CRIMINAL JUSTICE INFORMATION SERVICES (CJIS) DIVISION AUDIT UNIT

CRIMINAL JUSTICE INFORMATION SERVICES (CJIS) DIVISION AUDIT UNIT National Identity Services (NIS) Audit Program Overview 1

NIS AUDIT The NIS Audit is designed to evaluate compliance with applicable laws, regulations, policies, rules, and procedures and ensure system integrity Authority and mandate to audit – – – – Title 28 CFR 907.3 Title 5 USC 552 a(e)(10) CJIS Security Policy Security and Management Control Outsourcing Standard 2

NIS AUDIT Audits – States Repositories (State Identification Bureau – SIB) State and local agencies – Federal agencies – Channelers – Federally regulated agencies Provide assistance to agencies Collaborate with and provide feedback to internal CJIS Division offices 3

NIS AUDIT Interstate Identification Index (III) Participation Requirements National Fingerprint File (NFF) Qualification Requirements Noncriminal Justice Use of Criminal History Record Information (CHRI) User Fee Billing Rap Back (Criminal and Noncriminal) Interstate Photo System (IPS) (Criminal) Repository for Individuals of Special Concern (RISC) 4

NATIONAL CHRI Authorized Use Reason Fingerprinted Field and Purpose Code Usage Dissemination Applicant Notification and Record Challenge III Access for Exigent Circumstances User Fee State Audit Program 5

NATIONAL CHRI CHRI – Criminal History Record Information – The Compact defines CHRI as information collected by criminal justice agencies on individuals consisting of identifiable descriptions and notations of arrests, detentions, indictments, or other formal criminal charges, and any dispositions arising therefrom, including acquittal, sentencing, correctional supervision, or release; but does not include identification information such as fingerprint records if such information does not indicate involvement of the individual with the criminal justice system. 6

NATIONAL CHRI CHRI – Criminal History Record Information – Can be in any format – Is the information and not just the “rap sheet” – Includes confirming the existence or nonexistence of CHRI – Does not include information obtained independently from other sources (such as the court, police department, applicant, etc.) 7

AUTHORIZED USE Authority – Public Law 92-544 – Other federal authorities Used only for purpose requested – Not re-used for subsequent, unrelated purposes – Cannot submit for anticipated need Positive ID – fingerprint based Name-based III inquiry restriction for noncriminal justice purposes Reference https://leo.cjis.gov/leoContent/lesig/ncppcc/private/docs/noncriminal.shtml 8

AUTHORIZED USE Federal Authorities (not all inclusive) – Public Law 92-544 – National Child Protection Act and Volunteers for Children Act (NCPA/VCA) – Adam Walsh Child Protection and Safety Act (AWA) – Serve America Act (SAA) – Real ID Act – Housing Opportunity Program Extension Act – Private Security Officer Employment Authorization Act – Nursing Facility/Home Health Care Agency Act – Violence Against Women Reauthorization Act – Affordable Care Act, Sections 6201 and 6401 – Commercial Motor Vehicle Safety Enhancement (CMVSE) Act – Indian Child Protection & Family Violence Prevention Act 9

PUBLIC LAW 92-544 Published at Title 34 USC § 41101 National criminal history record checks – Noncriminal justice employment and licensing as defined by state statute Requirements – Checks must be authorized by a state statute that has been approved by the FBI – Statutes that are modified after approval must be sent to the FBI for a new approval – CHRI may not be disseminated to a non-governmental entity – Article 4 of the Compact re-use restriction 10

NCPA/VCA Published at Title 34 USC § 40102 – Public Laws 103-209, 103-322, 105-251, & 115-141 National criminal history record checks – Providers associated with qualified entities that care for children, the elderly, or individuals with disabilities NCPA/VCA versus Public Law 92-544 11

NCPA/VCA Care includes: treatment, education, training, instruction, supervision, or recreation Provider (person) – Employed or volunteers with a qualified entity – Owns or operates a qualified entity – Has, seeks to have, or may have access to children, the elderly, or individuals with disabilities, served by a qualified entity Qualified entity (business or organization) – Public, private, profit, not for profit, voluntary – Provides care, care placement, licenses/certifies 12

NCPA/VCA Authorized agency (governmental) – Division or office of a state – Designated by state to receive requests from qualified entities and receive criminal history records – May be multiple authorized agencies Requirements – Provider completes signed statement Biographic info, prior convictions, privacy rights – Fingerprints submitted to FBI through SIB with reason “NCPA/VCA”, “NCPA”, “VCA” (“volunteer” as applicable) 13

NCPA/VCA Requirements (continued) – Authorized agency obtains disposition information and makes fitness determination – CHRI may not be disseminated to a non-governmental qualified entity Volunteer and Employee Criminal History System (VECHS) Program – Allows dissemination of CHRI to non-governmental, qualified entity – Allows for re-use between qualified entities 14

NCPA/VCA VECHS program requirements – User agreement between state and qualified entity – Provider signs a waiver authorizing dissemination to the private qualified entity – Waivers retained by state, authorized agency, or qualified entity 15

ADAM WALSH ACT Published at Title 34 USC § 20962 – Public Law 109-248 – Schools Safely Acquiring Faculty Excellence Act – Section 151 vs Section 153 National criminal history record checks – Prospective foster or adoptive parents – Positions in private or public schools working with or around children (includes volunteers and contractors) 16

ADAM WALSH ACT Requirements – Request from chief executive officer of state and FBI approval – Use of AWA originating agency identifier (ORI) coordinated through the CJIS Division – Fingerprints submitted to the FBI through SIB with reason “Adam Walsh Act” and “volunteer” as applicable – Specific screening criteria – Specific private entities are authorized to receive CHRI Private schools Private agencies contracting with child welfare government agencies 17

NURSING FACILITY / HOME HEALTH CARE AGENCY ACT Published at Title 34 USC § 41105 – Public Law 105-277 National criminal history record checks – Applicant for employment if position is involved in direct patient care Statutory definitions – Home health care agency On a visiting basis in a place of residence – Nursing facility 18

NURSING FACILITY / HOME HEALTH CARE AGENCY ACT Requirements – Fingerprints submitted to the FBI through SIB with ORI ending in “NFHHC9Z” – Applicant privacy notification (28 CFR 50.12) – Private facilities/agencies are authorized to receive CHRI 19

AFFORDABLE CARE ACT Requirements – Designation of a single state agency (Grantee State Agency - GSA) – Fingerprints submitted to FBI through SIB with reason “CMS NBCP 6201” or “6401 Medicaid” – Specific screening criteria – No prohibition from disseminating to private facilities GSA business model approval from SIB FBI review 20

REASON FINGERPRINTED (RFP) AND PURPOSE CODES (PC) RFP - accurate representation of the purpose and/or authority for which the CHRI is to be used PC - all name-based III inquiry and record request messages must include the correct purpose code for which the CHRI is to be used All users are required to provide the reason for all name-based and fingerprint-based III transactions upon request by the CJIS Division systems managers, administrators, and representatives 21

DISSEMINATION CHRI may be used solely for the purpose requested and cannot be disseminated outside the receiving departments, related agencies, or other authorized entities CHRI may be disseminated to the subject of the record – Not a requirement – May be limited/restricted by the state Reference https://leo.cjis.gov/leoContent/lesig/ncppcc/private/docs/noncriminal.shtml 22

DISSEMINATION Exceptions: – – – – Public hearings Outsourcing Security Addendum/Management Control Agreement Certain federal authorities including, but not limited to: Adam Walsh NCPA/VCA with VECHS 23

APPLICANT NOTIFICATION AND RECORD CHALLENGE Privacy Act Statement Provide written notification fingerprints sent to FBI Provide the opportunity to complete or challenge the accuracy of the information contained in the FBI identification record Advise all applicants that procedures for obtaining a change, correction, or updating of an FBI identification record are set forth in Title 28, C.F.R., § 16.34 Should not deny the license or employment based on information in the record until the applicant has been afforded a reasonable time to correct or complete the record, or has declined to do so 24

APPLICANT NOTIFICATION AND RECORD CHALLENGE On-line reference documents – 1 page outlining applicants’ rights – 1 page outlining agency notification requirements – Privacy Act Statement https:/www.fbi.gov/services/cjis/compact-council – Column on left side of page – Under “Privacy Protection” heading 25

USER FEE Full fee Reduced fee – Certain volunteers No fee – Criminal justice purposes, including criminal justice employment and site security – Contractors 26

AUDIT COMPONENTS Audit Types – On-Site (Primary) – Remote Audit Components – Pre-audit Research Internal information gathering External coordination and request for information Initial analysis 27

AUDIT COMPONENTS Audit Components (continued) – Assessment Administrative interview/questionnaire Reviews of case files/procedural documents Exit briefing – Post-audit Follow-up (internal and external) Report Sanctions https:/www.fbi.gov/services/cjis/compact-council/sanctions-process-information 28

POST AUDIT Reporting – Draft Results Letter – Audit Participant Response Corrective actions/action plan Address statewide action as well as individual agencies – Final Results Letter 29

POST AUDIT Sanctions – – – – – Applicable findings forwarded to Compact Council’s Sanctions Committee Initial Review Follow up with state as necessary State response reviewed at subsequent meeting Elevate to state leadership if necessary Close out audit 30

COMMON FINDINGS III and NFF participation Requirements - Criminal fingerprint backlogs CHRI file maintenance (consolidations and dispositions) Noncriminal justice use of CHRI - - No approved statutory authority or use outside the scope of an approved statutory authority Failure to provide applicants FBI Privacy Act statement Failure to provide all applicants on which a record is returned the opportunity to complete or challenge the records and the procedures for how to do so Unauthorized dissemination to non-governmental entities Unable to provide a reason to validate the purpose of the request 31

POLICY REFERENCES III and NFF Operational and Technical Manual Title 28, U.S.C., Section 534 Title 5, U.S.C., Section 552a (Privacy Act) Title 34, U.S.C., Section 40316 (National Crime Prevention and Privacy Compact) Title 28 C.F.R., Section 50.12(b) Title 28 C.F.R., Part 906 (Outsourcing) Security and Management Control Outsourcing Standard for NonChannelers CJIS Security Policy 32

QUESTIONS? Don’t hesitate to reach out to the FBI CJIS Audit Unit for any questions you may have. Unit Chief, CJIS Audit Unit: Michael D. McIntyre (304) 625 – 2988 [email protected] Supervisor, NIS Audit Program: Randall Wickline (304) 625 – 4876 [email protected] Trainer, NIS Audit Program: Timothy Neal [email protected] (304) 625 – 2637 33