28 CFR Part 23 for Rookies

Ensemble Group 28 CFR

The 15 Operating Principles of 28 CFR Part 23 Compliance

Before we begin, let us start by saying that to whoever is reading this, we would like to offer our personal thanks for the service you provide.  As a company, we are a resource for you and look forward to providing more information like this.  With that said, let’s jump right into all of the fun that is law enforcement data management.  There really is no standard when it comes to how agencies collect information and store it.  While there are no real guidelines around storing everyday investigation information, once an agency decides to collect multiple records in one repository, there are guidelines that must be followed.  This is the legislation formally known as 28 CFR part 23.

Throughout our time providing demonstrations for GangScope, we have repeatedly come across agencies that are collecting information digitally that is simply not compliant with federal standards.  Even worse, some agencies do not even know that requirements exist.  While they may have information that may lead to prosecution, it may not be compliant, and therefore may be inadmissible.  28 CFR part 23 is the template for how to run a system to store data that will always be compliant while observing privacy and constitutional rights.  This document is meant as a crash course in 28 CFR part 23.  If someone asked me to describe it in one sentence: this is the federally mandated guideline that your agency or task force will be asked to follow when implementing a criminal/gang intelligence data system.

The 28 CFR part 23 covers 5 major areas:

    1. Submission and Entry of Criminal Intelligence Information
    2. Security
    3. Inquiry
    4. Dissemination
    5. Review-and-Purge

We have reviewed the full official statute and have summarized it in the guidelines laid out below.  Most seem to be standard information-gathering principles, but some apply specifically to what you collect and track.

This is broken down into 15 operating principles:

    1. Only collect evidence when there is reasonable suspicion and you feel it may be relevant
    2. Do not collect information on political, religious, and social associations unless there are ties to criminal activities that make these relevant
    3. Reasonable Suspicion or Criminal Predicate is established when information is collected that creates sufficient facts for you to believe there is a reasonable possibility of criminal activity
    4. Do not include any information that has been obtained in violation of any laws
    5. Information is shared on a need-to-know and right-to-know basis
        1. Each intelligence system must set this up for future information dissemination
    6. Information can only be shared with individuals who agree to follow the procedures you have created that align with these operating principles, except when there is imminent danger to life or property
    7. Guidelines around unauthorized access and intentional/unintentional damage
        1. Creation of administrative, technical, and physical safeguards including audits
        2. Keeping records of:
            1. Who has been given information
            2. Reason for the release of the information
            3. Date of each dissemination
        3. Information is labeled to indicate:
            1. Levels of sensitivity
            2. Levels of confidence
            3. Submitting agency and control officials
        4. Wherever appropriate, leverage technology to mitigate unauthorized access to systems
        5. Access to facilities, servers, and operating system should be restricted to users
        6. The system should not allow for records access or any changes without authorization
        7. Procedures must be in place for natural and man-made disasters
        8. Promote rules that will help screen and manage authorized users to the system
        9. Remote databases may be used that comply with security requirements
    8. Guidelines around periodic review
        1. Get rid of any information that is misleading, obsolete, or unreliable
        2. All records must be reviewed and validated for continued compliance every 5 years
        3. Any recipient agencies will have to be advised of changes
        4. Reviews must record:
            1. Name of reviewer
            2. Date of review
            3. Explanation of decision to retain
    9. These next guidelines apply if you are funded by the Crime Control Act
        1. Only systems approved by the Office of Justice Programs can make remote terminal access into national intelligence systems based upon sufficient policy and procedure
        2. There shall be no major system modifications without Grantor approval
    10. For agencies receiving funds for a database, notification must be made to the Grantor before there can be any additional exchanges of that data
    11. There will be no purchase or use of any electronic, mechanical, or other devices that violate any federal electronic privacy statutes, or state-related wiretapping and surveillance laws
    12. There will be no harassment or interference with lawful political activities
    13. Sanctions shall be in place for access, utilization, and disclosure of information
    14. There must be files that document each submission to the system for audit and inspection purposes
    15. The Attorney General or designee may waive parts of this to enhance the intelligence system, as long as it does not violate any privacy or constitutional rights.

(This is an overview; the official version provides slightly more detail.)

While this may seem like a lot, most of this is automated with software that is 28 CFR compliant.  What this 28 CFR compliance means for you:

    • Automated tracking of all actions from a list of easily manageable authorized users
    • Automated tasks sent for supervisory approval, based on standards, to keep the information on people who are of interest judicially compliant
    • Assurance that information is securely stored, as the software promotes proper habits and process

If you are interested in learning more about compliance, and how to best manage your intelligence information, please feel free to contact us at GangScope, the most flexible software platform dedicated to 28 CFR part 23 compliance.

Kind Regards,

The GangScope Team
