240 IAC 5-2-10 - Security; confidentiality
Authority: IC 10-11-2-10; IC 10-13-2-9; IC 10-13-2-10
Affected: IC 10-13-2
Sec. 10.
(a)
"System", as used in the security and confidentiality rules, means IDACS,
NLETS, and/or NCIC terminals, equipment, and any and all data accessible from
or stored therein.
(b) Access,
meaning the ability to obtain information from the system, shall be permitted
only to criminal justice agencies in the discharge of their official mandated
responsibilities, and those agencies as required by state and/or federal
enabling authority. Release of Indiana bureau of motor vehicles data to
noncriminal justice agencies may occur when it is determined to be in the best
interest of law enforcement/criminal justice to do so. Agencies that shall be
permitted access to SYSTEM data include the following:
(1) Police forces and departments at all
governmental levels (including private college and railroad police departments
as authorized by Indiana Code) that are responsible for enforcement of general
criminal laws.
(2) Prosecutive
agencies and departments at all governmental levels.
(3) Courts at all governmental levels with a
criminal or equivalent jurisdiction.
(4) Correction departments at all
governmental levels, including corrective institutions and probation
departments.
(5) Parole commissions
and agencies at all governmental levels.
(6) Agencies at all governmental levels which
have as a principal function the collection and provision of fingerprint
identification information.
(7)
Regional or local governmental organizations established pursuant to statute
which collect and process criminal justice information and whose policy and
governing boards have, as a minimum, a majority composition of members
representing criminal justice agencies.
(c) Approved noncriminal justice agencies may
have access to SYSTEM data on a limited basis. "Limited basis" means restricted
to only that data recommended through resolution by the IDACS committee and
approved by the state police superintendent.
(d) All computers, electronic switches, and
manual terminals (including mobile data terminals/printers) interfaced with the
SYSTEM computer for the exchange of SYSTEM data shall be under the management
control of criminal justice agencies. Similarly, satellite computers and manual
terminals accessing the SYSTEM shall be under the management control of a
criminal justice agency.
(e)
"Management control" means the authority to set and enforce:
(1) priorities;
(2) standards for the selection, supervision,
and termination of personnel; and
(3) policy governing the operations of
computers, circuits, and telecommunications terminals used to process SYSTEM
information insofar as the equipment is used to process, store, or transmit
SYSTEM information. Management control includes, but is not limited to, the
supervision of equipment, systems design, programming, and operating procedures
necessary for the development and implementation of the computerized SYSTEM.
Management control shall remain fully independent of noncriminal justice data
systems, and criminal justice systems shall receive priority service and be
primarily dedicated to the service of the criminal justice community.
(f) In those instances where
criminal justice agencies are utilizing equipment and personnel of a
noncriminal justice agency for SYSTEM purposes, they shall have complete
management control of the hardware and the people who use and operate the
system.
(g) The criminal justice
agency shall exercise management control with regard to the operation of the
equipment by:
(1) having a written agreement
with the noncriminal justice agency operating the data center providing the
criminal justice agency authority to select and supervise personnel;
(2) having the authority to set and enforce
policy concerning computer operations; and
(3) having budgetary control with regard to
personnel and equipment in the criminal justice agency.
(h) Procedures for the use of system-derived
criminal history data shall be as follows:
(1)
Criminal history data on an individual from the national computerized file
shall be made available outside the federal government to criminal justice
agencies for criminal justice purposes. This precludes the dissemination of
such data for use in connection with licensing (except when a federal, state,
or local law/ordinance exists making the criminal justice agency responsible
for the processing or issuing of the licenses/permits) applications, or local
or state employment, other than with a criminal justice agency, or for other
uses unless such dissemination is pursuant to state and federal statutes or
state and federal executive order. There are no exceptions.
(2) Researchers using the data shall
acknowledge a fundamental commitment to respect individual privacy interests by
removing the identification of subjects as fully as possible from the data.
Proposed programs shall be reviewed by the IDACS committee to assure their
propriety and to determine that proper security is being provided. All
noncriminal justice agency requests involving the identities of individuals in
conjunction with their national criminal history records shall be approved by
the NCIC advisory policy board through the IDACS committee. The NCIC or the
IDACS committee shall retain rights to monitor any research project approved
and to terminate same if violation of the above principles is detected.
Research data shall be provided off line only.
(3) Upon verification that any agency has
received criminal history information and has disclosed that information to an
unauthorized source, immediate action shall be taken by the IDACS committee.
Unauthorized use of criminal history information shall result in imposed
sanctions as authorized by this article.
(4) Agencies are instructed that their rights
to direct access to NCIC information encompass only requests reasonably
connected with their criminal justice responsibilities.
(5) The IDACS committee shall make checks as
necessary concerning inquiries made of the SYSTEM to detect possible
misuse.
(i) The person's
right to see and challenge the contents of his records shall form an integral
part of the SYSTEM with reasonable administrative procedures. If an individual
has a criminal record supported by fingerprints and that record has been
entered in the NCIC III file, or the state central repository, it shall be
available to that individual for review, upon presentation of appropriate
identification, and in accordance with applicable state and federal
administrative and statutory regulations. Such requests shall be made by the
person contacting the FBI or state central repository directly, and not through
the SYSTEM.
(j) The following
security measures are the minimum to be adopted by all agencies having access
to the SYSTEM data and are designed to prevent unauthorized access to the
SYSTEM data and/or unauthorized use of that data:
(1) Security measures for computer centers as
follows:
(A) All computer sites accessing
SYSTEM data shall have the security to protect against any unauthorized access
to any of the stored data and/or the computer equipment including the
following:
(i) All doors having access to the
central processing unit (CPU) room shall be locked at all times.
(ii) A visitor's log shall be maintained of
all persons entering the CPU area except those assigned to the area on a
permanent basis. The visitor's name, date, time in, time out, agency
represented, and reason for visit.
(B) Since personnel at these computer centers
have access to data stored in the SYSTEM, they shall be screened thoroughly
under the authority and supervision of the IDACS committee or their designated
representative. This screening shall also apply to noncriminal justice
maintenance or technical personnel. The screening process shall consist of a
character investigation, including fingerprints, for the purpose of
establishing suitability for the position. Investigations shall consist of the
gathering of information as to the applicant's honesty, integrity, and general
reputation. Personal characteristics or habits, such as lack of judgment, lack
of physical or mental vigor, inability to cooperate with others, intemperance,
or other characteristics which would tend to cause the applicant to be
unsuitable for this type of position, shall be considered sufficient grounds
for rejection. Also, convincing information in an applicant's past history
involving moral turpitude, disrespect for law, or unethical dealings shall be
considered sufficient grounds for rejection. If any of the above facts are
presented to the IDACS committee, a recommendation shall be made and presented
to the state police superintendent for a final approval or disapproval
decision.
(C) All visitors to these
computer centers shall be accompanied by a permanent full-time employee of the
data center.
(D) Computers having
access to the SYSTEM shall have the proper computer instructions written and
other built-in controls to prevent SYSTEM data from being accessible to any
terminals other than authorized terminals. These instructions and controls
shall be made available to the IDACS committee for inspection upon
request.
(E) Computers and/or
terminals (including mobile data terminals) having access to SYSTEM data shall
maintain an audit of all transactions. This audit trail shall be maintained
either manually by each agency or automated by the computer center. This
transaction audit shall be monitored and reviewed on a regular basis to detect
any possible misuse of SYSTEM data. This audit shall be made available to IDACS
for inspection upon request.
(2) Security measures for communications as
follows:
(A) Lines/channels being used to
transmit SYSTEM information shall be dedicated solely to SYSTEM use, i.e.,
there shall be no terminals belonging to agencies outside the criminal justice
system sharing these lines/channels except by prior IDACS committee
approval.
(B) Security of the
lines/channels shall be established to protect against clandestine devices
being utilized to intercept or inject SYSTEM traffic.
(C) Audio response terminals, radio devices,
and mobile data terminals, whether digital (teleprinters) or voice, shall not
be used for the transmission of criminal history data beyond that information
necessary to effect an immediate identification or to ensure adequate safety
for officers and the general public. Transmission shall be made to police
officers upon his or her request.
(3) Security measures for terminal devices
having access to the SYSTEM as follows:
(A)
All agencies and computer centers having terminals on the SYSTEM and/or having
access to SYSTEM data shall physically place these terminals in a secure
location previously approved by the IDACS committee within the authorized
agency. Subsequent physical location changes of terminals shall have prior
approval of the IDACS committee.
(B) The agencies having terminals with access
to SYSTEM data shall have terminal operators screened as in subdivision (1)(B)
and restrict access to the terminal to a minimum number of authorized
employees.
(C) Copies of SYSTEM
data obtained from terminal devices shall be afforded security to prevent any
unauthorized access to or use of that data. Copies of SYSTEM data which are no
longer relevant shall be destroyed.
(D) Mobile teleprinters having access to
SYSTEM data shall afford security to that data in the same manner as a fixed
terminal. Any positive "wanted response" shall be duplicated at the agencies
station terminal for proper interpretation and confirmation to occur. SYSTEM
data shall not be transmitted to the device when it is unattended.
Notes
State regulations are updated quarterly; we currently have two versions available. Below is a comparison between our most recent version and the prior quarterly release. More comparison features will be added as we have more versions to compare.
No prior version found.