e-CFR banner

Home
gpo.gov
govinfo.gov

e-CFR Navigation Aids

Browse

Simple Search

Advanced Search

 — Boolean

 — Proximity

 

Search History

Search Tips

Corrections

Latest Updates

User Info

FAQs

Agency List

Incorporation By Reference

eCFR logo

Related Resources

 

Electronic Code of Federal Regulations

e-CFR data is current as of December 12, 2019

Title 28Chapter IPart 20 → Subpart B


Title 28: Judicial Administration
PART 20—CRIMINAL JUSTICE INFORMATION SYSTEMS


Subpart B—State and Local Criminal History Record Information Systems


Contents
§20.20   Applicability.
§20.21   Preparation and submission of a Criminal History Record Information Plan.
§20.22   Certification of compliance.
§20.23   Documentation: Approval by OJARS.
§20.24   State laws on privacy and security.
§20.25   Penalties.

Source: 41 FR 11715, Mar. 19, 1976, unless otherwise noted.

§20.20   Applicability.

(a) The regulations in this subpart apply to all State and local agencies and individuals collecting, storing, or disseminating criminal history record information processed by manual or automated operations where such collection, storage, or dissemination has been funded in whole or in part with funds made available by the Law Enforcement Assistance Administration subsequent to July 1, 1973, pursuant to title I of the Act. Use of information obtained from the FBI Identification Division or the FBI/NCIC system shall also be subject to limitations contained in subpart C.

(b) The regulations in this subpart shall not apply to criminal history record information contained in:

(1) Posters, announcements, or lists for identifying or apprehending fugitives or wanted persons;

(2) Original records of entry such as police blotters maintained by criminal justice agencies, compiled chronologically and required by law or long standing custom to be made public, if such records are organized on a chronological basis;

(3) Court records of public judicial proceedings;

(4) Published court or administrative opinions or public judicial, administrative or legislative proceedings;

(5) Records of traffic offenses maintained by State departments of transportation, motor vehicles or the equivalent thereof for the purpose of regulating the issuance, suspension, revocation, or renewal of driver's, pilot's or other operators' licenses;

(6) Announcements of executive clemency.

(c) Nothing in these regulations prevents a criminal justice agency from disclosing to the public criminal history record information related to the offense for which an individual is currently within the criminal justice system. Nor is a criminal justice agency prohibited from confirming prior criminal history record information to members of the news media or any other person, upon specific inquiry as to whether a named individual was arrested, detained, indicted, or whether an information or other formal charge was filed, on a specified date, if the arrest record information or criminal record information disclosed is based on data excluded by paragraph (b) of this section. The regulations do not prohibit the dissemination of criminal history record information for purposes of international travel, such as issuing visas and granting of citizenship.

§20.21   Preparation and submission of a Criminal History Record Information Plan.

A plan shall be submitted to OJARS by each State on March 16, 1976, to set forth all operational procedures, except those portions relating to dissemination and security. A supplemental plan covering these portions shall be submitted no later than 90 days after promulgation of these amended regulations. The plan shall set forth operational procedures to—

(a) Completeness and accuracy. Insure that criminal history record information is complete and accurate.

(1) Complete records should be maintained at a central State repository. To be complete, a record maintained at a central State repository which contains information that an individual has been arrested, and which is available for dissemination, must contain information of any dispositions occurring within the State within 90 days after the disposition has occurred. The above shall apply to all arrests occurring subsequent to the effective date of these regulations. Procedures shall be established for criminal justice agencies to query the central repository prior to dissemination of any criminal history record information unless it can be assured that the most up-to-date disposition data is being used. Inquiries of a central State repository shall be made prior to any dissemination except in those cases where time is of the essence and the repository is technically incapable of responding within the necessary time period.

(2) To be accurate means that no record containing criminal history record information shall contain erroneous information. To accomplish this end, criminal justice agencies shall institute a process of data collection, entry, storage, and systematic audit that will minimize the possibility of recording and storing inaccurate information and upon finding inaccurate information of a material nature, shall notify all criminal justice agencies known to have received such information.

(b) Limitations on dissemination. Insure that dissemination of nonconviction data has been limited, whether directly or through any intermediary only to:

(1) Criminal justice agencies, for purposes of the administration of criminal justice and criminal justice agency employment;

(2) Individuals and agencies for any purpose authorized by statute, ordinance, executive order, or court rule, decision, or order, as construed by appropriate State or local officials or agencies;

(3) Individuals and agencies pursuant to a specific agreement with a criminal justice agency to provide services required for the administration of criminal justice pursuant to that agreement. The agreement shall specifically authorize access to data, limit the use of data to purposes for which given, insure the security and confidentiality of the data consistent with these regulations, and provide sanctions for violation thereof;

(4) Individuals and agencies for the express purpose of research, evaluative, or statistical activities pursuant to an agreement with a criminal justice agency. The agreement shall specifically authorize access to data, limit the use of data to research, evaluative, or statistical purposes, insure the confidentiality and security of the data consistent with these regulations and with section 524(a) of the Act and any regulations implementing section 524(a), and provide sanctions for the violation thereof. These dissemination limitations do not apply to conviction data.

(c) General policies on use and dissemination. (1) Use of criminal history record information disseminated to noncriminal justice agencies shall be limited to the purpose for which it was given.

(2) No agency or individual shall confirm the existence or nonexistence of criminal history record information to any person or agency that would not be eligible to receive the information itself.

(3) Subsection (b) does not mandate dissemination of criminal history record information to any agency or individual. States and local governments will determine the purposes for which dissemination of criminal history record information is authorized by State law, executive order, local ordinance, court rule, decision or order.

(d) Juvenile records. Insure that dissemination of records concerning proceedings relating to the adjudication of a juvenile as delinquent or in need or supervision (or the equivalent) to noncriminal justice agencies is prohibited, unless a statute, court order, rule or court decision specifically authorizes dissemination of juvenile records, except to the same extent as criminal history records may be disseminated as provided in paragraph (b) (3) and (4) of this section.

(e) Audit. Insure that annual audits of a representative sample of State and local criminal justice agencies chosen on a random basis shall be conducted by the State to verify adherence to these regulations and that appropriate records shall be retained to facilitate such audits. Such records shall include, but are not limited to, the names of all persons or agencies to whom information is disseminated and the date upon which such information is disseminated. The reporting of a criminal justice transaction to a State, local or Federal repository is not a dissemination of information.

(f) Security. Wherever criminal history record information is collected, stored, or disseminated, each State shall insure that the following requirements are satisfied by security standards established by State legislation, or in the absence of such legislation, by regulations approved or issued by the Governor of the State.

(1) Where computerized data processing is employed, effective and technologically advanced software and hardware designs are instituted to prevent unauthorized access to such information.

(2) Access to criminal history record information system facilities, systems operating environments, data file contents whether while in use or when stored in a media library, and system documentation is restricted to authorized organizations and personnel.

(3)(i) Computer operations, whether dedicated or shared, which support criminal justice information systems, operate in accordance with procedures developed or approved by the participating criminal justice agencies that assure that:

(a) Criminal history record information is stored by the computer in such manner that it cannot be modified, destroyed, accessed, changed, purged, or overlaid in any fashion by non-criminal justice terminals.

(b) Operation programs are used that will prohibit inquiry, record updates, or destruction of records, from any terminal other than criminal justice system terminals which are so designated.

(c) The destruction of records is limited to designated terminals under the direct control of the criminal justice agency responsible for creating or storing the criminal history record information.

(d) Operational programs are used to detect and store for the output of designated criminal justice agency employees all unauthorized attempts to penetrate any criminal history record information system, program or file.

(e) The programs specified in paragraphs (f)(3)(i) (b) and (d) of this section are known only to criminal justice agency employees responsible for criminal history record information system control or individuals and agencies pursuant to a specific agreement with the criminal justice agency to provide such programs and the program(s) are kept continuously under maximum security conditions.

(f) Procedures are instituted to assure that an individual or agency authorized direct access is responsible for (1) the physical security of criminal history record information under its control or in its custody and (2) the protection of such information from unauthorized access, disclosure or dissemination.

(g) Procedures are instituted to protect any central repository of criminal history record information from unauthorized access, theft, sabotage, fire, flood, wind, or other natural or manmade disasters.

(ii) A criminal justice agency shall have the right to audit, monitor and inspect procedures established above.

(4) The criminal justice agency will:

(i) Screen and have the right to reject for employment, based on good cause, all personnel to be authorized to have direct access to criminal history record information.

(ii) Have the right to initiate or cause to be initiated administrative action leading to the transfer or removal of personnel authorized to have direct access to such information where such personnel violate the provisions of these regulations or other security requirements established for the collection, storage, or dissemination of criminal history record information.

(iii) Institute procedures, where computer processing is not utilized, to assure that an individual or agency authorized direct access is responsible for

(a) The physical security of criminal history record information under its control or in its custody and

(b) The protection of such information from unauthorized access, disclosure, or dissemination.

(iv) Institute procedures, where computer processing is not utilized, to protect any central repository of criminal history record information from unauthorized access, theft, sabotage, fire, flood, wind, or other natural or manmade disasters.

(v) Provide that direct access to criminal history record information shall be available only to authorized officers or employees of a criminal justice agency and, as necessary, other authorized personnel essential to the proper operation of the criminal history record information system.

(5) Each employee working with or having access to criminal history record information shall be made familiar with the substance and intent of these regulations.

(g) Access and review. Insure the individual's right to access and review of criminal history information for purposes of accuracy and completeness by instituting procedures so that—

(1) Any individual shall, upon satisfactory verification of his identity, be entitled to review without undue burden to either the criminal justice agency or the individual, any criminal history record information maintained about the individual and obtain a copy thereof when necessary for the purpose of challenge or correction;

(2) Administrative review and necessary correction of any claim by the individual to whom the information relates that the information is inaccurate or incomplete is provided;

(3) The State shall establish and implement procedures for administrative appeal where a criminal justice agency refuses to correct challenged information to the satisfaction of the individual to whom the information relates;

(4) Upon request, an individual whose record has been corrected shall be given the names of all non-criminal justice agencies to whom the data has been given;

(5) The correcting agency shall notify all criminal justice recipients of corrected information; and

(6) The individual's right to access and review of criminal history record information shall not extend to data contained in intelligence, investigatory, or other related files and shall not be construed to include any other information than that defined by §20.3(b).

[41 FR 11715, Mar. 19, 1976, as amended at 42 FR 61595, Dec. 6, 1977]

§20.22   Certification of compliance.

(a) Each State to which these regulations are applicable shall with the submission of its plan provide a certification that to the maximum extent feasible action has been taken to comply with the procedures set forth in the plan. Maximum extent feasible, in this subsection, means actions which can be taken to comply with the procedures set forth in the plan that do not require additional legislative authority or involve unreasonable cost or do not exceed existing technical ability.

(b) The certification shall include—

(1) An outline of the action which has been instituted. At a minimum, the requirements of access and review under §20.21(g) must be completely operational;

(2) A description of any legislation or executive order, or attempts to obtain such authority that has been instituted to comply with these regulations;

(3) A description of the steps taken to overcome any fiscal, technical, and administrative barriers to the development of complete and accurate criminal history record information;

(4) A description of existing system capability and steps being taken to upgrade such capability to meet the requirements of these regulations; and

(5) A listing setting forth categories of non-criminal justice dissemination. See §20.21(b).

§20.23   Documentation: Approval by OJARS.

Within 90 days of the receipt of the plan, OJARS shall approve or disapprove the adequacy of the provisions of the plan and certification. Evaluation of the plan by OJARS will be based upon whether the procedures set forth will accomplish the required objectives. The evaluation of the certification(s) will be based upon whether a good faith effort has been shown to initiate and/or further compliance with the plan and regulations. All procedures in the approved plan must be fully operational and implemented by March 1, 1978. A final certification shall be submitted on March 1, 1978.

Where a State finds it is unable to provide final certification that all required procedures as set forth in §20.21 will be operational by March 1, 1978, a further extension of the deadline will be granted by OJARS upon a showing that the State has made a good faith effort to implement these regulations to the maximum extent feasible. Documentation justifying the request for the extension including a proposed timetable for full compliance must be submitted to OJARS by March 1, 1978. Where a State submits a request for an extension, the implementation date will be extended an additional 90 days while OJARS reviews the documentation for approval or disapproval. To be approved, such revised schedule must be consistent with the timetable and procedures set out below:

(a) July 31, 1978—Submission of certificate of compliance with:

(1) Individual access, challenge, and review requirements;

(2) Administrative security;

(3) Physical security to the maximum extent feasible.

(b) Thirty days after the end of a State's next legislative session—Submission to OJARS of a description of State policy on dissemination of criminal history record information.

(c) Six months after the end of a State's legislative session—Submission to OJARS of a brief and concise description of standards and operating procedures to be followed by all criminal justice agencies covered by OJARS regulations in complying with the State policy on dissemination.

(d) Eighteen months after the end of a State's legislative session—Submission to OJARS of a certificate attesting to the conduct of an audit of the State central repository and of a random number of other criminal justice agencies in compliance with OJARS regulations.

[41 FR 11715, Mar. 19, 1976, as amended at 42 FR 61596, Dec. 6, 1977]

§20.24   State laws on privacy and security.

Where a State originating criminal history record information provides for sealing or purging thereof, nothing in these regulations shall be construed to prevent any other State receiving such information, upon notification, from complying with the originating State's sealing or purging requirements.

§20.25   Penalties.

Any agency or individual violating subpart B of these regulations shall be subject to a civil penalty not to exceed $10,000 for a violation occurring before September 29, 1999, and not to exceed $11,000 for a violation occurring on after September 29, 1999. For civil penalties assessed after August 1, 2016, whose associated violations occurred after November 2, 2015, see the civil penalty amount as provided in 28 CFR 85.5. In addition, OJARS may initiate fund cut-off procedures against recipients of OJARS assistance.

[41 FR 11715, Mar. 19, 1976, as amended by Order No. 2249-99, 64 FR 47102, Aug. 30, 1999; AG Order 3690-2016, 81 FR 42499, June 30, 2016]

Need assistance?