The concept of privacy is broad, encompassing different personal values and interests. A number of privacy-related factors become relevant in the current law enforcement intelligence environment and are intended to address “all crime and all threats.”42 Privacy interests may be characterized as representing a diverse array of issues, such as privacy of a person’s beliefs, personal behavior, personal communications, personal attributes (such as health or handicaps), and personal data (information privacy). Private information includes not only information that a law enforcement agency may be collecting about a person’s possible involvement in a criminal act, but also information relating to the following:
• Name, address, telephone number, or e-mail
• Race, national, or ethnic origin
• Religion
• Gender
• Marital status
• Fingerprints, blood type, or DNA
41 This occurred with North Carolina prosecutor Michael Nifong in the allegations of sexual assault against Duke University lacrosse players. For more information, see “Duke Lacrosse Prosecutor Disbarred.” CNN. www.cnn.
com.
42 Portions of this discussion are based on information in: National Criminal Justice Association (NCJA). Justice Information Privacy Guide. Washington, D.C.: NCJA, 2002, 12–13.
Chapter 7 147
• Financial status, history, or credit condition
• Psychiatric or psychological conditions and history
• Criminal history
• Age
• Sexual orientation
• Education
• Medical history or conditions
• Employment history, including employment dispositions
• Identifying number, symbol, or other character assigned to identify a person (such as a social security number, driver’s license number or university student identification number).
In the course of an intelligence inquiry, the law enforcement agency will collect different types of personal information, but has the obligation to maintain the privacy of the information regardless of whether the person is an intelligence target, witness, informant, or information provider (such as a citizen).
Privacy of personal data (information privacy) is described as when, how, and to what extent you share personal information about yourself. Information privacy involves the right to control one’s personal information and the ability to determine if and how that information should be obtained and used. It entails restrictions on a wide range of activities relating to personal information: its collection, use, retention, and disclosure.43
The law enforcement organization has an obligation to protect the privacy of all persons about whom the agency collects personal identifying information, including those suspected of committing crimes. Two primary methods are used:
security and confidentiality.
Security of personal information means that mechanisms and processes have been put in place to ensure that there is no unauthorized access to private information.
Whether the private information is in a computer system or in paper records, there must be an adequate mechanism in place to ensure that the information is not obtained by persons who do not have lawful access to them.
Confidentiality, particularly as related to information sharing, includes behaviors and processes that seek to prevent unauthorized disclosure of the information to third parties. After private information has been collected, the custodian of the information has the obligation to protect it from being shared with others unless there is a bona fide reason for a third party to receive the information. Once again, the standard of sharing personal information to others based on their right to know and need to know the information. This is an illustration of processes to ensure confidentiality. Moreover, there is an expectation that those who receive private information will maintain the confidentiality of personal information entrusted to them. Confidentiality is about limiting access to personal information 1. To those having specific permission for access44 to the records and 2. Preventing its disclosure to unauthorized third parties.
43 NCJA, 2002, p. 12.
44 “Permission to access” private records can include consent by the individual and permission as provided through lawful regulatory procedures and/or the legal process.
Law Enforcement Intelligence: A Guide for State, Local, and Tribal Law Enforcement Agencies 148
To maximize privacy protection, law enforcement agencies should ensure that privacy protections are in place. The National Strategy for Information Sharing emphasized this by establishing core privacy principles that all agencies are required to adopt. These are:
• Share protected information only to the extent that it is terrorism information, homeland security information, or law enforcement information related to terrorism.
• Identify and review the protected information to be shared within the Information Sharing Environment (ISE).
• Enable ISE participants to determine the nature of the protected information to be shared and its legal restrictions (e.g., “this record contains individually identifiable information about a U.S. citizen”).
• Assess, document, and comply with all applicable laws and policies.
• Establish data accuracy, quality, and retention procedures.
• Deploy adequate security measures to safeguard protected information.
• Implement adequate accountability, enforcement, and audit mechanisms to verify compliance.
• Establish a redress process consistent with legal authorities and mission requirements.
• Implement the guidelines through appropriate changes to business processes and systems, training, and technology.
• Make the public aware of the agency’s policies and procedures, as appropriate.
• Ensure that agencies disclose protected information to nonfederal entities—
including state, local, tribal, and foreign governments—only if the nonfederal entities provide comparable protections.
• State, local, and tribal governments are required to designate a senior official accountable for implementation.45
Protecting privacy is accomplished through the implementation of a privacy policy,46 along with effective training and supervision.
A privacy policy is a written, published statement that articulates the policy position of an organization on how it handles the personally identifiable information that it gathers and uses in the normal course of business. The policy should include information relating to the processes of information collection, analysis, maintenance, dissemination, access, expungement, and disposition.
The purpose of a privacy policy is to articulate publicly that the agency will adhere to legal requirements and agency policy determinations that enable gathering and sharing of information to occur in a manner that protects personal privacy interests. A well-developed and implemented privacy policy uses justice entity resources wisely and effectively; protects the agency, the individual, and the public; and promotes public trust.47
State, local, and tribal law enforcement (SLTLE) agencies have a mandate to establish a privacy policy not only from the NCISP, but also to participate in the ISE.
It is clear that there are unequivocal expectations for law enforcement agencies
45 National Strategy for Information Sharing.
Washington, D.C.: Executive Office of the President, 2007, 27–28.
46 The Privacy Policy Development Guide may be downloaded at it.ojp.gov/documents/
Privacy_Guide_Final.pdf.
47 Global Justice Information Sharing Initiative. Privacy Policy Development Guide. Washington, D.C.: Bureau of Justice Assistance, Office of Justice Programs, U.S. Department of Justice, 2006, 4–1.
Chapter 7 149 to meet national professional standards for privacy and civil rights protections.
As such, the obligation is to not only implement the policy, but to also provide training and supervision to ensure that the policy is effectively applied.