F.
Sept. 25, 2007, eff.
Oct. 15, 2007.