CRIMINAL JUSTICE INFORMATION SERVICES CJIS DIVISION AUDIT UNIT

CRIMINAL JUSTICE INFORMATION SERVICES (CJIS) DIVISION AUDIT UNIT National Identity Services (NIS) Audit Program Overview 1

NIS AUDIT • The NIS Audit is designed to evaluate compliance with applicable laws, regulations, policies, rules, and procedures and ensure system integrity • Authority and mandate to audit – – Title 28 CFR 907. 3 Title 5 USC 552 a(e)(10) CJIS Security Policy Security and Management Control Outsourcing Standard 2

NIS AUDIT • Audits – States • Repositories (State Identification Bureau – SIB) • State and local agencies – Federal agencies – Channelers – Federally regulated agencies • Provide assistance to agencies • Collaborate with and provide feedback to internal CJIS Division offices 3

NIS AUDIT • Interstate Identification Index (III) Participation Requirements • National Fingerprint File (NFF) Qualification Requirements • Noncriminal Justice Use of Criminal History Record Information (CHRI) • User Fee Billing • Rap Back (Criminal and Noncriminal) • Interstate Photo System (IPS) (Criminal) • Repository for Individuals of Special Concern (RISC) 4

NATIONAL CHRI • • Authorized Use Reason Fingerprinted Field and Purpose Code Usage Dissemination Applicant Notification and Record Challenge III Access for Exigent Circumstances User Fee State Audit Program 5

NATIONAL CHRI • CHRI – Criminal History Record Information – The Compact defines CHRI as information collected by criminal justice agencies on individuals consisting of identifiable descriptions and notations of arrests, detentions, indictments, or other formal criminal charges, and any dispositions arising therefrom, including acquittal, sentencing, correctional supervision, or release; but does not include identification information such as fingerprint records if such information does not indicate involvement of the individual with the criminal justice system. 6

NATIONAL CHRI • CHRI – Criminal History Record Information – Can be in any format – Is the information and not just the “rap sheet” – Includes confirming the existence or nonexistence of CHRI – Does not include information obtained independently from other sources (such as the court, police department, applicant, etc. ) 7

AUTHORIZED USE • Authority – Public Law 92 -544 – Other federal authorities • Used only for purpose requested – Not re-used for subsequent, unrelated purposes – Cannot submit for anticipated need • Positive ID – fingerprint based • Name-based III inquiry restriction for noncriminal justice purposes • Reference <https: //leo. cjis. gov/leo. Content/lesig/ncppcc/private/docs/noncriminal. shtml> 8

AUTHORIZED USE • Federal Authorities (not all inclusive) – – – Public Law 92 -544 National Child Protection Act and Volunteers for Children Act (NCPA/VCA) Adam Walsh Child Protection and Safety Act (AWA) Serve America Act (SAA) Real ID Act Housing Opportunity Program Extension Act Private Security Officer Employment Authorization Act Nursing Facility/Home Health Care Agency Act Violence Against Women Reauthorization Act Affordable Care Act, Sections 6201 and 6401 Commercial Motor Vehicle Safety Enhancement (CMVSE) Act Indian Child Protection & Family Violence Prevention Act 9

PUBLIC LAW 92 -544 • Published at Title 34 USC § 41101 • National criminal history record checks – Noncriminal justice employment and licensing as defined by state statute • Requirements – Checks must be authorized by a state statute that has been approved by the FBI – Statutes that are modified after approval must be sent to the FBI for a new approval – CHRI may not be disseminated to a non-governmental entity – Article 4 of the Compact re-use restriction 10

NCPA/VCA • Published at Title 34 USC § 40102 – Public Laws 103 -209, 103 -322, 105 -251, & 115 -141 • National criminal history record checks – Providers associated with qualified entities that care for children, the elderly, or individuals with disabilities • NCPA/VCA versus Public Law 92 -544 11

NCPA/VCA • Care includes: treatment, education, training, instruction, supervision, or recreation • Provider (person) – Employed or volunteers with a qualified entity – Owns or operates a qualified entity – Has, seeks to have, or may have access to children, the elderly, or individuals with disabilities, served by a qualified entity • Qualified entity (business or organization) – Public, private, profit, not for profit, voluntary – Provides care, care placement, licenses/certifies 12

NCPA/VCA • Authorized agency (governmental) – Division or office of a state – Designated by state to receive requests from qualified entities and receive criminal history records – May be multiple authorized agencies • Requirements – Provider completes signed statement • Biographic info, prior convictions, privacy rights – Fingerprints submitted to FBI through SIB with reason “NCPA/VCA”, “NCPA”, “VCA” (“volunteer” as applicable) 13

NCPA/VCA • Requirements (continued) – Authorized agency obtains disposition information and makes fitness determination – CHRI may not be disseminated to a non-governmental qualified entity • Volunteer and Employee Criminal History System (VECHS) Program – Allows dissemination of CHRI to non-governmental, qualified entity – Allows for re-use between qualified entities 14

NCPA/VCA • VECHS program requirements – User agreement between state and qualified entity – Provider signs a waiver authorizing dissemination to the private qualified entity – Waivers retained by state, authorized agency, or qualified entity 15

ADAM WALSH ACT • Published at Title 34 USC § 20962 – Public Law 109 -248 – Schools Safely Acquiring Faculty Excellence Act – Section 151 vs Section 153 • National criminal history record checks – Prospective foster or adoptive parents – Positions in private or public schools working with or around children (includes volunteers and contractors) 16

ADAM WALSH ACT • Requirements – Request from chief executive officer of state and FBI approval – Use of AWA originating agency identifier (ORI) coordinated through the CJIS Division – Fingerprints submitted to the FBI through SIB with reason “Adam Walsh Act” and “volunteer” as applicable – Specific screening criteria – Specific private entities are authorized to receive CHRI • Private schools • Private agencies contracting with child welfare government agencies 17

NURSING FACILITY / HOME HEALTH CARE AGENCY ACT • Published at Title 34 USC § 41105 – Public Law 105 -277 • National criminal history record checks – Applicant for employment if position is involved in direct patient care • Statutory definitions – Home health care agency • On a visiting basis in a place of residence – Nursing facility 18

NURSING FACILITY / HOME HEALTH CARE AGENCY ACT • Requirements – Fingerprints submitted to the FBI through SIB with ORI ending in “NFHHC 9 Z” – Applicant privacy notification (28 CFR 50. 12) – Private facilities/agencies are authorized to receive CHRI 19

AFFORDABLE CARE ACT • Requirements – Designation of a single state agency (Grantee State Agency - GSA) – Fingerprints submitted to FBI through SIB with reason “CMS NBCP 6201” or “ 6401 Medicaid” – Specific screening criteria – No prohibition from disseminating to private facilities • GSA business model approval from SIB • FBI review 20

REASON FINGERPRINTED (RFP) AND PURPOSE CODES (PC) • RFP - accurate representation of the purpose and/or authority for which the CHRI is to be used • PC - all name-based III inquiry and record request messages must include the correct purpose code for which the CHRI is to be used • All users are required to provide the reason for all name-based and fingerprint-based III transactions upon request by the CJIS Division systems managers, administrators, and representatives 21

DISSEMINATION • CHRI may be used solely for the purpose requested and cannot be disseminated outside the receiving departments, related agencies, or other authorized entities • CHRI may be disseminated to the subject of the record – Not a requirement – May be limited/restricted by the state • Reference <https: //leo. cjis. gov/leo. Content/lesig/ncppcc/private/docs/noncriminal. shtml> 22

DISSEMINATION • Exceptions: – – Public hearings Outsourcing Security Addendum/Management Control Agreement Certain federal authorities including, but not limited to: • Adam Walsh • NCPA/VCA with VECHS 23

APPLICANT NOTIFICATION AND RECORD CHALLENGE • Privacy Act Statement • Provide written notification fingerprints sent to FBI • Provide the opportunity to complete or challenge the accuracy of the information contained in the FBI identification record • Advise all applicants that procedures for obtaining a change, correction, or updating of an FBI identification record are set forth in Title 28, C. F. R. , § 16. 34 • Should not deny the license or employment based on information in the record until the applicant has been afforded a reasonable time to correct or complete the record, or has declined to do so 24

APPLICANT NOTIFICATION AND RECORD CHALLENGE • On-line reference documents – 1 page outlining applicants’ rights – 1 page outlining agency notification requirements – Privacy Act Statement • <https: /www. fbi. gov/services/cjis/compact-council> – Column on left side of page – Under “Privacy Protection” heading 25

USER FEE • Full fee • Reduced fee – Certain volunteers • No fee – Criminal justice purposes, including criminal justice employment and site security – Contractors 26

AUDIT COMPONENTS • Audit Types – On-Site (Primary) – Remote • Audit Components – Pre-audit • Research • Internal information gathering • External coordination and request for information • Initial analysis 27

AUDIT COMPONENTS • Audit Components (continued) – Assessment • Administrative interview/questionnaire • Reviews of case files/procedural documents • Exit briefing – Post-audit • Follow-up (internal and external) • Report • Sanctions <https: /www. fbi. gov/services/cjis/compact-council/sanctions-process-information> 28

POST AUDIT • Reporting – Draft Results Letter – Audit Participant Response • Corrective actions/action plan • Address statewide action as well as individual agencies – Final Results Letter 29

POST AUDIT • Sanctions – – – Applicable findings forwarded to Compact Council’s Sanctions Committee Initial Review Follow up with state as necessary • State response reviewed at subsequent meeting Elevate to state leadership if necessary Close out audit 30

COMMON FINDINGS • • III and NFF participation Requirements - Criminal fingerprint backlogs CHRI file maintenance (consolidations and dispositions) - No approved statutory authority or use outside the scope of an approved statutory authority Failure to provide applicants FBI Privacy Act statement Failure to provide all applicants on which a record is returned the opportunity to complete or challenge the records and the procedures for how to do so Unauthorized dissemination to non-governmental entities Unable to provide a reason to validate the purpose of the request Noncriminal justice use of CHRI - 31

POLICY REFERENCES • • III and NFF Operational and Technical Manual Title 28, U. S. C. , Section 534 Title 5, U. S. C. , Section 552 a (Privacy Act) Title 34, U. S. C. , Section 40316 (National Crime Prevention and Privacy Compact) Title 28 C. F. R. , Section 50. 12(b) Title 28 C. F. R. , Part 906 (Outsourcing) Security and Management Control Outsourcing Standard for Non. Channelers CJIS Security Policy 32

QUESTIONS? Don’t hesitate to reach out to the FBI CJIS Audit Unit for any questions you may have. Unit Chief, CJIS Audit Unit: Michael D. Mc. Intyre (304) 625 – 2988 <mmcintyre@fbi. gov> Supervisor, NIS Audit Program: Randall Wickline (304) 625 – 4876 <rpwickline@fbi. gov> Trainer, NIS Audit Program: Timothy Neal <tneal@fbi. gov> (304) 625 – 2637 33