Report of the National Task Force on Privacy, Technology and Criminal Justice Information, DOJ BJS, 2011

U.S. Department of Justice
Office of Justice Programs

Bureau of Justice Statistics

Report of the National Task Force on Privacy, Technology, and Criminal Justice Information
Law and policy
Change drivers
Recommendations

August 2001, NCJ 187669

Report of the work prepared under Cooperative Agreement number
96-BJ-CX-K010, awarded to SEARCH Group, Incorporated,
7311 Greenhaven Drive, Suite 145, Sacramento, California 95831.
Contents of this document do not necessarily represent the views
or policies of the Bureau of Justice Statistics or the U.S. Department
of Justice.

U.S. Department of Justice
Bureau of Justice Statistics
Lawrence A. Greenfeld
Acting Director
Acknowledgments. This report was prepared by SEARCH, The National Consortium for
Justice Information and Statistics, Kenneth E. Bischoff, Chair, and Gary R. Cooper, Executive
Director. The project director was Sheila J. Barton, Deputy Executive Director. Robert R. Belair,
SEARCH General Counsel, wrote this report. Kevin L. Coy, Associate, Mullenholz, Brimsek &
Belair, assisted in its preparation. Twyla R. Cunningham, Manager, Corporate Communications,
and Linda B. Townsdin, Writer/Editor, edited this report, and Jane L. Bassett, Publishing
Specialist, provided layout and design assistance. The Federal project monitor was Carol G.
Kaplan, Chief, Criminal History Improvement Programs, Bureau of Justice Statistics.
Copyright © SEARCH Group, Incorporated, dba SEARCH, The National Consortium for Justice
Information and Statistics, 2001
The U.S. Department of Justice authorizes any person to reproduce, publish, translate, or
otherwise use all or any part of the copyrighted material to this publication, except for those items
indicating they are copyrighted or printed by any source other than SEARCH, The National
Consortium for Justice Information and Statistics.

Contents
I. Introduction and executive summary
II. Report purpose and scope
III. Information privacy standards: Background
IV. Privacy protections for criminal justice information
A brief overview of the structure of the criminal justice information system
Constitutional and common law standards with respect to the privacy of criminal history record information
Constitutional standards
Common law standards
Federal criminal history record legislation and regulations
SEARCH Technical Report No. 13
State legislation
Access to criminal history record information in “open,” “intermediate,” and “closed” record States: Three case studies
Florida: An “open records” State
Washington: An “intermediate records” State
Massachusetts: A “closed records” State
V. Change drivers and trend lines: The basis for a new look at privacy and criminal justice information
Information privacy concerns at a historic high level
Public opinion survey results
Activity at the Federal and State level to protect privacy
Privacy issues are receiving increasing media attention, often requiring companies and government agencies to modify their practices
Other indications of the importance of privacy concerns: The European Union Data Protection Directive, omnibus proposals in the United States, and self-regulatory initiatives
The Information Culture
Changes in technology
Information technologies
Identification technologies
Communication technologies, including the Internet
Trend toward integrated systems
Definition of integration
Benefits and privacy risks of integration
A new approach that closely resembles a “Business Model” for the criminal justice system
More public access, demand for criminal justice records
Changes in the marketplace: Growing commercialization of records as private companies sell criminal justice records compiled from public record information
The changing marketplace
The Fair Credit Reporting Act
The Individual Reference Services Group
Privacy risks posed by changes in the marketplace
Federal and State initiatives
The Security Clearance Information Act of 1985
Sex offender statutes
The Brady Handgun Violence Prevention Act
The National Child Protection Act
Juvenile justice reform
A brief history of the philosophy of the juvenile justice system
Recent legal trends
Criminal intelligence information systems
VI. Task Force recommendations
Background
Recommendations and commentary
VII. Conclusion

Appendix 1: Task Force participants
Appendix 2: Glossary of criminal justice information terms
Appendix 3: Comparison of criminal history and other privacy measures

I. Introduction and executive summary
Rationale for Bureau of Justice Statistics and SEARCH project
In 1998, the Bureau of Justice Statistics (BJS) in the Office of Justice Programs (OJP), U.S. Department of Justice, and SEARCH, The National Consortium for Justice Information and Statistics,[1] determined that the time was appropriate to conduct a comprehensive project[2] to review the law and policy addressing the collection, use, and dissemination of criminal justice record information and, particularly, criminal history record information (CHRI).[3]

In the mid-1970s and again in the mid-1980s, BJS and its predecessor organizations, along with SEARCH, had looked closely and comprehensively at this very issue. Those reviews:
• Concluded that CHRI should not be made available to the general public.
• Recognized that there are some legitimate, noncriminal justice uses of CHRI (for example, for background checks for positions of trust).
• Recognized a sharp distinction between arrest-only and conviction information, and recommended more relaxed rules for the dissemination of conviction information.
• Strongly endorsed the view that CHRI should be made available for various noncriminal justice purposes only after a search conducted on the basis of fingerprints.
• Recommended that various privacy and fair information practice protections should attach to the handling of CHRI, including a right on the part of the record subject to see and correct the record.

[1] Hereafter, SEARCH.
[2] The project was funded by and operated under the auspices of the Bureau of Justice Statistics (BJS). Since its inception, BJS has taken a leadership role in the improvement of criminal history record information and the development of appropriate policies for handling this information. SEARCH is a State criminal justice support organization comprised of one governor’s appointee from each State, the District of Columbia, and the territories of Puerto Rico and the U.S. Virgin Islands, as well as eight at-large Members selected by the SEARCH Chair. For over 3 decades, SEARCH has promoted the effective and appropriate use of information, identification, and communications technology for State and local criminal justice agencies. For the same period of time, SEARCH has been vitally concerned with the privacy and public access implications of the automation and use of personally identifiable criminal justice record information.
[3] CHRI consists of arrest and conviction information, as well as other types of disposition information.

Those efforts and recommendations by BJS and SEARCH made a direct contribution to the development of law and policy for the handling of CHRI in all 50 States.

By the late 1990s, however, it had become apparent that changes in technology, as well as in the public’s attitude about access to information and privacy, made it appropriate and important to take a new look at CHRI law and policy. In particular, the existing CHRI law takes a “smokestack” approach: one body of law for the comprehensive CHRI maintained by law enforcement at a central State repository (sometimes referred to as a “rap sheet”); an entirely separate body of law regulating the dissemination and use of the very same records (albeit, not as comprehensive or complete) maintained in the courts; another separate body of law and policy for the collection, use, and dissemination of this information by various commercial compilers; and a different set of laws for the media’s handling of this information. This smokestack approach, combined with an eruption of public concern about privacy, and further combined with a necessary and constructive effort sweeping the Nation to integrate criminal justice and other governmental information systems, set the scene for an in-depth review of CHRI law and policy.

Goals and deliverables
The goal of BJS and SEARCH
was to craft a road map for the
development of a new generation of CHRI law and policy.
Specifically, the BJS/SEARCH
effort consists of four deliverables:
1. This report, which analyzes existing law and policy for handling CHRI; identifies the technological and societal developments that may be changing the criminal justice privacy environment; and makes initial recommendations to address the next generation of criminal justice information law and policy.
2. A first-ever, public opinion survey about public access to CHRI undertaken by the Opinion Research Corporation and Dr. Alan F. Westin.[4]
3. A national conference — the proceedings of which will be published separately — to address and highlight emerging criminal justice information privacy issues, which was held in Washington, D.C., on May 31 and June 1, 2000.
4. Targeted standards applying the recommendations of the National Task Force on Privacy, Technology and Criminal Justice Information,[5] as set forth in this report, to specific types of criminal justice record information and integrated systems. Work in this area began with the development of design principles for safeguarding the privacy of personal information in integrated criminal justice systems (to be published separately). Additional projects to promote the next generation of criminal justice information privacy law and policy recommended in this report are under development.

To assist in conducting the project, BJS and SEARCH convened a Task Force of preeminent academics, criminal justice officials (including representatives from law enforcement, the courts, corrections, and prosecution), private-sector compilers and resellers of criminal justice record information, the media, and the criminal justice record user community.[6] The Task Force held three, multiple-day meetings: Asilomar in Pacific Grove, California, on January 13-14, 1999; Boston, Massachusetts, on May 11-12, 1999; and Victoria, British Columbia, Canada, on October 18-19, 1999. The observations and recommendations in the report reflect the Task Force’s consensus views, but do not necessarily reflect the views of any particular member of the Task Force or of his or her institutional affiliations.

[4] The summary results of this survey, along with interpretive commentary, are being published separately by BJS in a forthcoming companion report titled “Privacy, Technology and Criminal Justice Information: Public Attitudes Toward Uses of Criminal History Information, Summary of Survey Findings,” (NCJ 187633). Hereafter, Privacy Survey Report.
[5] Hereafter, Privacy Task Force or Task Force.
[6] Biographies of Task Force participants are included as Appendix 1.

Key factors changing the criminal history record information environment
The Task Force identified the following technological, cultural, economic, and other “change drivers” that are moving the Nation toward a new information environment and impelling the consideration of new criminal justice record information privacy policies.
• Public concern about privacy. In the late 1990s, the American public registered the strongest concerns ever recorded about threats to their personal privacy from both government and business. In a 1999 study conducted by Dr. Alan F. Westin, 94 percent of respondents said they are concerned about the possible misuse of their personal information. Of the concerned, 77 percent said they were “very concerned.”
• The “Information Culture.” A new and emerging culture of information access and use facilitated by personal computers, browsers, search engines, online databases, and the Internet, has helped to create a demand for, and a market in, information, including criminal justice information, while, at the same time, fostering in many a sense of lack of control over one’s personal information and a loss of privacy.
• Technological change. Revolutionary improvements in information, identification, and communications technologies (including increasingly advanced software applications and Internet-based technologies), and the increased affordability of these technologies fuel the appetite for information and create new players in the criminal justice information arena.
• System integration. Initiatives to integrate criminal justice information systems operated by law enforcement, courts, prosecution, and corrections, as well as initiatives to integrate these systems with information systems maintaining other types of personal information, create powerful new information resources. At the same time, these integration initiatives may create uncertainty about the types of privacy laws and policies that apply to these new systems and which dilute existing policies designed to keep information separate.
• New approach that closely resembles a “Business Model” for the criminal justice system. Two fundamental changes in the way the criminal justice system operates have had a profound impact upon the approach that criminal justice agencies take toward obtaining and using information — a “data-driven, problem-solving approach.” These changes are: a new, more cooperative, community-based relationship between criminal justice agencies and citizens; and added criminal justice agency responsibilities to provide information to surrounding communities, Federal, State, and local agencies, other police departments, and other organizations. This new approach also creates privacy risks through a wider circulation of criminal justice information.
• Noncriminal justice demand. A persistent and ever-increasing demand by noncriminal justice users to obtain CHRI has had a pervasive and important impact on the availability of information.
• Commercial compilation and sale. Changes in the information marketplace — which feature the private sector’s acquisition, compilation, and sale of criminal justice information obtained from police and, more particularly, court-based open record systems — are making information similar to that found in criminal history records more widely available to those outside the criminal justice system.
• Government statutes and initiatives. A host of new government initiatives and laws, aimed at providing criminal justice information to broader audiences, on a more cost-effective and timely basis, has also fueled the availability of criminal justice information.
• Juvenile justice reform. Demands for juvenile justice records, particularly those involving violent offenses that result in treating juvenile information in a way which very much resembles the handling of adult records, are also putting pressure on traditional information and privacy policies.
• Intelligence systems. Criminal justice intelligence systems are being automated, regionalized, and armed with CHRI and other personal information to create detailed personal profiles for law enforcement use.

Content of project report
This project report begins with a
review of information privacy
law and policy. The report
identifies five interests critical
to a democracy and that are
served by information privacy:
(1) due process and fairness, (2)
individual dignity, (3) individual autonomy, (4) oversight and
trust in governmental institutions, and (5) the promotion of
privacy-dependent relationships.

In reviewing the history of information privacy, the report describes the development of the code of fair information practices in the early 1970s, a code that continues to shape both U.S. and worldwide privacy policy to this day.

The report provides further background information with an overview of the criminal justice information system structure. The report describes the Nation’s system for the interstate exchange of CHRI, including the role of the Federal Bureau of Investigation (FBI), the central State repositories of CHRI, the Interstate Identification Index (III), the National Crime Prevention and Privacy Compact (which establishes formal procedures and governance structures for noncriminal justice use of the III), and the Compact Council. The report also enumerates the types of personally identifiable information that are encompassed within the term “criminal justice record information,” including juvenile justice information, investigative and intelligence information, various kinds of original records of entry, and, of course, the criminal history record.

The report also sets forth the constitutional and common law standards that apply to CHRI. The report emphasizes that the courts recognize individuals have a privacy interest in CHRI which pertains to them, but that this interest has seldom been relied upon by the courts to strike down or limit statutory and regulatory standards for the collection, use, and dissemination of CHRI.

The report provides further background by tracing the development of Federal and State criminal history record legislation and regulation. In the period since 1967, the Congress, the Justice Department, State legislatures, and regulatory bodies have devoted considerable attention to standards for collecting, maintaining, using, and disseminating CHRI. Both BJS and SEARCH have been active participants in the development of these standards. The report notes that today, these standards provide for the following: subject access and correction rights; restrictions on the amalgamation of criminal history information with other types of personal information; various kinds of standards to ensure the accuracy, completeness, and timeliness of CHRI; fingerprint support of information entered into law enforcement criminal history systems and obtained from those systems; various kinds of disposition reporting requirements; sealing and purging standards in the case of old information or arrest information without a disposition; security standards; standards for criminal history use or dissemination; widespread criminal justice access to CHRI; limited noncriminal justice access to CHRI; and very limited public access to CHRI.

The report also includes brief case studies of three States that have taken very different approaches to public access to law enforcement CHRI: Florida, which takes an “open record” approach; Washington, which takes an “intermediate” approach (providing significant access to conviction information but very limited access to nonconviction information); and Massachusetts, a largely “closed-record” State that permits access only to criminal justice entities.

The bulk of the report focuses on the “change drivers” described above. In particular, the report gives attention to the public’s concern about privacy and the technological changes that make previously inaccessible court records widely available.

Task Force recommendations
Finally, the report presents the 14 recommendations adopted by the National Task Force on Privacy, Technology and Criminal Justice Information.

Several points should be emphasized about these recommendations:
• First, the purpose of these recommendations is not to prescribe the specifics of a new generation of law and policy for criminal justice record information. Rather, the purpose of the recommendations is to address the conceptual and structural outline of a new generation of law and policy. Accordingly, the Task Force recommends that further work on these specifics be undertaken by a statutorily chartered study organization with a 3-year sunset.
• Second, in looking at the approach to CHRI, the Task Force recommends a global policy to address criminal history and juvenile justice record information largely without regard to whether this information is held by law enforcement agencies (that is, the central State repositories), the courts, or commercial compilers and aggregators. The Task Force’s rationale for this approach is that the privacy and information implications are largely unaffected by whether the information is sourced to courts, law enforcement, or commercial compilers.
• Third, the Task Force reaffirms the importance of using fingerprints to the extent that technology, cost, and availability make fingerprints available to law enforcement, the courts, and the commercial sector. Only with the use of fingerprints can a reliable determination be made that a criminal history record pertains to the person who is the subject of the search.
• Fourth, the Task Force view is that the creation of comprehensive profiles about individuals is a threat to privacy and, importantly, is perceived by the public as a threat to privacy. Accordingly, the Task Force recommends that criminal justice record information not be amalgamated with other types of personal information (such as financial or medical information) in databases of criminal history and criminal justice records.
• Fifth, the Task Force view is that the national initiative to integrate various criminal justice record information systems, in order to improve the utility, effectiveness, and cost efficiency of these systems, is a positive development and should be encouraged. The Task Force recognizes, however, that the establishment of these kinds of systems raises privacy and profiling issues and, therefore, the structure and content of integrated information systems should be shaped to minimize these threats.

Specifically, the Task Force
adopted the following recommendations, which were subsequently endorsed in January
2000 by SEARCH’s Membership Group (governors’ appointees):
I. The Task Force recommends that a body be statutorily created to consider and make policy recommendations to the Federal and State legislative, executive, and judicial branches of government as they work to balance the increasing demand for all forms of criminal justice information and the privacy risks associated with the collection and use of such information. The Task Force recommends that the body look at information and privacy issues arising from all types of criminal justice information, including criminal history record information, intelligence and investigative information, victim and witness information, indexes and flagging systems, wanted person information, and civil restraining orders. The Task Force further recommends that such a body be comprised of public and private stakeholders; that the body be limited to an advisory role; and that it have neither rulemaking nor adjudicatory authority. Finally, the Task Force recommends that the body sunset after not more than 3 years, unless statutorily reauthorized.

II. The Task Force recommends the development of a new generation of criminal justice information and privacy law and policy, taking into account public safety, privacy, and government oversight interests. This law and policy should be broad in scope, so as to address the collection, maintenance, use, and dissemination of criminal justice record information by law enforcement agencies, including State central repositories and the FBI, the courts, and commercial compilers and resellers of criminal justice record information.

III. The Task Force recommends that the adequacy of existing legal remedies for invasions of privacy arising from the use of criminal history record information should be reexamined by legal scholars, State legislatures, Congress, State and Federal agencies, and the courts.

IV. The Task Force recommends the development of a new generation of confidentiality and disclosure law and policy for criminal history record information, taking into account the type of criminal history record information; the extent to which the database contains other types of criminal justice information (victim and witness information, or intelligence or investigative information) and sensitive personal information (medical or financial information, and so on); the purpose for the intended use of the information; and the onward transfer of the information (the redissemination of the criminal history information by downstream users).

V. The Task Force recommends that intelligence and investigative information also be addressed by new privacy law and policy, but that this process should begin with the establishment of a Task Force dedicated exclusively to a review of intelligence and investigative systems, and the law and privacy issues related to those systems.

VI. The Task Force recommends that legislators and criminal history record information system managers develop, implement, and use the best available technologies to promote data quality and data security.

VII. The Task Force recommends that criminal history record information,
whether held by the
courts, by law enforcement, or by commercial
compilers and resellers,
should, subject to appropriate safeguards, be supported by and accessible
by fingerprints to the extent legally permissible
and to the extent that
technology, cost, and the
availability of fingerprints
to both database managers

and users make this practicable.
VIII. The Task Force recommends that criminal history record information
should be sealed or expunged (purged) when the
record no longer serves an
important public safety or
other public policy interest. A sealed record
should be unsealed and
available for criminal justice and/or public use
only when the record
subject has engaged in a
subsequent offense or
when other compelling
public policy considerations substantially outweigh the record subject’s
privacy interests. During
the period that a criminal
history record is sealed,
use and disclosure should
be prohibited.
IX.

The Task Force recommends that individuals
who are the subject of
criminal history record information be told about
the practices, procedures,
and policies for the collection, maintenance, use,
and disclosure of criminal
history information about
them; be given a right of
access to and correction
of this information, including a right to see a record of the disclosure of
the information in most
circumstances; and enjoy
effective remedies for a
violation of any applicable privacy and information standards. In
addition, the Task Force
recommends that States
establish meaningful
oversight mechanisms to
ensure that these privacy
protections are properly
implemented and enforced.
X. The Task Force recommends that where public
safety considerations so
require, the record of a
juvenile offender who
commits an offense
which, if committed by an
adult, would be a felony
or a violent misdemeanor,
be treated in the same
manner that similar adult
records are treated. Even
if a State opts to retain
stronger privacy and confidentiality rules for these
types of juvenile records,
these records should be
fingerprint-supported and
should be capable of being captured in an automated, national system.

XI. The Task Force recommends that criminal justice record information
law and policy should restrict the combining of
different types of criminal
justice record information
into databases accessible
to noncriminal justice users and should restrict the
amalgamation of criminal
justice record information
in databases with other
types of personal information, except where
necessary to satisfy public
policy objectives.

XII. The Task Force recommends that where public
policy considerations require amalgamation of information, systems be
designed to recognize and
administer differing standards (including dissemination policies and
standards) based upon differing levels of data sensitivity, and allow the
flexibility necessary to
revise those standards to
reflect future changes in
public policy.

XIII. The Task Force recommends that the integration
of criminal justice information systems should be
encouraged in recognition
of the value of integrated
systems in improving the
utility, effectiveness, and
cost efficiency of information systems. Prior to
establishing integrated
systems, however, privacy implications should
be examined, and legal
and policy protections in
place, to ensure that future public- and private-sector uses of these information systems remain
consistent with the purposes for which they were
originally created. In addition, once an integrated
system is created, any
future uses or expansions
of that system should be
evaluated to assess the
privacy implications.

XIV. The Task Force recommends that new criminal
justice privacy law and
policy should continue to
give weight to the distinction between conviction information and
nonconviction information. The Task Force recognizes, however, that
there are certain instances
in which disclosure of
nonconviction information may be appropriate.


II. Report purpose and scope
It hardly comes as a surprise
that Federal agencies collect
vast amounts of personal information, including information
collected through the criminal
justice system. It is also no surprise that this information collection activity serves critical
public safety and other public
values. Moreover, access to
public record information, including criminal justice information, promotes interests
critical to a democratic society,
including:
• Promoting government
accountability. Access to
public records helps the
public monitor government
activities, thereby assisting
the public to hold elected
officials and nonelected
civil servants accountable
and protecting against secret
government activities.
• Promoting first amendment rights. Access to
public record information
helps to create the informed
citizenry necessary for the
robust, wide-open public
debates that play an important structural role in securing and fostering free
speech and republican self-government.
• Promoting confidence in
the judicial and political
systems. Access to public
record information bolsters
public knowledge about,
and helps instill confidence
in, the operation of the political system as well as the
judicial system.
• Promoting private-sector
accountability. The use of
background checks that rely
on public record information allows the verification
of assertions made by individuals (or facts omitted by
individuals), thereby permitting prospective employers and business partners to
protect themselves and vulnerable populations which
may be in their care, including children, the disabled, and the elderly.

• Promoting meritocracy. In
a mobile society where
merit (often initially represented by credentials) is often used rather than family
connections and lineage for
purposes such as employment, access to public records provides an important
means of verifying an individual’s credentials, including whether the
individual has a criminal record.

Because this information is
collected and used for the good
of society, why isn’t that the end
of the debate? Why not make all
information, including personal
information collected by Federal
agencies, publicly available?

The answer, of course, is that
there are powerful competing
values, interests, and concerns.
One such interest is privacy.
Privacy encompasses not only
secrecy but also fair information
practices regarding the use, access, accuracy, right to challenge inaccurate information,
and knowledge that record systems even exist.7 These information privacy interests were
given voice in the 1970s, at a
time when centralized and
automated record systems were
chiefly associated with governmental activities. During the
1970s, a set of broad fair information practice policies
emerged, with specific applications for criminal justice information. Since the 1970s, there
have been many changes, including technological, political,
and marketplace changes, that
have changed the information
environment.
This report identifies developments that may be outpacing
established privacy and fair information practices protections
for criminal justice information,
and which may necessitate a
new look at appropriate law and
policy for managing this information. The report is intended
to serve as a resource for State
and Federal policymakers, the
courts, criminal justice agencies,
private-sector, self-regulatory
organizations, privacy advocates, and individuals interested
in privacy and criminal justice
issues.

7 Other values and interests include
national security interests, secrecy requirements necessary to facilitate ongoing law enforcement investigations,
the protection of trade secrets, and so
on.

For purposes of this report,
“criminal justice information” is
defined broadly to include all
information obtained, maintained, or generated about an
individual by the courts or a
criminal justice agency as a result of suspicion that the individual may be engaging in
criminal activity or in relation to
his or her arrest and the subsequent disposition of this arrest.
“Criminal justice information”
includes: criminal history record
information (CHRI); criminal
intelligence information; criminal investigative information;
disposition information; identification record information;
nonconviction information; and
wanted person information.8

Criminal intelligence and criminal investigative information are
within the definition of criminal
justice information as it is addressed in this report. The Task
Force concluded after considerable deliberation, however, that
changes in criminal intelligence
and investigative information
systems raise complex and discrete privacy issues. Those issues merit examination by a
separate Task Force or other
group devoted solely to that issue, particularly a group with
more representation from the
investigative and intelligence
communities than is reflected in
the membership of the Task
Force on Privacy, Technology
and Criminal Justice Information.

8 Technical Report No. 13: Standards
for the Security and Privacy of Criminal History Record Information, 3rd ed.
(Sacramento: SEARCH Group, Inc.,
1988) pp. 8-9. Hereafter, Technical
Report No. 13, 3rd ed. A glossary of
justice information terms is included as
Appendix 2.

III. Information privacy standards: Background
Customarily, the term “information privacy” is used to refer
to standards for the collection,
maintenance, use, and disclosure of personally identifiable
information. A central component of “information privacy” is
the ability of an individual to
control the use of information
about him or herself.9
Information privacy is frequently distinguished from other
clusters of personal interests
that are nourished by the privacy doctrine, including surveillance privacy — the interest
in being free from governmental
and other organized surveillance
of individual activities under
circumstances where the individual has a reasonable expectation of privacy; and
behavioral privacy — the right
to engage in certain intimate and
sensitive behaviors (such as behaviors relating to reproductive
rights) free from governmental
or other control.10

9 See, for example, Alan F. Westin,
Privacy and Freedom (New York:
Atheneum, 1967) p. 7. Hereafter, Privacy and Freedom.
10 In Whalen v. Roe, 429 U.S. 589,
599, 600 (1977), the Supreme Court
discussed the various clusters of interests protected by the broad term “privacy.”

Protection of information privacy is widely seen as serving at
least five interests that are critical to a democracy:
1. An interest in ensuring society (both public and private
sectors) makes decisions
about individuals in a way
that comports with notions
of due process and fairness.
Accuracy of CHRI and use
of that information, which
includes providing notice to
the individual and giving
the individual an opportunity to respond, is consistent
with notions about fairness.
The absence of these protections may produce erroneous or unjustified
decisions about employment, credit, health care,
housing, or other valued
benefits or statuses.
2. An interest in protecting
individual dignity. When
individuals endure stigma,
embarrassment, and humiliation arising from the
uncontrolled use and disclosure of information about
them, they lose the sense of
dignity and integrity essential for effective participation in a free and
democratic society.
3. An interest in protecting
individual autonomy. When
individuals lack control
over personal information
about themselves, they lose
a sense of control over their
lives. The ability of individuals to control personal
information about themselves promotes personal
autonomy and liberty.

4. An interest in promoting a
sense of trust in, and a
check upon the behavior of,
institutions. When individuals lose the ability to selectively disclose their
sensitive personal information, they lose trust in the
public and private institutions that collect, hold, use,
and disclose this personal
information. (Public opinion
surveys indicate that the
public’s “distrust index”
(the extent to which the
public distrusts the government) is at all-time high
levels of approximately 80
percent.)11
5. An interest in promoting the
viability of relationships
critical to the effective
functioning of a democratic
society. Numerous relationships, such as the doctor-patient relationship, the
lawyer-client relationship,
or even the news media and
confidential source relationship, depend upon promises
of confidentiality in order to
promote the candid sharing
of personal information and
trust within the relationship.

11 See note 75 infra.

The concept of information privacy as a distinct branch of privacy is relatively new. The
concept found full voice in the
late 1960s, amid rising concerns
about computers and growing
disenchantment with government, and articulated in writings
such as Alan Westin’s book,
Privacy and Freedom,12 with
later iterations in the 1972 National Academy of Science’s
report, Databanks in a Free Society,13 and the 1973 Report of
the Secretary of Health, Education and Welfare’s Advisory
Committee on Automated Personal Data Systems (HEW Report).14

These seminal works recognized
the importance of information
privacy and the need to balance
privacy with other competing
interests, such as public safety.
As part of this dialogue, the
HEW Report’s “Code of Fair
Information Practices” set forth
five basic procedural principles
for fair information practices:

1. There must be no personal-data recordkeeping systems
whose very existence is secret.
2. There must be a way for an
individual to find out what
information about him is in
a record and how it is used.
3. There must be a way for an
individual to prevent information about him obtained
for one purpose from being
used or made available for
other purposes without his
consent.
4. There must be a way for an
individual to correct or
amend a record of identifiable information about him.
5. Any organization creating,
maintaining, using, or disseminating records of identifiable personal data must
assure the reliability of the
data for their intended use
and must take reasonable
precautions to prevent misuse of the data.15

The HEW Code of Fair Information Practices was widely
influential when it was released,
and served as a basis for the
Federal Privacy Act of 1974.
The HEW Code of Fair Information Practices was further
examined and applied to specific recordkeeping relationships in the 1977 Report of the
Privacy Protection Study Commission.16 Balancing privacy
with competing interests has
also been widely accepted as a
means of accounting for privacy
concerns.17 Although some have
questioned whether the Code of
Fair Information Practices remains a viable approach,18 the
Code and balancing privacy
with competing interests continues to provide a framework for
fair information practices in the
United States.19

12 Privacy and Freedom, supra note 9.
13 Alan F. Westin and Michael A.
Baker, Databanks in a Free Society:
Computers, Record-Keeping and Privacy (New York: Quadrangle Books,
1972). See also, Robert R. Belair, “Information Privacy: A Legal and Policy
Analysis,” in Science, Technology and
Uses of Information (Washington,
D.C.: National Science Foundation,
1986).
14 Records, Computers and the Rights
of Citizens, DHEW Publication No.
(OS) 73-97 (Washington, D.C.: Department of Health, Education and
Welfare, 1973), available at
http://aspe.hhs.gov/datacncl/1973privacy/tocprefacemembers.htm.
15 Ibid., p. 41.
16 U.S. Privacy Protection Study
Commission, Personal Privacy in an
Information Society (Washington, D.C.:
U.S. Government Printing Office, July
1977).
17 Charles D. Raab, “From Balancing
to Steering: New Directions for Data
Protection,” in Visions of Privacy:
Policy Choices for the Digital Age,
Colin J. Bennett and Rebecca Grant,
eds. (Toronto: University of Toronto
Press, 1999) pp. 68-93.
18 Ibid. Other privacy experts continue
to believe that Fair Information Practices and the “balancing of interests”
approach can continue to serve as the
basis for privacy law and policy, either
as currently constituted or with modifications. See, for example, David H.
Flaherty, “Visions of Privacy: Past,
Present and Future,” in ibid., pp. 19-38.
19 See, for example, Testimony of
Donna E. Shalala, Secretary, U.S. Department of Health and Human Services, before the Senate Committee on
Labor and Human Resources, September 11, 1997 (recommending that the
Congress pass health information privacy legislation based upon the 1973
Code of Fair Information Practices).
Not surprisingly, however, the Fair
Information Practices outlined in the
HEW Report have been expanded upon
in the nearly 30 years since they were
first promulgated. Today, influenced in
part by developments in Europe, discussion of fair information practices
also frequently focuses, for example, on
procedural and substantive safeguards
surrounding the collection of information to ensure that information is used
only for purposes consistent with those
for which the information is collected,
and that the information collected is
relevant to the purpose for which it is
being collected.

IV. Privacy protections for criminal justice information
A brief overview of the structure of the criminal justice information system

Before examining the legal and
policy regime surrounding
criminal justice information,
this section briefly reviews the
structure of the criminal justice
information system as it relates
to CHRI (at both the Federal
and State levels), juvenile justice information, intelligence
and investigative information,
and original records of entry.

• Criminal history record
information: Federal role.
At the Federal level, the FBI
functions as a criminal history record repository,
holding both Federal offender information and records of arrest and
dispositions under State
law.
— Interstate Identification
Index (III). During the
last 30 years, the FBI,
working with the State
criminal justice information community, developed the III. The III
consists of an FBI-maintained index of all
individuals with State or
Federal criminal history
records, supported by a
National Fingerprint
File. Authorized requestors access the III
to determine whether
any State (or the FBI for
Federal offenses)
maintains a criminal
history record about a
particular individual.
— III Compact. In October
1998, the Congress enacted the Crime Identification Technology Act
(CITA),20 which includes as Title II, the
National Crime Prevention and Privacy
Compact Act (III Compact). Once ratified by
the States, the III Compact will permit the III
to be used by authorized, noncriminal justice requestors.21

• Criminal history record
information: central State
repositories. Every State
has established a “central
State repository” of criminal
history information and fingerprints, operated by a
State law enforcement
agency. Central State repositories maintain a fingerprint record of every
individual arrested in the
State for a serious/reportable offense (standards vary among the
States, but, customarily, reportable offenses are misdemeanors punishable by a
year or more in prison, plus
felonies). The repository
also maintains an automated
record of those individuals’
arrests, along with all available dispositions. This record is referred to as a
criminal history record or
“rap sheet.”
— Repository mission. The
central State repository’s principal mission
is to provide CHRI to
State and local law enforcement agencies. The
repositories also provide CHRI to the other
components of the
criminal justice system
— courts, prosecutors,
and corrections — as
well as certain noncriminal justice users.22
— Information maintained
by repositories. Traditionally, central State
repositories maintain
subject identification information (fingerprint
records), criminal history information (which
historically and traditionally consists of
identifying information,
arrests, and available
dispositions, but little or
no information about
third parties such as
witnesses, victims, or
family members),23 and
certain other information (such as pretrial
release information and
felony conviction flags).
Repositories virtually
never maintain other
types of personal information (employment
history, medical history,
military, or citizenship
status, and so on).24
— Liaison with FBI. Repositories serve as a
contact point and liaison
with the FBI: sending
fingerprints and arrest
and disposition information to the FBI; responding to search
inquiries from the FBI;
and initiating search inquiries to the FBI on
behalf of authorized, in-State requestors.
— Information maintained
by local agencies. Over
the past 30 years, local
agencies, with rare exception for the very
largest local agencies,
have withdrawn from
the business of maintaining formal and
comprehensive criminal
history records (other
than booking information and other original
records of entry). Instead, local agencies
rely on the State repository and, through
the State repository, the
FBI to provide complete
and comprehensive
criminal history records.

• Juvenile justice information. Juvenile justice information is, broadly speaking,
information on juveniles,
which, but for the age of the
juvenile, would be considered criminal justice information.25 Traditionally, the
repositories do not maintain
juvenile justice information;
for the few repositories that
do, it is frequently not integrated with adult records of
that individual. (As a practical matter, juvenile justice
information, until very recently, was not available on
any kind of reliable or organized basis. Rather, each
separate juvenile or family
court and each separate law
enforcement agency would
maintain juvenile records.
These records frequently
were not automated or fingerprint-supported. Moreover, traditionally, some of
these records were not
available by law (based on
sealing requirements), even
to criminal justice agencies.)

• Investigative and intelligence information. Customarily, investigative and
intelligence information has
rarely been maintained at a
central State repository;
when maintained, it has not
been integrated with CHRI.
Historically, investigative
and intelligence information
was maintained only at the
local police agency or law
enforcement agency level; it
was not automated or fingerprint-supported; and it
was shared on a closely
held, need-to-know basis
within the law enforcement
community.26

• Original records of entry.
Pieces of an individual’s
criminal history record, but
only infrequently an individual’s entire criminal
history record, are held in
“open record” files maintained by police agencies
and courts. These original
records of entry describe
formal detentions and arrests and include incident
reports, arrest reports, case
reports, and other information that documents that an
individual has been detained, taken into custody,
or otherwise formally
charged. In addition, records of court proceedings
maintained by the courts include indictments, arraignments, preliminary hearings,
pretrial release hearings,
and other court events that,
by law and tradition, are
open to public inspection.
Until very recently, both
types of open record systems were manual or, at
best, only partially automated; they were not comprehensive or reliable, and
related only to events occurring at the particular law enforcement agency or court.
As a consequence, these
systems were difficult and
expensive to use and largely
unsuitable for the compilation of a reliable or comprehensive criminal history
record file. Compilation of
these records into a criminal
history file on an individual
was also difficult because
these record systems were
incident-focused, rather
than individual-focused, and
were not comprehensive,
cumulative, or otherwise
linked on the basis of the
individuals involved in each
incident.

20 42 U.S.C. § 14601.
21 As of June 2001, 12 States (Montana, Georgia, Nevada, Florida, Colorado, Iowa, Connecticut, South
Carolina, Arkansas, Alaska, Oklahoma,
and Maine) had ratified the III Compact, which became effective on April
28, 1999, following the ratification of
the Compact by the first two States.
The Compact now applies between the
States that have ratified it and the Federal government. See, “Crime Prevention and Privacy Compact,” available at
http://www.search.org/policy/compact/privacy.asp.
22 Robert R. Belair and Paul L. Woodard, Use and Management of Criminal
History Record Information: A Comprehensive Report, Criminal Justice
Information Policy series, NCJ 143501
(Washington, D.C.: U.S. Department of
Justice, Bureau of Justice Statistics,
November 1993) pp. 14-17. Hereafter,
Use and Management of CHRI.
23 See, SEARCH Group, Inc., Increasing the Utility of the Criminal
History Record: Report of the National
Task Force, Criminal Justice Information Policy series, NCJ 156922
(Washington, D.C.: U.S. Department of
Justice, Bureau of Justice Statistics,
December 1995) pp. 23-27.
24 Ibid., pp. 22-23.
25 This age varies by State.
26 See, Robert R. Belair, Intelligence
and Investigative Records, Criminal
Justice Information Policy series, NCJ
95787 (Washington, D.C.: U.S. Department of Justice, Bureau of Justice
Statistics, February 1985) pp. 43-49.

By the 1990s, these relatively
traditional elements of the
criminal justice information environment were changing.
Criminal justice information,
particularly including court-based CHRI, was largely automated and was becoming more
publicly available. The role of
the central repositories as the
gatekeeper for CHRI was being
challenged not only by the
courts, but also by automated,
for-profit information brokers
and suppliers and by local
criminal justice agencies. Fundamental changes in expectations about the availability and
utility of criminal justice information fueled accelerating pressures for more and easier access
to criminal justice information.

Constitutional and common law standards with respect to the privacy of criminal history record information

— Constitutional standards
The Constitution remains
largely neutral with respect to
the privacy of CHRI. In particular, the Supreme Court has
held that the Constitution does
not recognize a privacy interest
in the dissemination by criminal
justice agencies of information
about official acts, such as arrests.27 In 1989, in Department
of Justice v. Reporters Committee for Freedom of the
Press,28 the Supreme Court did
recognize, however, that there is
a statutory privacy interest, under the Federal Freedom of Information Act (FOIA), in
automated, comprehensive
criminal history records.29 The
Court held “as a categorical
matter that a third party’s request for law enforcement records or information about a
private citizen can reasonably
be expected to invade that citizen’s privacy, and that when the
request seeks no ‘official information’ about a Government
agency, but merely records that
the Government happens to be
storing, the invasion of privacy
is ‘unwarranted’” and therefore
exempt from disclosure under
FOIA’s privacy provision.30

In 1995, the Court again addressed the privacy risk posed
by computerized criminal history information. In Arizona v.
Evans,31 the Court found that the
“exclusionary rule” does not
require suppression of evidence
seized incident to an arrest resulting from an inaccurate computer record when the error was
caused by court, rather than police, personnel. In a concurring
opinion, Justice O’Connor noted
that “the advent of powerful,
computer-based recordkeeping
systems … facilitate[s] arrests
in ways that have never before
been possible. The police … are
entitled to enjoy the substantial
advantages this technology confers. They may not, however,
rely on it blindly. With the
benefits of more efficient law
enforcement mechanisms comes
the burden of corresponding
constitutional responsibilities.”32

27 Paul v. Davis, 424 U.S. 693, 713
(1976).
28 489 U.S. 749 (1989).
29 The Court has used statutory law,
rather than constitutional law, to protect
privacy in other contexts as well. In
Jaffee v. Redmond, 518 U.S. 1 (1996),
for example, the Court, recognizing the
sensitivity of mental health information, held that Rule 501 of the Federal
Rules of Evidence recognizes a psychotherapist-patient privilege, which
extends to confidential communications
between a licensed social worker and a
patient in the course of psychotherapy.
30 489 U.S. 749, 780 (1989).
31 514 U.S. 1 (1995).
32 Ibid., at 17-18 (O’Connor, J., concurring).

Justice Ginsburg, in dissent,
also expressed concern over the
impact of modern technology on
privacy: “Widespread reliance
on computers to store and convey information generates,
along with manifold benefits,
new possibilities of error, due to
both computer malfunctions and
operator mistakes … .
[C]omputerization greatly amplifies an error’s effect, and correspondingly intensifies the
need for prompt correction; for
inaccurate data can infect not
only one agency, but the many
agencies that share access to the
database.”33
During the 1999-2000 term, the
Supreme Court handed down
two decisions regarding statutory controls on access to public
record information, which,
while not decided on privacy
grounds, are likely to encourage
stronger privacy initiatives.
The first opinion, Los Angeles
Police Department v. United
Reporting Publishing Corp.,34
arose from a 1996 change in
California law governing the
release of arrest information.35
The change limited the release
of arrestee and victim address
information to those who certify
that the request is made for
scholarly, journalistic, political,
or governmental purposes, or
for investigative purposes by a
licensed private investigator.
The law specifically prohibits

33
Ibid., at 26 (Ginsburg, J. dissenting).
34

528 U.S. 32 (1999).

35

CAL. GOV. CODE § 6254(f).

the use of such information “directly or indirectly to sell a
product or service to any individual or group of individuals.”
United Reporting Publishing
Corp., a private publishing
service that had been providing
arrestee address information to
clients under the old statute,
filed suit, alleging that the statute was an unconstitutional
violation of its first amendment
commercial speech rights. The
Ninth Circuit, while finding that
arrestees have a substantial privacy interest in the information
at issue, nevertheless concluded
(as did the district court) the
California law was an unconstitutional infringement on
United Reporting’s first
amendment commercial speech
rights because the “myriad of
exceptions … precludes the
statute from directly and materially advancing the government’s
purported privacy interest.”36
On December 7, 1999, the Supreme Court voted 7 to 2 to reverse, reinstating the California
statute. In its opinion, the majority characterized United Reporting as a case dealing with
access to government records
rather than restrictions on free
speech.37 The Supreme Court also characterized the case as a challenge to the “facial validity” of the California statute and not a challenge based upon the implementation or actual experience with the statute.38 For these reasons the Court opined that California could distinguish among users and uses in crafting rules for access to State-held records. The Court left open the possibility, however, that the statute, as applied, might impinge on United Reporting’s commercial speech rights.

36
United Reporting Publishing Corp. v. Los Angeles Police Department, 146 F.3d 1133, 1140 (9th Cir. 1998).
37
The Court’s decision did not address the commercial speech interests at issue in the regulation of the use of personal information in private records, an issue that has also drawn the attention of the appellate courts. The Tenth Circuit Court of Appeals, for example, acted on first amendment commercial speech grounds, to vacate a rule issued by the Federal Communications Commission that required consumers to opt in to most disclosures of their consumer proprietary network information (CPNI). U.S. West, Inc. v. Federal Communications Commission, 182 F.3d 1224 (10th Cir. 1999), cert. denied, 530 U.S. 1213 (2000). CPNI is information that relates to the quantity, technical configuration, type, destination, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship, including most information contained in telephone bills. See, 47 U.S.C. § 222(f)(1)(A)-(B).
38
In a related development, on December 13, 1999, the Supreme Court
issued an order in McClure v. Amelkin,
528 U.S. 1059 (1999), setting aside a
decision by the Sixth Circuit Court of
Appeals that struck down a Kentucky
law limiting access to motor vehicle
accident reports. The Sixth Circuit
struck down the law — which allows
access to accident victims, victims’
lawyers, victims’ insurers, and the
news media (but not for commercial
purposes) — after finding that the law
violates commercial free speech rights.
The Supreme Court sent the case back
to the Sixth Circuit and ordered the
lower court to restudy the case, taking
into consideration the Supreme Court’s
decision in United Reporting.


In the second opinion, Reno v.
Condon,39 the Supreme Court
unanimously reversed the
Fourth Circuit Court of Appeals,
rejecting a tenth amendment40
challenge by the State of South
Carolina to the constitutionality
of the Driver’s Privacy Protection Act of 1994 (DPPA).41 The
DPPA provides that State departments of motor vehicles
(DMVs) “shall not knowingly
disclose or otherwise make
available to any person or entity
personal information about any
individual obtained by the department in connection with a
motor vehicle record.”42 The
DPPA does contain 14 exceptions pursuant to which States
may elect to disclose DMV records in certain instances.43
Violation of the DPPA may result in criminal fines and a civil cause of action against a person who knowingly violates the statute.44 Although the Court’s brief opinion was based on tenth amendment rather than privacy grounds, the decision potentially opens the door for further Federal regulation of access to State records on privacy grounds.45

39
528 U.S. 32, 120 S.Ct. 483 (2000). The Fourth Circuit case was the first of four decisions issued by the Courts of Appeals on the constitutionality of the DPPA; two decisions upheld the constitutionality of the DPPA, two held it to be unconstitutional. See, Condon v. Reno, 155 F.3d 453 (4th Cir. 1998) (holding DPPA is unconstitutional); Pryor v. Reno, 171 F.3d 1281 (11th Cir. 1999) (holding DPPA is unconstitutional); Travis v. Reno, 160 F.3d. 1000 (7th Cir. 1998) (upholding DPPA); Oklahoma v. United States, 161 F.3d 1266 (10th Cir. 1998) (upholding DPPA). The DPPA has also been challenged on first amendment grounds; however, discussions of first amendment challenges are omitted here. See, for example, Travis v. Reno and Oklahoma v. United States.
40
“The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.” U.S. Const., Amend. X.
41
18 U.S.C. § 2721 et seq.
42
18 U.S.C. § 2721(a).
43
18 U.S.C. § 2721(b).

— Common law standards
Common law privacy doctrines, such as the widely recognized privacy tort of public disclosure of private facts, have proven largely ineffectual when applied to CHRI. Sovereign immunity, civil and official immunity, and the need to show tangible harm arising from the alleged disclosure or misuse of criminal history records have proven to be virtually insurmountable obstacles to common law privacy actions.46 The limited nature of common law and constitutional privacy protections has meant that safeguarding information privacy interests has been left largely to the legislative arena.

44
18 U.S.C. §§ 2723(a), 2724(a).
45
The Court concluded that “the DPPA does not require States in their sovereign capacity to regulate their own citizens. The DPPA regulates the States as the owners of databases. It does not require the South Carolina Legislature to enact any laws or regulations, and it does not require State officials to assist in the enforcement of Federal statutes regulating private individuals. We accordingly conclude that the DPPA is consistent with the constitutional principles enunciated in [New York v. United States, 505 U.S. 144 (1992); and Printz v. United States, 521 U.S. 898 (1997)].” Reno v. Condon, 528 U.S. 32, 120 S.Ct. 666, 672 (2000). In addition, the Court disagreed with the Fourth Circuit’s holding that the DPPA exclusively regulated the States, finding instead that the “DPPA regulates the universe of entities that participate as suppliers to the market for motor vehicle information — the States as initial suppliers of the information in interstate commerce and private resellers or redisclosers of that information in commerce.” Ibid. As a result, the Court did not address the “question whether general applicability is a constitutional requirement for federal regulation of the States.”

Federal criminal history record legislation and regulations
Beginning in the late 1960s and
extending throughout the 1970s,
information privacy standards
for criminal justice information
and, in particular, criminal history records, received considerable attention in statutory
provisions and U.S. Department
of Justice (DOJ) regulations.
Although the privacy protections that emerged from that
debate were not driven by constitutional requirements, constitutional values — such as the
presumption that an individual
is innocent until proven guilty
— have played a role in the development of the law and regulations governing the
management of CHRI.47
46
See, Technical Memorandum No. 12: Criminal Justice Information, Perspective on Liabilities (Sacramento: SEARCH Group, Inc., August 1977) (and as updated in 1981) pp. 5-20.
47
As the Privacy Protection Study Commission noted in its 1977 report: “Constitutional standards specify that convictions, not arrests establish guilt. Thus denial of employment [for example] because of an unproved charge, a charge that has been dismissed, or one for which there has been an adjudication of innocence, is fundamentally unfair.” Supra note 16, Appendix 3, Employment Records, p. 50. The value of arrest records as a decisionmaking tool, particularly in the employment context, has also been challenged on the grounds that racial minorities are arrested in disproportionately high numbers. As a result, the Equal Employment Opportunity Commission and several courts have found that inquiries about arrest records can be a violation of Title VII of the Civil Rights Act of 1964. See, for example, 29 C.F.R. § 1607.4(c)(1); and Gregory v. Litton Sys., 316 F. Supp. 401 (C.D. Cal. 1970), aff'd as modified, 472 F.2d. 631 (9th Cir. 1972) (fact that an individual suffered a number of arrests without any convictions was not conclusive as to wrongdoing and was irrelevant to work qualifications and, because the mere inquiry into arrest records tends to have a chilling effect on minority job applicants, inquiries about arrests may violate Title VII). The U.S. DOJ requires that federally funded criminal justice information systems distinguish between nonconviction information (including certain arrest information) and conviction information. 20 C.F.R. § 20.21(b).

In 1967, the Report of the President’s Commission on Law Enforcement and the Administration of Justice spoke of the need for an “integrated national information system” and recommended that there be established a “national law enforcement directory that records an individual’s arrests for serious crimes, the disposition of each case and all subsequent formal contacts with criminal justice agencies related to those arrests.” The report also emphasized that it is “essential” to identify and protect security and privacy rights to ensure a fair, credible, and politically acceptable national criminal justice information system.48
For most of the last 30 years,
the U.S. DOJ, working through
the FBI, the Law Enforcement
Assistance Administration
(LEAA) and its successor agencies, including, in particular,
OJP, BJS, and the Bureau of
Justice Assistance (BJA), and
the State and local criminal justice information community,
including SEARCH and the FBI
Criminal Justice Information
Services Division’s Advisory
Policy Board (CJIS APB), have
worked toward the implementation of an automated national
system for the exchange of
criminal history records, along
with a set of comprehensive
privacy standards. Several
prominent features dominated
that environment.
Privacy standards for CHRI
have been left largely to statutory and regulatory initiative.
During the 1970s, when public
concern about privacy, automation, and governmental and private information systems was
running high, the Congress considered several legislative proposals that would have imposed
uniform, national information
and privacy standards for CHRI.
All of those proposals failed.49
48
Project SEARCH, Technical Report No. 2: Security and Privacy Considerations in Criminal History Information Systems (Sacramento: California Crime Technological Research Foundation, 1970) pp. 3-5 (quoting from the President’s Commission Report).
49
See, Use and Management of CHRI, supra note 22, p. 36. The FBI’s basic statutory authority to maintain and disseminate criminal history records is at 28 U.S.C. § 534. This provision authorizes the Attorney General to “acquire, collect, classify and preserve criminal identification, crime and other records” and to “exchange such records and information with and for the official use of, authorized officials of the federal government, the States, cities and penal and other institutions.”
50
Pub. L. No. 92-544, Title II, § 201, 86 Stat. 1115.
51
42 U.S.C. § 3789G(b), as amended by § 524(b) of the Crime Control Act of 1973, Pub. L. No. 93-83 (1973).

While the comprehensive proposals for uniform, nationwide standards failed, Congress was not idle. In 1972, for example, Congress authorized the FBI to “exchange identification records” with State and local officials for “purposes of employment and licensing,” provided that the exchange of information is authorized by State statute and approved by the Attorney General, and provided that the exchange of information is made only for official use and is subject to the same restrictions with respect to dissemination as would apply to the FBI.50
In 1973, Congress enacted the so-called “Kennedy Amendment” to the Omnibus Crime Control and Safe Streets Act of 1968, which provides that all CHRI collected, maintained, or disseminated by State and local criminal justice agencies with financial support under the Omnibus Crime Control and Safe Streets Act must be made available for review and challenge by record subjects and must be used only for law enforcement and other lawful purposes.51 LEAA implemented the Kennedy Amendment by adopting comprehensive regulations —
known as the “DOJ regulations”
— intended to “assure that
CHRI wherever it appears is
collected, stored, and disseminated in a manner to insure the
completeness, integrity, accuracy and security of such information and to protect individual
privacy.”52 The regulations set
relatively detailed and ambitious
standards for data quality, while
giving States discretion to set
their own standards for dissemination, recognizing that incomplete or inaccurate criminal
history data, particularly arrest
information without disposition
information, could have negative implications for the record
subject and his or her participation in society.
In addition to regulation of the
handling of criminal history information by criminal justice
agencies, Federal law also
regulates private-sector uses of
criminal history information in
certain circumstances. The Fair
Credit Reporting Act (FCRA),
for example, regulates the compilation, disclosure, and use of
consumer reports, which may
include criminal history information.53

SEARCH Technical Report No. 13
SEARCH has also been active in the formulation of standards for the security and privacy of CHRI. Beginning in 1970, the year after SEARCH was established, SEARCH published a series of reports addressing privacy and security in computerized criminal history files, and providing guidance for legislative and regulatory protections for CHRI.54
In 1975, SEARCH published the widely influential Technical Report No. 13, SEARCH’s first comprehensive statement of 25 recommendations for safeguarding the security and privacy of criminal justice information.55 These recommendations influenced LEAA’s development of the DOJ regulations discussed above, and the Appendix to the DOJ regulations refers States to Technical Report No. 13 for guidance in formulating their State plans.56 Technical Report No. 13 has been revised twice since 1975 — most recently in 1988 — to reflect technological and societal changes that have had an impact on criminal justice information management and privacy.57

52
28 C.F.R. § 20.01.
53
The Fair Credit Reporting Act is discussed in greater detail infra, chapter V, p. 58.
54
See, Technical Report No. 2: Security and Privacy Considerations in Criminal History Information Systems, supra note 48; Project SEARCH, Technical Memorandum No. 3: A Model State Act for Criminal Offender Record Information (Sacramento: California Crime Technological Research Foundation, May 1971); and Project SEARCH, Technical Memorandum No. 4: Model Administrative Regulations for Criminal Offender Record Information (Sacramento: California Crime Technological Research Foundation, 1972).
55
See, Technical Report No. 13: Standards for the Security and Privacy of Criminal Justice Information (Sacramento: SEARCH Group, Inc., 1975).
56
See, 28 C.F.R. Part 20, Appendix § 20.22(a).

State legislation
The bulk of the criminal justice
information maintained in the
United States is maintained at
the State level; therefore, most
of the legislation governing
this information is found at the
State level (with certain important exceptions, such as the DOJ
regulations discussed above).
Throughout the 1970s and into
the 1980s, States adopted statutes based in large measure on
the DOJ regulations and the
SEARCH recommendations. By
the early 1990s, approximately
one-half of the States had enacted comprehensive criminal
history record legislation, and
every State had enacted statutes
that address at least some aspects of criminal history records. The majority of State
laws followed the scheme in the
DOJ regulations that distinguishes between information
referring to convictions and current arrests (arrests that are no
older than 1 year and that do not
yet have the disposition) and
“nonconviction data,” which
includes arrests more than 1
year old without a disposition or
arrests with dispositions favorable to the accused.

57

Technical Report No. 13, 3rd ed.,
supra note 8. The second revision occurred in 1977, at which time the commentary to the 1975 report was
expanded, but the original recommendations were unchanged. Ibid., p. 1.


Under the DOJ regulations and
many State laws, conviction
information can be made available largely without restriction.
Nonconviction data, on the
other hand, cannot be made
available under the DOJ regulations unless authorized by a
State statute, ordinance, executive order, or court rule.58 Furthermore, the DOJ regulations
provide that when CHRI is disseminated to noncriminal justice
agencies, its use “shall be limited to the purpose for which it
was given.”59
Today, a relatively stable and
uniform approach to protect the
privacy of CHRI is in place
throughout the United States.60
Five fundamental principles, in
many ways reflective of the
HEW Code of Fair Information
Practices, characterize the U.S.
approach to protecting the privacy of CHRI:
1. Subject access and correction. As of 1999, 51 of the 53 jurisdictions surveyed (the 50 States plus the District of Columbia, Puerto Rico, and the U.S. Virgin Islands) give record subjects a right to inspect their criminal history records, and 44 jurisdictions permit record subjects to challenge and/or offer corrections for information in their criminal history records.61
2. Restrictions on the collection and/or integration of criminal history information. Most States have adopted formal or informal restrictions that segregate CHRI from other types of personal information. Thus, CHRI seldom includes juvenile justice information; customarily never includes investigative or intelligence information; and customarily never includes medical information, employment information, financial information, military or citizenship status information, or other types of personal information. Although repositories continue to segregate CHRI in this manner, end-users of information increasingly are able to combine CHRI obtained from the State repositories with noncriminal history record information obtained from commercial information vendors and other sources in order to create a more detailed picture of the individual.
3. Data quality and data maintenance safeguards. As of 1999, 52 of 53 jurisdictions have adopted standards for ensuring the accuracy and completeness of CHRI.62
• Fingerprint versus “name-only” access. In virtually every State, all criminal histories maintained by a central State repository must be supported by a fingerprint record and, with certain exceptions, requests must be accompanied by a fingerprint. Fingerprint support ensures that the record maintained at the repository relates to the correct person, and that the repository’s response similarly relates to the correct person. The principal exception for law enforcement requests occurs in instances where the law enforcement agency does not have the individual in custody and, therefore, cannot provide a fingerprint, or in situations requiring a quick turnaround. In those instances, a “name-only” check (customarily, not just a name but also other demographic information, such as gender, date of birth, race, and other physical indicators) is permitted.
• Disposition reporting. Repositories attempt to obtain disposition information from the courts. In recent years, the percentage of arrests maintained at the repositories that include available dispositions has increased substantially; however, incomplete records remain a problem.63
• Sealing and purging. As of 1999, 42 States have adopted laws that permit the purging (destruction) of nonconviction information and 27 jurisdictions have adopted standards for the purging of conviction information if certain conditions are met. In addition, 33 States have adopted laws and regulations to permit the sealing of nonconviction information and 30 States have adopted laws and standards to permit the sealing of conviction information.64

58
28 C.F.R. § 20.21(b).
59
28 C.F.R. § 20.21(c)(1).
60
BJS supports a biennial survey, conducted by SEARCH, to assess State privacy practices. See, Paul L. Woodard and Eric C. Johnson, Compendium of State Privacy and Security Legislation: 1999 Overview, NCJ 182294 (Washington, D.C.: U.S. Department of Justice, Bureau of Justice Statistics, July 2000). Hereafter, Compendium.
61
Ibid., p. 16.
62
Ibid.

63
As of 1999, the most recent year for which figures are available, 18 States and the District of Columbia report that 80% or more of arrests within the past 5 years in the criminal history database had final dispositions recorded, while 32 States and the District of Columbia report that 60% or more of the arrests in the past 5 years have final dispositions attached. Overall, the figures are lower when arrests older than 5 years are factored in. When arrests greater than 5 years old are included, only 15 States report that 80% or more arrests in their entire criminal history database have final dispositions attached, while 32 States report that 60% or more arrests have dispositions attached. Sheila J. Barton, Survey of State Criminal History Information Systems, 1999, Criminal Justice Information Policy series, NCJ 184793 (Washington, D.C.: U.S. Department of Justice, Bureau of Justice Statistics, October 2000) p. 2.
64
Compendium, supra note 60, p. 16.

4. Security. As of 1999, 42 jurisdictions have adopted formal standards for technical, administrative, physical, and/or personnel security.65 As a practical matter, however, security standards are in place for all 52 jurisdictions that have established central State repositories. The extent and nature of those standards, however, vary substantially.
65
Ibid.
66
Ibid.
67
Traditionally, law and policy has distinguished sharply between conviction and nonconviction information. In many jurisdictions, conviction information is available to broad segments of noncriminal justice employers and other authorized users, if not the general public, through central repositories. By contrast, nonconviction information, even in 1999, is almost never publicly available from central repositories, with rare exceptions in some States for special categories of offenses, such as sex offenses.

5. Use and disclosure. As of 1999, all 53 jurisdictions have adopted laws or regulations setting standards for the use and/or dissemination of CHRI.66 As a practical matter, every State makes all CHRI available for criminal justice purposes. Outside of the criminal justice system, however, conviction information is widely available but nonconviction information remains largely unavailable or available only to certain types of users (licensing boards and certain kinds of employers who employ individuals in highly sensitive positions, such as school bus drivers or child care workers).67 (Of course, sealing and purging provisions also work effectively to provide dissemination and confidentiality safeguards.)
• Criminal justice access. Law and policy in every State provides that criminal justice requestors can obtain all information in the criminal history record unless the information has been sealed by statute or court order. Most States, however, have some process for sealing or purging CHRI when it is no longer considered relevant.
• Noncriminal justice access. The repositories provide CHRI to noncriminal justice requestors authorized by State law, such as licensing boards and certain types of employers. In most States, authorized noncriminal justice requestors receive less than the full record — most often limited to conviction-only information.
• Public access. Except in a few “open record” States, such as Florida and Wisconsin, the general public is restricted in its ability to obtain CHRI from the central State repository, with the exception of certain classes of information, such as sex offender registry information.


Access to criminal history record information in “open,” “intermediate,” and “closed” record States: Three case studies
Florida: An “open records” State

In 1977, the Florida Department
of Law Enforcement (FDLE)
adopted a policy of making all
State-generated criminal history
records available upon request
by any member of the public for
any purpose, upon payment of
the applicable fees, which are
designed to offset the costs of
public record access requests.
The policy, which is designed to
implement the State’s public
record law, is interpreted in
conjunction with Chapter 943 of
the Florida Statutes, which
regulates the collection, maintenance, and dissemination of
criminal justice information.
Section 943.053(2) effectively
restricts the applicability of the
State public records law to
Florida-generated records by
providing that criminal justice
information obtained from the
Federal government and other
States shall only be disseminated in accordance with Federal law and policy, and the law
and policy of the originating
States. Similarly, section
943.054(1) restricts the ability
of FDLE to make available any
information derived from a
system of the U.S. DOJ to only
those noncriminal justice purposes approved by the Attorney
General or the Attorney General’s designee.
During fiscal year 1998-1999,
FDLE responded to 1,484,273
requests for criminal history

record checks. Criminal history
checks for sensitive employment, licensing, and firearms
purchases identified 264,148
individuals with criminal histories. Noncriminal justice recipients of criminal history records
fall into two broad categories.
The first category is comprised
of agencies and organizations
with approved statutory authorizations to receive information
from the FBI as well as FDLE.
As of September 30, 1999, this
category included 221 agencies
with FBI-assigned originating
agency identifiers (ORIs) signifying approval of their access
authority by the U.S. Attorney
General. This category is comprised primarily of State departments and agencies
authorized to access information
for employment background
checks, but the list also includes
licensing bureaus, universities,
State commissions, and the
agency responsible for running
the State lottery. For the fiscal
year ending June 30, 1999, these
agencies filed 271,230 records
requests for approved licensing
and employment purposes.
The second category is comprised of agencies and organizations without statutory
authorization that are eligible to
receive information only from
FDLE files pursuant to the public records law. There is a $15
fee for processing requests
made either by letter or electronic submission. Requestors in
this second category can request
a search of Florida-generated
criminal records for any purpose, by paying the appropriate
fee. These inquiries are typically
“name only,” although fingerprints will be compared if supplied by the requestor.
Responses to these requests include all unsealed, Florida-generated criminal history records in the FDLE computerized files. As of September 30,
1999, this category includes
approximately 15,913 agencies
and organizations that filed
1,001,307 criminal record access checks under the public
records law during fiscal year
1998-1999. These requests were
filed by all levels and types of
agencies for a wide variety of
purposes, although FDLE officials report the most common
reason was employment
screening. Most of these agencies are regular users that have
been assigned account numbers
to facilitate billing and processing. Other requests are received on a one-time-only or
irregular basis from agencies or
individuals for undetermined
purposes.
In addition to requests for an
individual’s entire criminal history record, FDLE administers
databases of sexual offenders
and sexual predators (as defined
under Florida law) that the public can search over the Internet.


Searches can be conducted online, instantly, on the basis of
county, city, ZIP code, and/or
pattern for last name. FDLE
estimates that these databases,
which contain records on approximately 15,650 offenders,
received 347,245 hits during
fiscal year 1998-1999.
Sources:
• Florida Department of Law Enforcement.
• Florida Department of Law Enforcement, Annual Performance Report, Fiscal Year 1998-1999.
• Florida Department of Law Enforcement Internet site: http://www.fdle.state.fl.us
• Paul L. Woodard, A Florida Case Study: Availability of Criminal History Records, The Effect of an Open Records Policy (Sacramento: SEARCH Group, Inc., 1990).


Washington: An “intermediate records” State

The Washington State Patrol
(WSP) is responsible for the
maintenance of the Washington
repository of CHRI.
Certified criminal justice agencies may request and receive
CHRI without restriction for
criminal justice purposes.
Noncriminal justice entities and
individuals may receive access
to only conviction information.
Depending upon the purpose of
the request, WSP may respond
under two different statutes, the
Criminal Records Privacy Act
(Chapter 10.97 Revised Code of
Washington (RCW)) or the
Child and Adult Abuse Information Act (RCW §§ 43.43.830-.845). Responses to information
requests made using Washington Access to Criminal History
(WATCH), an online system,
are immediate. Paper requests
take 3-10 weeks for processing.
Fees, which are waived for nonprofit organizations in certain
circumstances, range from $10
for a “name-only” search to $25
for a fingerprint-supported
search. WSP estimates that,
from 1996 through 1999, it has
responded to 1,128,392 noncriminal justice requests for
CHRI.
Requests made pursuant to the
Criminal Records Privacy Act,
which provide the requestor
with conviction information,
can be made by anyone for any
purpose, without the consent of
the record subject. If there is a

record, the requestor will receive a report detailing all State
of Washington convictions and
pending arrests under 1 year old
without disposition. The record
will also reflect whether the individual is a registered sex offender or kidnapper. Secondary
disclosure of CHRI obtained
pursuant to the statute, however,
is restricted. WSP estimates
that, from 1996 through 1999, it
has responded to 392,218 requests for CHRI by noncriminal
justice agencies under this Act.
Eligibility for access to CHRI
under the Child and Adult Abuse
Information Act is “limited to
businesses or organizations licensed in the State of Washington; any agency of the State;
or other governmental entities
that educate, train, treat, supervise, house, or provide recreation to developmentally disabled
persons, vulnerable adults, or
children under 16 years of age.”
If a record exists, it will include
“State of Washington convictions and pending arrest offenses under one year old of
crimes against children or other
persons, crimes of financial exploitation, civil adjudications,
and sex offender and kidnapper
registration information.” The
State requires that the requestor
provide a copy of the report to
the record subject. Use of records obtained by employers
pursuant to this Act is limited
by RCW 43.43.835(5) to
“making the initial employment

or engagement decision.” Further dissemination or use of the
record is prohibited. Violators
are subject to civil damages.
WSP estimates that, from 1996
through 1999, it responded to
692,734 requests from businesses/organizations/employers.
This includes volunteer and employee record checks. WSP does
not maintain statistics specifically regarding the number of
employers who requested information.
WSP does not make sex offender information publicly
available over the Internet, although some local departments
do so. WSP does make some
sex offender information available for certain employment
background checks. WSP disseminates limited information
on sex offenders to the general
public in response to written
requests. Based upon the risk
level of the offender, local law
enforcement may notify neighbors and community members
or, in the case of high-risk offenders, issue press releases.
WSP estimates that it responded
to 36 written requests for information on specific sex offenders
during 1999. These were specific requests for a list of
sex/kidnapping offenders
through the WSP Public Disclosure Office. Information provided includes name, date of
birth, registering agency, and
the date of registration.


Sources:
• Washington State Patrol.
• Washington State Patrol Internet site: http://www.wa.gov/wsp/crime/crimhist.htm
• Devron B. Adams, Update 1999: Summary of State Sex Offender Registry Dissemination Procedures, Fact Sheet series, NCJ 177620 (Washington, D.C.: U.S. Department of Justice, Bureau of Justice Statistics, August 1999) p. 7.


Massachusetts: A “closed records” State

The Massachusetts Criminal
History Systems Board (CHSB)
was created in 1972 by the
Criminal Offender Record Information Act (CORI) and is
governed by a 17-member board
comprised of representatives of
the criminal justice community.
Criminal justice requests for
criminal history records are
handled electronically, while
public access requests, which
are restricted, are processed using the U.S. mail and email.
Public access requests must include the name and date of birth
of the person who is the subject
of the inquiry. There is a $25
fee for processing requests,
which must be typed and accompanied by a self-addressed,
stamped envelope. Not all
criminal history records are
available to the public. The determination of public access
depends upon a number of factors, including the charge, the
sentence, current status, and
length of time that has passed
since sentence completion. Specifically, in order for the information to be publicly accessible,
the record subject must have
been:
• Convicted of a crime punishable by a sentence of 5
years or more; or
• Convicted of any crime and
sentenced to a term of incarceration.

In addition, at the time of the
request for access to the individual’s criminal history record,
the record subject must:
• Be incarcerated; or
• Be on probation; or
• Be on parole; or
• Have been convicted of a
misdemeanor, having been
released from all custody
(that is, incarceration, probation, or parole) or supervision for not more than 1
year; or
• Have been convicted of a
felony, having been released
from all custody (that is, incarceration, probation, or
parole) or supervision
within the last 2 years; or
• Have been sentenced to the
custody of the Department
of Correction, having finally
been discharged therefrom,
either having been denied
release on parole or having
been returned to penal custody for violating parole, for
not more than 3 years.
CHSB estimates that it received
12,373 public access requests
during 1999.
CHSB certifies applicants for
access to non-publicly available
criminal history information if
the requestor: (1) qualifies as a
criminal justice agency; (2)
qualifies as an agency or individual authorized to have access
by State law; and/or (3) it has
been determined that the public
interest in disseminating such
information clearly outweighs
individual privacy interests.
There are approximately 6,700
noncriminal justice agencies in
Massachusetts authorized to
access criminal records. Parents,
for example, can seek access to
all conviction and pending case
information on prospective daycare providers with the written,
notarized consent of the record
subject. Parents are prohibited
from disclosing any results of
the criminal history check to
third parties. In addition, Massachusetts law prohibits a person from requesting or requiring
a record subject to produce a
copy of his or her record, unless
authorized to do so by CHSB. In
1999, CHSB processed 659,808
requests for access to criminal
history information that is not
publicly available.
Sex offender information is
subject to separate rules. Massachusetts makes information
available about registered sex
offenders classified by the Massachusetts Sex Offender Registry Board (SORB) as posing a
moderate or high risk (after the
offender has an opportunity for
administrative evidentiary proceedings). Registry information
may be obtained in person at
local police departments or by
requesting information from the
SORB by mail.
The form of public inquiries is
limited. If a member of the public makes an in-person request,
he or she may:


1. Inquire whether a specifically named individual or a
person described by sufficient identifying information to allow the police to
identify the individual is a
sex offender; or
2. Inquire whether any sex
offenders live or work
within the same city or town
at a specific address, including, but not limited to, a
residential address, business
address, school, after-school
program, daycare center,
playground, recreational
area, or other identified address; or
3. Inquire whether any sex
offenders live or work at a
specific street address
within the city or town
where the person is requesting sex offender information; or
4. Where the police department is located in a city or
town with more than one
ZIP code area, the inquiry
may ask whether any sex
offenders live or work
within a specified ZIP code.
In Boston, such inquiry may
be made by specified police
district.

Only option one (inquiries about
named individuals) is available
in the case of written requests to
the SORB.
If an in-person request results in
the identification of a sex offender, the requestor will be
provided with the offender’s
name, home address, work address, age, sex, height, weight,
eye and hair color, the sex offenses committed and the dates
of conviction and/or adjudication, and a photograph of the
offender, if available. If a written request is submitted to the
SORB, the requestor will be
provided with a report identifying whether the person is a sex
offender with an obligation to
register; the offenses for which
he/she was convicted or adjudicated; and the dates of such
convictions or adjudications.
Responses to both personal and
mail requests are provided free
of charge and all information
provided includes language
cautioning that the misuse of
sex offender information for
purposes of harassment or discrimination is prohibited.
Sources:
• Massachusetts Criminal History Systems Board.
• Massachusetts Sex Offender Registry Board Internet site: http://www.state.ma.us/sorb


V. Change drivers and trend lines: The basis for a new
look at privacy and criminal justice information
By the late 1990s, 10 interrelated and fundamental developments were outflanking the
generation of privacy and information safeguards that
emerged in the 1970s and the
1980s.
These trends and change drivers
have overtaken traditional rules
for access and use, arguably
requiring new rules to reestablish the balance between
privacy and disclosure of criminal justice information.68 On one
side of the equation, there is
growing public concern about
privacy in general, and the confidentiality of personal information in particular. On the other
side, there are a number of cultural-, technological-, and policy-driven factors that tend to
promote greater access to criminal justice information. The
Task Force concludes that many
of these change drivers are irreversible. What is not irreversible, however, is the degree to
which these change drivers will
inform future privacy standards
for criminal justice information.
By identifying the change drivers set forth below, the Task
Force hopes to encourage effective debate as to a new generation of criminal justice
information privacy standards.
• Public concern about privacy. In the late 1990s, the
American public registered
the strongest concerns ever
recorded about threats to
their personal privacy from
both government and business. Ninety-four percent of
respondents said in a 1999
survey that they are concerned about the possible
misuse of their personal information. Of the concerned, 77% said they were
“very concerned.”69

• The “Information Culture.” A new and emerging
culture of information access and use facilitated by
personal computers, browsers, search engines, online
databases, and the Internet
has helped to create a demand for, and a market in,
information, including
criminal justice information,
while at the same time fostering in many a sense of
lack of control over one’s
personal information and a
loss of privacy.

68 These trends and change drivers reflect elements of cause and consequence. It is, of course, not as
important to assign degrees of causality
to these developments as it is to identify and understand these developments
and the nature of the challenge that
they pose to established criminal justice
information policy and privacy standards.

69 IBM Multi-National Consumer Privacy Survey, October 1999, p. 71,
available at http://www.ibm.com/services/e-business/priwkshop.html.
Hereafter, IBM Consumer Privacy
Survey.

• Technological change.
Revolutionary improvements in information, identification, and
communications technologies (including increasingly
advanced software applications and Internet-based
technologies), and the increased affordability of
these technologies, fuel the
appetite for information and
create new players in the
criminal justice information
arena.

• System integration. Initiatives to integrate criminal
justice information systems
operated by law enforcement, courts, prosecution,
and corrections — as well
as to integrate these systems
with information systems
maintaining other types of
personal information —
create powerful new information resources. At the
same time, these integration
initiatives may create uncertainty about the types of
privacy laws and policies
that apply to these new
systems, and dilute existing
policies designed to keep information separate.

• New approach that closely
resembles a “Business
Model” for the criminal
justice system. Two fundamental changes in the
way the criminal justice
system operates — (1) a
new, more cooperative,
community-based relationship between criminal justice agencies and citizens;
and (2) added criminal justice agency responsibilities
to provide information to
surrounding communities,
Federal, State, and local
agencies, other police departments, and other organizations — have had a
profound impact upon the
approach that criminal justice agencies take to obtaining and using
information. This new approach — a “data-driven,
problem-solving approach”
— also creates privacy risks
through a wider circulation
of criminal justice information.

• Noncriminal justice demand. A persistent and
ever-increasing demand by
noncriminal justice users to
obtain CHRI has had a pervasive and important impact
on the availability of information.

• Commercial compilation
and sale. Changes in the information marketplace,
which feature the private
sector’s acquisition, compilation, and sale of criminal justice information
obtained from police and,
more particularly, court-based open record systems,
are making information
similar to that found in
criminal history records
more widely available to
those outside the criminal
justice system.

• Government statutes and
initiatives. A host of new
government initiatives and
laws, aimed at providing
criminal justice information
to broader audiences, on a
more cost-effective and
timely basis, has also fueled
the availability of criminal
justice information.

• Juvenile justice reform.
Demands for juvenile justice records, particularly
those involving violent offenses, which result in
treating juvenile information in a way that very much
resembles the handling of
adult records, are also putting
pressure on traditional information and privacy policies.

• Intelligence systems.
Criminal justice intelligence
systems are being automated, regionalized, and
armed with CHRI and other
personal information to create detailed personal profiles for law enforcement
use.

Information privacy concerns at a historic high level
Today, concern about information privacy in the United States
is at a high-water mark. This
concern is evidenced in public
opinion survey results, government attention to the privacy
issue, and media treatment of
government and private-sector
initiatives that are viewed as an
impingement on privacy or fair
information practices.

— Public opinion survey results
Periodic surveys, including
those conducted by Harris Interactive and Opinion Research
Corporation in association with
Dr. Alan F. Westin,70 repeatedly
indicate that the public is deeply
concerned about privacy.
The growing traction of privacy
as an issue can be illustrated by
the following statistics from
public opinion surveys concerning consumer privacy issues:

• A 1999 Wall Street Journal/NBC News survey
asked respondents this
question: “Which one or
two issues concern them the
most about the next century?” With 29 percent of
respondents, the potential
“loss of personal privacy”
topped the list, finishing
ahead of concerns about issues such as terrorism,
overpopulation, world war,
and global warming.71

• In the late 1990s, the
American public registered
the strongest concerns ever
recorded about threats to
their personal privacy from
both government and business. In a 1999 survey, 94%
of respondents said they are
concerned about the possible misuse of their personal
information. Of the concerned, 77% said they were
“very concerned.”72

• In that same 1999 survey,
72% of Internet users said
they were “very” concerned
about threats to their personal privacy today when
using the Internet, and 92%
said they were “very” or
“somewhat” concerned.
However, 66% believed that
the “benefits of using the
Internet to get information,
send email, and to shop far
outweigh the privacy problems that are currently being
worked on today.”73

70 As previously noted, one of the responsibilities of the National Task
Force was to provide advice with respect to the first-ever national opinion
survey of the public’s attitudes about
privacy and criminal justice information. The results of that survey, which
was developed and administered by
Opinion Research Corporation concurrent to the preparation of this report and
conducted once this report was largely
finished, are being published separately
by BJS as a companion report titled
“Privacy, Technology and Criminal
Justice Information: Public Attitudes
Toward Uses of Criminal History Information, Summary of Survey Findings” (NCJ 187633).

71 Albert R. Hunt, “Americans Look
to 21st Century With Optimism and
Confidence,” Wall Street Journal
(September 16, 1999) p. A9. On the
other hand, in 1995, when an Equifax/Harris survey gave respondents a
list limited to nine consumer issues to
rate in importance, privacy finished
exactly in the middle (fifth) in terms of
being “very important,” at 61%. Rated
higher in being very important were
controlling the cost of medical insurance (84%); staying out of excessive
debt (83%); reducing insurance fraud
(74%); and controlling false advertising
(71%). See, infra, note 74.

72 IBM Consumer Privacy Survey, supra note 69, p. 71.

73 Ibid., pp. 72, 77.

• A mid-1990s survey indicated that although a narrow
majority of survey respondents worried primarily
about government invasions
of privacy (52% in 1994
and 51% in 1995), a substantial minority expressed
primary concern about activities of business (40% in
1994 and 43% in 1995).
And, almost two-thirds of
the public disagreed with
the statement that “the Federal Government since Watergate has not been
seriously invading people’s
privacy (64% in 1990 and
62% in 1995).”74
• Surveys suggest that the
driving factors behind privacy attitudes, both in general and in specific
consumer areas, are the individual’s level of distrust
in institutions and fears of
technology abuse.75

• A large percentage of the
public feels that consumers
have “lost all control over
how personal information
about them is circulated and
used by companies.”76

• Seventy-two percent said
they have read or heard a
great deal or a moderate
amount about invasion of
privacy in the past year.
One-quarter of the public
(25% in 1991 and 1995)
said they have personally
been victims of what they
felt was an invasion of their
privacy,77 and 29% (in
1999) said they had been
victims of a business invasion of their consumer privacy.78

• There has also been a major
increase in privacy-asserting
behaviors by U.S. consumers. The percentage of people who said they have
refused to give information
to a business or company
because they thought it was
not needed or was too personal has risen from 52% in
1990 to 78% in 1999. Also
in 1999, 53% of respondents said they have asked a
company not to sell or give
their name and address to
another company, and 54%
said they had decided not to
use or purchase something
from a company because
they were not sure how their
personal information would
be used.79

74 Louis Harris and Associates, Equifax-Harris Mid-Decade Consumer
Privacy Survey (1995) p. 9.

75 Ibid., p. 12. The Harris/Westin Distrust Index, first used in 1978 and
tested throughout the 1990s, combines
measurement of distrust in institutions
(government, voting, and business)
with fear that technology is almost out
of control. The surveys have found that
a respondent’s score on the Distrust
Index correlates with a majority of that
respondent’s positions on privacy in
general and the industry-specific questions on each survey.
The higher the Distrust Score, the more
a respondent will express concern
about threats to privacy, believe that
consumers have lost all control over
uses of their information by business,
reject the relevance and propriety of
information sought in particular situations, call for legislation to forbid various information practices, etc.
In 1995, for example, the American
public divided as follows on the Distrust Index:
• High (distrustful on 3-4 questions): 29%
• Medium (distrustful on 2 questions): 42%
• Low (distrustful on 1 question): 23%
• Not (no distrustful answers): 6%
In 13 of the survey’s 16 questions asking about general privacy concerns and
measuring specific privacy attitudes,
the strongest privacy positions were
registered by the High Distrustful respondents; the next strongest by the
Medium Distrustful; and so on through
the Low to Not Distrustful. In survey
terms, this is confirmation of the direct
relationship between the Distrust orientation and positions on privacy issues. Ibid.

76 IBM Consumer Privacy Survey, supra note 69, p. 70.

77 Louis Harris and Associates, Inc.,
1996 Equifax/Harris Consumer Privacy Survey (1996) p. 4.

78 IBM Consumer Privacy Survey, supra note 69, p. 74.

— Activity at the Federal
and State level to protect privacy
This high level of public concern about privacy issues has
not gone unnoticed by the Federal government and States. Recent congressional activity
suggests that Congress likely
will be increasingly active on a
range of privacy issues.80 For
example:

• Perhaps the most prominent
piece of privacy legislation
to be enacted during the
106th Congress was Title V
of the Gramm-Leach-Bliley
Act (G-L-B Act).81 It requires that financial institutions take steps to protect
the privacy of nonpublic financial information about
consumers, including providing notice and an opportunity to opt-out of most
disclosures of nonpublic
personal information to
nonaffiliated third parties.
The enactment of the G-L-B
Act, however, has not ended
the debate. Many members
of Congress believe that still
stronger protections are
needed.

• Senator Richard Shelby (R-AL) included language in
the Department of Transportation Appropriations
Act for fiscal year 200082
that requires the States to
adopt an opt-in mechanism
for use of personal information in motor vehicle records for marketing
(excluding insurance rate
setting), survey, or solicitation purposes, and for any
use of driver’s license photographs.

• Other domestic privacy issues receiving congressional
attention include health information privacy issues,
online privacy, the use and
disclosure of the Social Security number, access to
public record/government
repository information, and
the possible creation of a
privacy study commission.

Privacy is an issue that cuts
across political and ideological
boundaries. On February 10,
2000, for example, Senator
Shelby, Senator Richard Bryan
(D-NV), Representative Ed
Markey (D-MA), and Representative Joe Barton (R-TX)
held a news conference to announce the formation of the bipartisan, bicameral
Congressional Privacy Caucus
(CPC). The purpose of the CPC
is to: (1) educate Members of
Congress and staff about individual privacy issues; (2) provide a forum for the discussion
of individual privacy issues; and
(3) advocate for personal privacy protections.
The State legislatures have also
been active on privacy issues.
During 2000, at least 1,622 consumer privacy bills (focusing on
financial services, health, insurance, direct marketing, telecommunications, and
online/Internet services) were
introduced in State legislatures
and 422 bills were enacted.
Thirty-nine States enacted legislation, with health, finance,
and insurance-related measures
being the most common enactments.83 In another example,
groups as diverse as the American Civil Liberties Union
(ACLU) and Phyllis Schlafly’s
Eagle Forum have supported
health information privacy legislation.

79 Ibid., p. 87.

80 This is not to say that Congress also
has not been criticized as being insensitive to privacy concerns. Congress,
for example, passed legislation requiring a unique national health identifier
for every American (to facilitate health
care), as well as a requirement that all
States use an individual’s Social Security number as the person’s driver’s
license number (to combat illegal immigration). Congress later reversed
itself in both cases, following complaints about the adverse privacy implications of these measures.

81 Pub. L. No. 106-102.

82 Pub. L. No. 106-69, § 350.

83 Privacy & American Business,
“Privacy Legislation in the States –
2000” (January 2001).

At the same time, the Federal
executive branch has launched
numerous privacy protection
initiatives. The Federal Trade
Commission (FTC), the Federal
Communications Commission,
the U.S. DOJ, the U.S. Department of Health and Human
Services, the Office of Management and Budget, the Office
of the Vice President, the Federal financial regulatory agencies, the National Highway
Transportation and Safety Administration (on intelligent vehicle-tracking systems), and the
U.S. Department of Commerce
have all published privacy-related regulations or guidelines; conducted privacy studies;
initiated privacy-related administrative actions; and/or
promoted information privacy
initiatives.
State officials have also been
active on the privacy issue. The
National Association of Attorneys General, for example, has
voted to make privacy one of
their top priorities and several
Attorneys General have already
taken legal action against companies they believe to be misusing consumer data.84 In
addition, the Governor of
Washington issued an Executive
Order requiring State agencies
to implement a set of privacy
protections for public records to
the maximum extent permitted
by State law.85
84 Gail Appleson, “Drive to Protect
U.S. Consumer Privacy,” Reuters
(March 24, 2000, 3:47 PM ET).

85 Governor Gary Locke, “Public Records Privacy Protections,” Washington
State Executive Order 00-03 (April 25,
2000).

— Privacy issues are
receiving increasing
media attention, often
requiring companies
and government
agencies to modify
their practices
Media coverage and its aftermath are also illustrative of increasing concern over
information privacy issues.
Typically, this cycle begins with
media reports highlighting government or private-sector information practices that raise
privacy issues. Once these practices become well-publicized,
an ensuing firestorm of public
pressure frequently forces the
private- or public-sector entity
responsible to modify or terminate the practices that offended
public sensibilities. To date,
although a few of the more
prominent privacy firestorms
have involved information that
may have been used by law enforcement to some degree for
intelligence or investigative
purposes, the most notable of
these “firestorms” have not involved criminal justice information.
Examples of private-sector privacy firestorms during the past
2 years include: Internet advertising giant DoubleClick; Image
Data, a small New Hampshire
company test marketing the use
of DMV photographs for antifraud and identity theft prevention purposes; America Online
(AOL); and supermarkets and
pharmacies, such as Giant and
CVS.

• DoubleClick. During its 4-year life, Internet advertising giant DoubleClick has
collected clickstream information from its participating Web sites and then used
that data to help those Web
sites customize the banner
and pop-up advertisements
that visitors see. DoubleClick could not identify the
visitor, only the visitor’s
computer. The privacy firestorm began in November
1999 when DoubleClick
spent $1.7 billion to purchase Abacus Direct, the
largest database of consumer catalogue activity.
DoubleClick’s plan, which
drew intense criticism, was
to marry its clickstream data
with Abacus’ offline data to
identify specific consumers
(not just their computers),
and then create a profile of
the consumer’s interests and
buying activity.
Not only did DoubleClick
receive a torrent of adverse
media coverage, it also received over 100,000 consumer complaints in
response to an online protest
organized by the Center for
Democracy and Technology. In addition, the FTC,
as well as the attorneys general of Michigan, Connecticut, New York, and
Vermont, announced an investigation of DoubleClick’s activities; several
class-action lawsuits had
been filed; and Internet-industry players, such as
search engine AltaVista Co.
and Internet home delivery
service Kozmo.com Inc.,
took steps to distance themselves from DoubleClick. If
that had not been enough,
the company’s stock price
fell by more than 25 percent
during the firestorm, but rebounded somewhat following the company’s
announcement on March 2,
2000, that it would not go
forward with the profile
plan.86
• Image Data. One of the
largest privacy firestorms of
1999 began in January 1999
when the Washington Post
reported that Image Data, a
small New Hampshire company, had developed a
product designed to combat
check and credit card fraud
and identity theft, using
State DMV photographs.
Image Data had entered into
contracts with several
States, whereby Image Data
was permitted to digitize
DMV photographs of individuals and store the photographs in a database. Under
Image Data’s plan, merchants would be able to access this database, using a
small screen installed near
the merchant’s cash register,
to verify the identity of the
purchaser when the customer presented the merchant with a check or credit
card.

Image Data had entered into
agreements with South
Carolina, Colorado, and
Florida to obtain driver’s license photographs and other
information and was testing
its program in South Carolina when the Post story
broke. A public outcry ensued with State officials receiving a torrent of angry
telephone calls protesting
the plan (a class-action lawsuit was even filed in Florida). Public ire appears to
have been a product of several factors. As one South
Carolina woman described
it: “We were livid [upon
hearing about the Image
Data program]. In my
opinion, a South Carolina
driver’s license is a need,
not a want. We have no
choice but to give our information in order to have
one. Then they turn around
and sell it to a company, as
personal as it is: my weight,
my height, my address —
my God, my image. There
are endless possibilities as
to what could be done with
it.”87 As a result of the public outcry that ensued, all
three States terminated their
contracts with Image Data.
South Carolina, the only
State that had transferred
photos before the story
broke, sought to retrieve
any photos already transferred. Image Data is reported to be moving
forward with its program on
an “opt-in” basis, giving
consumers the option of
having their driver’s license
photograph added to the
Image Data database.

In the months subsequent to
the initial story, reports
arose alleging that the Secret Service and other Federal agencies intended to
use the Image Data database
of photographs for counterterrorism, immigration control, and other law enforcement activities. Both the
Secret Service and Image
Data have denied this
charge, stating that while
Federal authorities expressed interest in the technology (and Congress
“earmarked” funds for the
program in 1997), the database developed by Image
Data was never a part of
these discussions.88

86 “DoubleClick Cries ‘Uncle’ …Sam
(Sort of),” Privacy Times, Evan Hendricks, ed., Vol. 20, No. 5 (March 3,
2000) pp. 5-6. See also, Bloomberg
News, “DoubleClick in Settlement
Discussions” CNET News (Mar. 23,
2000), available at
http://aolcom.cnet.com/news/0-1005-200-1582990.html.

87 Robert O’Harrow, Jr., “Drivers Angered Over Firm’s Purchase of Photos,”
Washington Post (January 28, 1999)
pp. E1, E8. See also, Robert O’Harrow,
Jr., “Posing a Privacy Problem?
Driver’s License Photos Used in Anti-Fraud Database,” Washington Post
(January 22, 1999) pp. A1, A22; Robert
O’Harrow Jr. and Liz Leyden, “Sale of
License Photos Sparks Uproar, Colorado Governor Vows to Prevent Transfer to Private Firm,” Washington Post
(January 30, 1999) p. E1; Robert
O’Harrow, Jr., “Gov. Cancels Sale of
Fla. Driver License Photos to Private
Firm,” Washington Post (February 2,
1999) p. E3.

88 See, David McGuire, “Feds Deny
Alleged Misuse of Photo Database,”
Newsbytes (September 7, 1999), available at http://www.infowar.com/class_1/99/class1_090899a_j.shtml.

• America Online. America
Online announced a new
privacy policy incorporating
“Eight Principles of Privacy,” following well-publicized reports of privacy breaches of AOL subscriber information,
including the proposed sale
of subscribers’ home telephone numbers and the case
of Timothy McVeigh (no
relation to the convicted
Oklahoma City bomber of
the same name). McVeigh
was discharged from the
Navy for violating its policy
on homosexuals as a result
of personal information the
Navy obtained from AOL
about McVeigh, without a
search warrant or
McVeigh’s consent.
• CVS/Giant Pharmacies. In
February 1998, the Washington Post reported that
two pharmacy chains —
CVS and Giant — used, or
planned to use, an outside
contractor to send prescription refill notices and drug
promotional materials to
pharmacy patrons using
prescription information
supplied by the pharmacies.
Within days of the initial
media report, both companies took out full-page advertisements announcing the
cancellation of the programs, amid a flurry of
editorial criticism and customer complaints. CVS has
since been sued, with the
plaintiff alleging that CVS
breached its fiduciary duty
as well as its duty of confidentiality to its pharmacy
customers. A State court
rejected a motion to dismiss
by the defendants, concluding that there is enough
in the complaint for a jury
to resolve, and the case is
still pending.89

89 Weld v. CVS, Superior Court of
Massachusetts (Suffolk) No. 98-0897.

Media glare and public outrage
over privacy missteps are not
limited to the private sector.
Examples of governmental privacy missteps over the past few
years include the “Know Your
Customer” proposal of the Federal Deposit Insurance Corporation (FDIC); the OASIS
proposal of the Health Care Financing Administration
(HCFA); a U.S. Postal Service
proposal regarding private mailboxes; and a Social Security
Administration initiative to provide individuals with online access to their Social Security
earnings records.

• Know Your Customer.
One of the most controversial Clinton Administration
proposals, from a privacy
perspective, was the FDIC’s
proposed “Know Your
Customer” (KYC) regulations. The proposed KYC
rule would have required all
banks to develop a written
program designed to enable
the bank to “provide for
identification and transaction monitoring procedures
and identify transactions
that would be subject to
suspicious activity reporting
requirements.” According to
the FDIC, the proposed
regulation was intended to
protect the integrity of the
banking system and to “assist the government in its efforts to combat money
laundering and other illegal
activities that may be occurring through financial institutions. It is intended to
detect patterns of illegal activity often characterized by
large cash deposits and
withdrawals that are outside
the normal and expected
activity.” Some opponents
characterized the measure
as turning bank tellers into
government informers and
citizens into criminal suspects.

Opposition to the proposed
KYC rule was widespread,
including an Internet-based
campaign against the measure. The FDIC was deluged
with criticism about the
proposal, including a flood
of complaints from individuals. The agency received over 250,000
comments on the proposed
rule; all but a small handful
of the comments received
were hostile to the proposal.
Hostility toward the proposed KYC rule came not
only from the grass roots
level, but also on Capitol
Hill where a half-dozen bills
designed to prohibit the implementation of the rules
were introduced. In March
1999, the FDIC and the
other agencies that sponsored the measure announced they were
withdrawing the measure in
its entirety.
• Outcome and Assessment
Information Set. The
HCFA was caught in a privacy storm in the spring of
1999 as a result of its


planned “Outcome and Assessment Information Set”
(OASIS) for home health
care patients, which HCFA
planned to have all home
care facilities complete
about their patients. Following adverse press coverage and criticism from
privacy advocates, Vice
President Gore, and numerous Congressmen, the
agency postponed implementation of the project
while it revamped the program. Changes were designed to ensure that: (1)
only essential information
would be collected; (2) the
information gathered would
be properly protected; (3)
disclosures of the information would be limited to the
minimum extent necessary
to carry out the mission of
HCFA; and (4) Medicare
beneficiaries would be fully
informed as to why information was being collected
and how it would be used.
• U.S. Postal Service. In
March 1999, the U.S. Postal
Service issued a regulation
requiring users of commercial mail receiving agencies
(CMRAs), such as Mailboxes, Etc., to use the acronym “CMRA” in the
address, thereby identifying
that the address is at a
CMRA (as opposed to a
U.S. Postal Service post office box or a regular commercial or residential
address). Mail not complying with this rule would not
be delivered. The regulation
was designed to help prevent the use of CMRAs as a


tool for criminal activity.
The regulation also required
that CMRAs demand personal identification from all
box renters and complete a
form for submission to the
Post Office, which included
the box holder’s Social Security number and other
personal information. The
Post Office would then
make that form available to
anyone who requested it.

After complaints from citizens, privacy advocates, and
several members of Congress, the Postal Service
modified its regulation. It
delayed the requirement that
“CMRA” be included in the
address. The post office also
relaxed the registration requirements, announcing it
would not make applications by small businesses
publicly available and that it
would advise CMRAs not to
require Social Security
cards as a form of identification. Some privacy advocates found these revisions
insufficient and continued
to oppose the regulation.

• Social Security Administration (SSA). An April
1997 USA Today report that
the SSA was making Personal Earnings and Benefit
Estimates (PEBES) available to individuals over the
Internet sparked another
privacy furor. When the
story broke on April 7,
1997, SSA initially defended the online disclosure
of PEBES, which had begun
approximately a month before, as a way to provide the
information to taxpayers
quickly and easily. SSA
also noted there were severe
penalties for fraudulently
accessing SSA records and
that in order to request a report, the individual had to
supply five separate data
elements: name, Social Security number, date of birth,
place of birth, and mother’s
maiden name.
This did not stem the criticism. Some privacy advocates, while supportive of
the idea of online access,
noted that all five of the
data elements required for
access were publicly available information, jeopardizing the security of the
information and the privacy
of taxpayers. Senators with
key oversight responsibilities for SSA voiced reservations over the plan, and
SSA was swamped with
tens of thousands of calls
from citizens complaining
about threats to their privacy. On April 9, two days
after the USA Today story
first appeared, SSA “temporarily” suspended the online
access initiative. Service has
never been reinstated.90 Instead, SSA has returned to
its prior practice of allowing
individuals to request
PEBES statements using the
Internet and mailing responses several weeks later.

90 See, “SSA Pulls Plug on Web Page
Offering Americans’ Earnings,” Privacy Times, Evan Hendricks, ed., Vol.
17, No. 8 (April 17, 1997) pp. 1-2.


— Other indications of the
importance of privacy
concerns: The European Union Data Protection Directive,
omnibus proposals in
the United States, and
self-regulatory initiatives

The European Union Data
Protection Directive

The European Union (EU) enacted the “Directive on the Protection of Individuals with
Regard to the Processing of Personal Data and on the Free
Movement of Such Data” (the
Directive)91 in 1995, and it became effective on October 25,
1998. The Directive is a comprehensive, omnibus privacy
measure that regulates the processing of personal data.
The Directive places restrictions
on the export of personal data to
countries outside the EU that are
deemed to lack “adequate” privacy protections.92 European
Union officials do not believe
the United States has “adequate” privacy protections;
therefore, U.S. companies
wishing to move personal data
across borders from EU countries to the United States have to
negotiate contractual arrangements that satisfy the terms of
the Directive or otherwise meet
specific exceptions or tests (for
example, consent of the data
subject; important public interest test; protection of the vital
interests of the data subject; or
public information test).93

The U.S. Department of Commerce spearheaded the Clinton
Administration’s efforts to reach
an understanding with the EU
regarding the Directive’s impact
on transfers of personal data
from the EU to the United
States. In July 2000, the Commerce Department and the
European Commission finalized
and formalized the “Safe Harbor” agreement, after years of
negotiations and several public
discussion drafts.

Although the Safe Harbor accord explicitly states that it is
not intended to have applicability beyond international trade,
the Directive and the Safe Harbor process are having an impact on the domestic privacy
debate in the United States. It is
too soon to determine the extent
of the impact; however, at least
two factors are at work. First,
the Directive and the Safe Harbor discussions have generated
considerable media coverage,
further raising the profile of privacy issues in the United States.
Second, the Directive has increased the pressure on the
United States to strengthen its
privacy laws. Privacy advocates,
for example, have questioned
whether the Safe Harbor accord
will result in two sets of privacy
protections in the United States,
one for information pertaining
to citizens of the EU and a second, lower, standard for Americans.

91 Directive 95/46/EC.

92 Under Article 2 of the Directive,
“personal data” are broadly defined to
include: “[A]ny information relating to
an identified or identifiable natural
person (‘data subject’); an identifiable
person is one who can be identified,
directly or indirectly, in particular by
reference to an identification number or
to one or more factors specific to his
physical, physiological, mental, economic, cultural or social identity.”

93 Directive, Article 26.

Omnibus legislation
The EU Directive and growing
public concern over information
privacy is also evidenced in a
growing trend at the State level:
the active consideration of omnibus privacy legislation.

• In California, for example,
State Senator Steve Peace
(D-El Cajon) introduced
Senate Bill 129, “The Personal Information and Privacy Act of 1999,” which,
as originally introduced,
would have prohibited the
collection, use, and disclosure of any type of personally identifiable information
without the consent of the
individual subject.
— The original bill also
would have required organizations to inform
individuals how and
what type of information is collected and the
purposes for which it is
used; the types of organizations to which the
information is disclosed; and the choices
and means the organization offers to limit the
use and disclosure of
the information.
— The final version of the
bill, which was signed
into law by Governor
Gray Davis in September 2000, was more

limited in scope than
the original bill, creating a privacy ombudsman with various
responsibilities, including, among others,
accepting complaints
about organizations
from private citizens.
The bill also imposes
certain requirements on
State agencies.94
• Similar efforts, while ultimately largely unsuccessful,
were undertaken during the
1999-2000 legislative session in both Massachusetts
and New York. The Massachusetts legislation, with the
support of then-Governor
Paul Cellucci and then-Lieutenant Governor (now
Governor) Jane Swift,
would have addressed a
wide range of privacy issues
ranging from how retailers
and marketers handled personal information to surveillance of employees in
the workplace. In New
York, a package of over a
dozen bills designed to
safeguard the personal information of consumers,
rather than a single bill,
were introduced with the
support of Assembly
Speaker Sheldon Silver (D-Manhattan) and Attorney
General Eliot Spitzer.

Self-regulatory initiatives
Finally, in part as a result of the
pressure generated by media,

advocacy group, and legislative
and international scrutiny, and
in part because consumers increasingly expect companies to
provide adequate privacy, the
private sector has launched several efforts to develop and implement voluntary privacy
guidelines. The Individual Reference Services Group (IRSG),
a trade association for companies that sell identification and
location information products,
has developed a set of self-regulatory principles for their
member companies.95 In another
example, the Online Privacy
Alliance has developed cross-sectoral privacy guidelines for
companies that obtain personal
information about consumers
arising from online/e-commerce
activity. BBBOnline and
TRUSTe have developed privacy “seals” to be displayed by
Internet sites adhering to certain
privacy standards.
These self-regulatory programs
and others require or encourage
companies to provide consumers with notice about a company’s information and privacy
practices; a degree of choice in
how much information the consumer wishes to provide or
whether the consumer wishes to
provide any information at all;
some access and correction
rights; data quality protections;
security protections; and confidentiality safeguards. Increasingly, these voluntary programs
also provide for verification of
company compliance and some
type of remedy for consumers

who are aggrieved by a violation of these self-regulatory
guidelines.96

The Information Culture
There is a considerable and
growing public demand for a
wide array of information, including criminal justice information. This demand is fueled
by, and also fuels, technological
advances that make it possible
to gather and store increasingly
larger amounts of information
from an increasingly larger
number of sources, in ever
faster, more reliable, and more
efficient ways. Information, including criminal justice information, also frequently marries
traditional text with a variety of
nontext formats including audio,
video, and digital imaging.
As a practical matter, the public’s exposure to criminal justice
information was, for the most
part, once confined to personal
experience, media reports, and
mugshots posted in the local
post office. Today, large segments of the public expect to be
able to use criminal justice information about individuals to
better inform themselves about
others, including their neighbors
and their caregivers.97 In addition, information, including
criminal justice information, is
increasingly searchable and accessible through the Internet or
other electronic means.
The process builds upon itself.
Technological advances make
information available to the
public in a new, more efficient
way. Then, as the public becomes acclimated to the new
technology, it comes to expect
the benefits and comes to anticipate and expect new advances that will build further
upon this technology, making
even more information more
readily available. The public
increasingly expects information on demand and expects increasingly sophisticated
databases and search engines to
assist them in meeting their
needs. This includes, but is not
limited to, criminal justice information. Members of the public, while concerned about
protecting their own privacy,
expect to be able to access information to protect themselves
and their children from risks
that may be posed by offenders
and others. As one commentator
observed: “Given a choice between privacy and accountability, all of us can be relied upon
to choose privacy for ourselves
and accountability for everybody else.”98

94 Codified at CAL. BUS. & PROF.
CODE §§ 350-352 and CAL. GOV’T
CODE § 11019.9.

95 The IRSG is discussed in further
detail in infra, p. 60.

96 A comparison of the privacy protections provided by leading self-regulatory codes, certain Federal privacy laws, and the Federal justice information system privacy regulations
(DOJ regulations) is included as Appendix 3.

97 Approximately 90% of the public
would allow some access to conviction
records by potential employers, while
38% would favor access by individuals
wanting to learn if a neighbor has a
criminal record. Privacy Survey Report,
supra note 4, p. 5.

98 Chris Gaither, “Big Brother is Your
Friend,” Wired News (September 20,
1999) (quoting science fiction author
David Brin).

This shift in attitudes is apparent
in the activities of business,
government, and individuals
and applies not only to criminal
justice information, but also to
information sectors throughout
the economy. “If the shift to an
information society means anything, it means thinking about
information as one of the most
important resources in society.”99 Businesses increasingly
seek to gather information about
their customers, storing this information electronically in “data
warehouses” where it can be
retrieved later for analysis for
purposes ranging from inventory control to targeted marketing. Government, including the
courts, criminal justice agencies,
and noncriminal justice agencies, increasingly views personal information as a means to
improve decisionmaking in areas ranging from child support
enforcement, immigration control, and gun control, to bail decisions.
The Task Force views this move
toward an “Information Culture” as an important factor in
criminal justice information
policy.

Changes in technology
Computers have been used to
capture and manage criminal
justice information since at least
the late 1960s. Until recently,
however, computerized criminal
justice information systems
99

James Boyle, Shamans, Software,
and Spleens: Law and the Construction
of the Information Society (Boston:
Harvard University Press, 1996) p. 174.

merely created what amounted
to an automated “file cabinet.”
Whoever owned the automated
file cabinet had responsibility
for managing the system; as a
practical matter, the “owner”
enjoyed substantial discretion in
setting rules for the collection,
retention, use, and disclosure of
information maintained in that
automated file cabinet. Today’s
powerful and nimble information systems, however, facilitate
a far different environment. Users can access information from
remote locations and from multiple databases. In doing so, users can create their own
multidimensional, cross-sectoral, customized, personal
information reports. Today,
those who maintain these databases are less able to control
how information in them is
used. With the ability to draw
and assemble information from
the various databases, information users may be able to create
customized, comprehensive information products for use in
various settings.
These customized reports could
include a mix of criminal justice
and noncriminal justice information about an individual.
These reports could support
criminal justice applications, but
could also be deployed in noncriminal justice settings. The
evolution of these types of personal reports will be influenced
and shaped by current and future law governing information
collection, use, and disclosure.
This information management
revolution is occurring contemporaneously with a revolution in


identification technology —
such as DNA, livescan, and
Automated Fingerprint Identification Systems — that gives
users the potential not only for a
richer, customized information
product, but also for a product
with a much higher degree of
reliability and integrity (that is,
an assurance the information
truly relates to the person who is
the intended subject of the inquiry).
The Internet is a dramatic and
new feature on the information
landscape. The Internet is an
inexpensive and relatively user-friendly technology, which not
only provides robust information management capabilities,
but also does so on a real-time,
communications platform. Furthermore, the Internet creates
remarkable opportunities for
national and international publication — and remarkable risks
to privacy. Recently, several
States have placed all or parts of
their sexual offender databases
on the Internet. A few States,
including Texas and Washington, make conviction information available over the Internet.
These information technology
advances hold enormous promise for criminal justice users and
authorized, noncriminal justice
users to obtain comprehensive,
reliable, and customized information about individuals on a
near-instantaneous basis. These
advances, however, also create
or, at a minimum, exacerbate
privacy risks. The online availability of an individual’s criminal history and criminal justice
record information, along with


the potential to obtain juvenile
justice information, combined
with information about educational background, financial
status, medical information,
immigration, and citizenship
status is certain to ignite a new
privacy debate about who
should get access to this kind of
information; for what purposes;
and subject to what privacy
safeguards and restrictions.
It is a cliché to say we are living
in the “Information Age” or in
an “information society” or that
we are in the midst of an “Information Revolution.” Nevertheless, it is undeniable that
technological advances in computing and communications are
significantly impacting the way
in which information is viewed
by the public, by the courts and
criminal justice agencies, and by
government agencies generally.
One way to conceptualize the
manner in which technology is
received and integrated by society is to think of a new technology as a physical object moving
into a steel web representing
society’s existing rules and arrangements.
“Technology never
breaks through this social web, which is an
extremely dense intertwining of economic,
legal, organizational,
social, and cultural constraints. Rather, a new
technology makes a
slow and gradual passage through the web.
In the process, both the
technology is shaped in

its forms of application
and accepted capabilities and the strands of
the web are altered.
Sometimes the strands
open fairly widely to
accommodate new
forms of technological
use; sometimes, they
hold fairly firm to block
certain uses of the technology or substantially
alter its application.”100
The strands of the “steel web,”
representing the way information is viewed by society, are
being reshaped by the new information technologies.
One of the most significant
technologies that has been
making its way through the
“steel web” of society is the
computer. Today, the computer
is a central fixture in American
life. Computers are used for
everything from word processing, to data storage, to inventory
control at supermarkets, to advanced mathematical research.
The centrality of computers is
just as applicable in the criminal
justice recordkeeping arena. As
recently as 1986, the then-Director of the Federal Bureau
of Prisons was able to refer to
computers as “the ultimate
status symbol.”101 Today, in
100
Alan F. Westin, preface to Donald
A. Marchand, The Politics of Privacy,
Computers, and Criminal Justice Records: Controlling the Social Costs of
Technological Change (Arlington, Va.:
Information Resources Press, 1980) p.
vi. Hereafter, The Politics of Privacy.
101

Norman A. Carlson, “The Federal
Bureau of Prisons and Data Quality,” in
Data Quality Policies and Procedures:
Proceedings of a BJS/SEARCH Con-


contrast, it is the rarest of office
worker who is without a computer on his or her desktop. In
addition, advances in computing
and telecommunications technologies have acclimated the
public to automatic teller machines, credit cards, electronic
commerce over the Internet, and
a host of other innovations that
depend on the ready transfer of
information.
Increases in the speed of computers and communications
technologies are also having an
effect. While speed “for its own
sake is hardly impressive,” it “is
important because it allows men
to do things they otherwise
would not have done, for lack of
will, time, or energy. The development of computers signifies not just an increase in the
speed of calculation, but offers
as well a quantum leap in the
amount and kinds of things that
can be done within a human
framework.”102
This ability to do things that
otherwise would not have been
done due to “lack of will, time,
or energy” has important implications for the privacy of criminal justice information.
Technological innovations have
removed (and are removing)
many of the de facto protections

ference, NCJ 101849 (Washington,
D.C.: U.S. Department of Justice, Bureau of Justice Statistics, November
1986) p. 46. Hereafter, Data Quality
Policies and Procedures.
102
Marchand, The Politics of Privacy,
supra note 100, p. 10 (quoting Kenneth
C. Laudon, Computers and Bureaucratic Reform (New York: Wiley,
1974) p. 6).

— the nondiscoverability —
that once protected the privacy
of an individual’s criminal justice information, not by any intentional design, but because
there was a “lack of will, time,
or energy” to obtain it.
Court records and police blotter
information, for example, traditionally have been public documents available (with the
exception of certain sealed records) to anyone who went to
the courthouse to view them. In
the past, this imposed a number
of barriers and “transaction
costs” on someone seeking to
obtain arrest or conviction information:
• First, it was necessary to
know in which of the Nation’s thousands of courts or
police stations to look for
the record.

• Second, it was necessary to
actually go to the courthouse or police station
(which might be across the
street or across the country)
to view the records.

• Third, it took time to determine if the court or police
station had a record.

• Fourth, it took time for police or court staff to retrieve
the record.

• Fifth, if there was a record,
further research might be
necessary elsewhere to determine whether the case
was prosecuted, or how the
case was resolved on appeal.

In addition to the time involved,
there were additional costs,
which could be significant, for
copying the records. Thus,
while the records technically
were open to the public, accessing the information imposed
transaction costs that had the
effect of limiting public access.
Advances in technology, however, are eliminating these barriers to access and the de facto
privacy protections that they
once afforded to those with arrest or conviction records.
Courts and police departments
are automating their records,
and many are making this information available in an electronic format on a wholesale
basis. Thus, in doing so, they
permit private companies to assemble databases of criminal
justice information that include
information from jurisdictions
across the country — “one-stop
shopping” for criminal justice
information. Some States go
further. Texas and Washington,
for example, make conviction
information (and some arrest
information) available to the
public over the Internet. As of
May 1999, 15 States allow the
public to access sex offender
databases over the Internet as
well.103 These databases allow
103
Devron B. Adams, Update 1999:
Summary of State Sex Offender Registry Dissemination Procedures, Fact
Sheet series, NCJ 177620 (Washington,
D.C.: U.S. Department of Justice, Bureau of Justice Statistics, August 1999).
In addition to the 15 States that grant
public access to searchable sex offender databases via the Internet, 10
States have Internet sites that are either
accessible only to law enforcement or
are limited information about the reg-


the public to search not only by
name, but also by geographic
location, such as ZIP code, so
that it is possible to identify sex
offenders in a neighborhood,
whether the party conducting
the search knows their names or
not.
With the reduction of the
“transaction costs” for such inquiries, it is possible to conduct
background checks in an increased number of circumstances and by a wider number
of people. Background checks,
while once largely the province
of licensing boards, banks, securities firms, and government
agencies screening for sensitive
national security positions, are
now possible (or even required)
for a much larger, and continually growing, roster of positions,
including bus drivers, school
janitors, daycare workers, nursing home workers, volunteer
coaches, and Boy Scout troop
leaders.104 In the case of sex offender registries, there need not
be an employment or volunteer
relationship at all.
This trend is reflected not only
in the increasing commercial
sale of such information but also
in the law. Employers may be
found liable under common law
istry itself rather than individual offenders; 5 States without Internet sites
are planning to develop them, and the
remaining 20 States and the District of
Columbia report having no sex offender registry site on the Internet and
provided no information as to whether
one was planned. Ibid.
104

See, for example, Valerie Strauss,
“Ackerman Orders Volunteer Screening,” Washington Post (October 8,
1999) pp. B1, B4.


theories of negligent hiring if
they hire an individual without
conducting a background check
and the individual then commits
an on-the-job crime.105 Increasingly, State and Federal statutory law authorizes State central
repositories to disclose CHRI
for background checks for positions involving financial responsibility or for the interaction
with potentially vulnerable
populations, such as children
and the elderly.106
It has been said the “strains that
technology places on our values
and beliefs, finally are reflected
in economic, political, and
ideological conflict. That is,
they raise questions about the
proper goals of society and the
proper ways of pursuing those
goals.”107 That is true of the way
in which the Information
Revolution is affecting the collection, use, and disclosure of
criminal justice information.
The fact that technology has
reduced the transaction costs
involved in accessing criminal
justice information, removing
traditional de facto barriers that
once created protections, raises
difficult questions about the
proper use of criminal justice
information in this new environment, including spawning a
105

See, infra, p. 53 (more public access/demand).
106

See, infra, p. 61 (Federal and State
initiatives).
107

Marchand, The Politics of Privacy,
supra note 100, p. 15 (quoting Emmanuel G. Mesthene, “The Role of
Technology in Society” in Technology
and Man’s Future, Albert H. Teich, ed.
(New York: St. Martin’s Press, 1972)
p. 148).

debate as to whether we should
reexamine our approach to
“public record information.”108
In 1998, Congress, recognizing
the vital role criminal justice
information, identification, and
communication technologies
must play, enacted the Crime
Identification Technology Act of
1998 (CITA).109 CITA authorizes $1.25 billion over 5 years
for grants to the States to upgrade criminal justice and
criminal history record systems;
improve criminal justice identification; promote the compatibility and integration of
national, State, and local systems for a variety of purposes;
and capture information for statistical and research purposes to

108
While court records and other
original records of entry have traditionally been publicly available, not all
information held by the Federal and
State governments is publicly available.
CHRI contained in the State repositories, for example, is only available for
certain purposes in many, although not
all, States. In addition, the Federal
Privacy Act, Freedom of Information
Act, and other Federal and State laws
restrict public access to a variety of
information held by government agencies, including sensitive personal information, such as tax returns and
health information. In May 1998,
President Clinton issued an order to the
heads of executive departments and
agencies to review their compliance
with the Federal Privacy Act to account
for changes in technology. See, William Jefferson Clinton, “Memorandum
for the Heads of Executive Departments and Agencies. Subject: Privacy
and Personal Information in Federal
Records,” (May 14, 1998).
109
Pub. L. No. 105-251, §§ 101-102
(October 9, 1998), 112 Stat. 1871 (to be
codified at 42 U.S.C. § 14601).


improve the administration of
criminal justice.110
The areas identified in CITA are
reflective of a re-shaping of the
criminal justice information environment. The important theme
of CITA — the integration of
State, Federal, and local systems, so that the criminal justice
information systems will be
compatible — is discussed in
detail later in this report.
— Information technologies
The importance of information
technologies in the collection,
organization, and dissemination
of information, including criminal history information, can
hardly be overstated. The increased power, utility, and affordability of computers
have revolutionized the way
information is handled in the
United States.
In recent years, the price of
computer memory and other
hardware has decreased,111
making computers accessible
not only to the largest members

of the criminal justice community, but now also to the smallest.112 Where the criminal justice
community’s exposure to the
computer was once limited to
mainframes maintained by the
FBI and central State repositories, today computers can be
found in even the smallest of
local police departments and in
patrol cars as well.
Technological advances have
made computers smaller, faster,
and capable of storing ever-increasing amounts of data in
seemingly ever-decreasing
amounts of space. Disk drive
capacity now doubles at least
once a year and, according to
experts, this time frame is
shrinking significantly.113 The
ready availability of computers
at all levels of law enforcement,
as well as society at large, has
spurred advances in computer
programming and data retrieval,
making it possible for users to
customize systems to meet their
own institutional needs.
This increased programming
and search flexibility, in turn,
has supported the creation of
“data warehouses” where large

110
Pub. L. No. 105-251, §§ 102(a), (e).
111

Owen M. Greenspan, et al., Report
of the National Task Force on Court
Automation and Integration, NCJ
177601 (Washington, D.C.: U.S. Department of Justice, Bureau of Justice
Assistance, June 1999) p. 24. Hereafter,
Task Force on Court Automation. “In
1975 an IBM mainframe cost approximately $10 million and provided 10
million instructions per second (MIPS),
or about $1 million per MIPS. In 1998,
a Pentium® personal computer cost
approximately $2,500 and provided
roughly 300 MIPS, at a cost of $6-$10
per MIPS.” Ibid., at n. 26.

112
While the cost of memory and
other computer hardware has declined,
technology costs incurred by courts and
criminal justice agencies may not have
declined overall. Agencies have shifted
from an environment where there was
only a mainframe, or perhaps no computers at all, to the current environment
where there must be a computer of
some sort at practically every workstation. In addition, as the volume of users
and workstations increases, the need for
technical support has also increased.
113

Task Force on Court Automation,
supra note 111, p. 35.

amounts of information are accumulated and available to be
searched on the basis of a multitude of discrete selection criteria. Today, it is possible to
gather and store large amounts
of data about data subjects and
to enrich that data with information obtained from outside
sources to create detailed information profiles about individuals. It is also possible to search
those profiles to identify files on
the basis of almost any common
characteristic. Although it once
may have been possible to
search a database using only an
individual’s name or identification number, for example, today
databases can be searched using
addresses, telephone numbers,
or even random words. In addition, data-matching programs
permit the comparison of multiple databases for overlapping
data.
This was, of course, not always
the case. The criminal history
record system, while predating
the computer, is a relatively new
innovation. At the beginning of
the 20th century there was
hardly such a thing as a criminal
history record, let alone a criminal history record system.114 In
1924, criminal history recordkeeping and fingerprinting took
a step forward when Congress
directed the FBI to create an
“identification division” to acquire, maintain, and use fingerprint information.115 This new
identification division began

114

Use and Management of CHRI,
supra note 22, p. 20.
115

Ibid. p. 21.


with 800,000 fingerprints obtained from various sources, and
maintained on manual fingerprint cards.116 Over the succeeding years, the FBI
accumulated paper fingerprint
cards and information files by
the millions. Each individual’s
file was fingerprint-supported
and also retrievable by name or
FBI number.117 These records
occupied huge warehouses and
required armies of clerks to
maintain and update.
By the 1960s, the early computer brought the first movement toward the automation of
criminal history records. The
expense of early computers restricted their use to only the
largest institutional players,
such as the FBI. Computers
proliferated slowly to include
State repositories and the largest
of police departments. These
early systems, however, were
little more than automated file
cabinets, with manual input requirements and limited retrieval
capabilities. Automated systems
were used for new entrants into
the criminal justice system,
while records on offenders
whose records pre-dated the
inauguration of the computer
system were still maintained in
the traditional paper format.
In addition to changing the
manner in which State repositories organize and maintain
criminal justice information,
advances in information technologies have affected the way
information is reported to the

repositories by the courts and
law enforcement agencies. Until
recently, the automation of arrest and disposition reporting to
State repositories has lagged
behind the automation of disclosures from the State repositories
in response to inquiries from
law enforcement and the courts.
Increasingly, however, computer technology is being used
to automate the reporting process, thereby speeding the reporting process and saving
resources.118
Historically, arrest information
has been reported to the repositories and the FBI on fingerprint
cards that also included space
for textual information about the
record subject. State law frequently requires that cards for
reportable offenses be submitted
within 24-48 hours of arrest or
“promptly” or “without undue
delay.” However, even if these
laws are complied with, mail
delays and normal data processing resulted in a delay of a
week or more from the date of
arrest until the information was
entered into the repository systems. Increased automation at
the local level and direct computer-to-computer transmissions
now create the potential for real-time transmission of data from
the local law enforcement
agency to the State repository.
The same is true of disposition
reporting information from the
courts, which is increasingly
automated with the advent of
automated case management

116

Ibid.

117

Ibid., p. 22.


118

Ibid., p. 43.

systems, particularly in high-volume jurisdictions.119
— Identification technologies
Means of identification
Technological advances have
had a profound impact on identification capabilities. People
are identifiable in many ways,
including name, Social Security
number, or other account number, and by physical characteristics. With the exception of
physical characteristics, all of
these identification methods are
inherently unreliable in the
criminal justice context. Names
can be shared by many people
and Social Security numbers
can be falsified; this makes such names and numbers unreliable in many
instances, which opens the door
to fraud, mistake, and abuse.
Physical characteristics, called
“biometric identifiers,” are
unique characteristics for purposes of personal identification.120 Examples of biometric
identifiers include fingerprinting, DNA, retinal scanning,
voice spectrography, and hand
geometry scanning.121 Although
biometric identification is a
119

Ibid., p. 44.

120

Robert R. Belair and Robert L.
Marx, Legal and Policy Issues Relating
to Biometric Identification Technologies (Sacramento: SEARCH Group,
Inc., 1990) p. 1. Hereafter, Biometric
Identification Technologies.
121

Ibid. There are many other potential biometric identifiers including, for
example, vein prints, poroscopy (pore
prints), cheiloscopy (lip prints),
otoscopy (ear prints), dentition prints,
and sweat prints. Ibid., pp. 39-42.


more reliable means of personal
identification, virtually none of
the identification documents
used in the United States is supported by biometric identifiers.122
Identification cards are the most
common form of identification
device. In recent years, efforts
have been made to reduce the
ability to falsify or counterfeit
identification documents and to
increase their utility to law enforcement. Some of these
changes simply involve the use
of inks and other materials that
are more difficult to alter or
counterfeit. Other innovations
include MICR lines or magnetic
strips, which contain identification information and are more
difficult to tamper with than
paper identification. It is also
possible to include digitized
fingerprints and other biometric
identifiers on the magnetic strip
or in an embedded chip, to further enhance reliability. These
magnetic strips, as well as bar
codes, can also be “swiped” or
“scanned” through reading devices by law enforcement to
quickly access the stored data.
Biometric identifiers are used in
the criminal justice field not
only to link suspects to crime
scenes, but also as a reliable
means of verifying identity for
background checks. There is
increasing pressure, however, to
move to a name-only identification regime to produce both
faster and less-expensive background checks. Such a move to
name-only checks, however, is
122

Ibid.

not without potential privacy
and accuracy problems. First,
name-only checks can result in
multiple hits for individuals
with common names, such as
John Smith. Second, as noted
previously in discussing traditional identification documents,
falsification is a problem. If an
individual assumes a false identity (identity fraud is an increasingly common crime), it is
possible that the identity in
question is that of a real person,
not an identity that was simply
made up by the applicant.123 If
this is true, and the applicant
commits a crime, it could lead
to the issuance of an arrest warrant and other problems for an
innocent person.
Fingerprinting
Fingerprinting is the best-known
and most widely used means of
biometric identification. Attempts to use fingerprints for
identification purposes, while
first the subject of scientific inquiry in the 17th century, can be
traced back to ancient China and
Egypt.124 Today, fingerprinting
is a critical tool for law enforcement efforts to solve crime
and fingerprinting criminal suspects is commonplace. The FBI,
for example, receives approximately 50,000 fingerprints per
day, about one-half of which

come from criminal matters.125
Outside the criminal justice setting, fingerprints are also the
most widely used and recognized means of biometric identification. Children are frequently
fingerprinted. In addition, job
applicants and applicants for
many types of licenses are fingerprinted, not only as a means
of identification, but also to facilitate reliable criminal background checks.
In the criminal justice context,
Automated Fingerprint Identification Systems (AFIS), which
first emerged in the late 1960s,
are an example of the power of
information technology advances.126 In an early AFIS,
manual fingerprint records were
scanned into a computer system,
converted into digital records,
and stored. In order to search
the AFIS database, the fingerprint that is the subject of the
search was digitized and compared to the existing fingerprints
already digitized and on file. If
the system made a potential
match, a fingerprint examiner
compared the fingerprints and
made an actual identification
determination. This technology
was complemented in the 1980s
by the emergence of automated,
direct-read fingerprint devices.
Direct-read fingerprint devices
take an inkless photograph of an
123
In addition to the use of biometric
identification, information products,
frequently drawing from information
contained in public records, can also
assist in detecting identity fraud.

124
Biometric Identification Technologies, supra note 120, p. 13.

125
Vicki Smith, “FBI Touts Fingerprint Database: Says Police Will Get ID
and History within Two Hours,” The
Associated Press (August 10, 1999),
available at http://www.abcnews.go.com/sections/us/dailynews/fbi990810.html.

126
Biometric Identification Technologies, supra note 120, p. 2.


individual’s finger or thumb and
convert that fingerprint or
thumbprint into a digital record.
These inkless photographs take
only seconds to produce and
result in a clearer image than the
traditional method of “rolling”
the finger on a fingerprint card
to create an inked impression.127
The impact of AFIS, further
enhanced by the increased efficiency and clarity of direct-read
technology, has been substantial. In San Francisco, for example, prior to AFIS, police made
approximately 60 identifications
of crime scene prints each year
by manually searching fingerprint files.128 In slightly less than
4 years from San Francisco’s
implementation of an AFIS,
police had searched over 12,000
crime scene fingerprints and
made 2,500 criminal identifications, a dramatic increase.129
Potential privacy concerns also
result from the increased efficiency brought by this new information technology. Although
fingerprint searches used to be a
time-consuming process, today
large databanks can be searched
in a very short time and with
little or no additional effort by

127

Ibid. The appendix to the 1990 report contains a detailed and technical
analysis of AFIS.
128
Ken Moses, “Maintaining and Using Juvenile Fingerprints,” in Juvenile
and Adult Records: One System, One
Record? Proceedings of a
BJS/SEARCH Conference, NCJ 114947
(Washington, D.C.: U.S. Department of
Justice, Bureau of Justice Statistics,
January 1990) p. 50. Hereafter, Juvenile and Adult Records.
129

Ibid.


staff. This means law enforcement can conduct “cold
searches” (that is, searches
where there are no suspects or
leads, other than fingerprints
found at the scene).130 Another
result of AFIS is an increasing
demand from law enforcement
to expand the pool of fingerprints on file and accessible to
an AFIS, thereby increasing the
possibility of a match. Some
criminal justice sources have
argued in favor of expanding
AFIS systems to include juvenile fingerprints.131 Other potential expansions of source
records for AFIS searches include child fingerprinting programs, fingerprints taken for
professional licensing, fingerprints taken for security clearance applications, and
employment background
checks, to name a few.
The FBI launched the next generation of AFIS technology in
July 1999: the Integrated Automated Fingerprint Identification
System (IAFIS). Under IAFIS,
fingerprint images (rather than
traditional fingerprint cards)
will be taken at local law enforcement agencies by livescan
or cardscan equipment, processed by a local AFIS, and then
transmitted electronically to the
State repository for processing.
If a positive identification is not
made at either the State or local
130

U.S. Congress, Office of Technology Assessment, Criminal Justice, New
Technologies, and the Constitution,
Special Report, OTA-CIT-366 (Washington, D.C.: U.S. Government Printing
Office, May 1988) p. 19.
131
Moses, Juvenile and Adult Records, supra note 128, p. 51.

level, the fingerprint data and
any relevant textual data will be
transmitted electronically to the
FBI for processing and the FBI,
in turn, will electronically
transmit a response to the local
booking station. It is estimated
the entire process can be completed in 2 hours or less, permitting local law enforcement to
identify prior offenders and fugitives, even if they have provided false identification
information, prior to their initial
bail hearing or release from
booking.132
Retinal scans, voice spectrography, and hand geometry
While fingerprinting is, by far,
the best known and most widely
used biometric identifier, there
are other techniques, although
they are more likely to be used
for controlling an individual’s
access to information or locations than for criminal investigations. Retinal scans record the
unique vasculature (blood vessels) in the fundus, or posterior
orbit of the eye. In voice spectrography, a spectrograph produces a graphic representation
of the sound emitted by a human voice. Hand geometry systems, another means of
biometric identification, measure characteristics, including
finger lengths, finger density,
hand width, the silhouette of the
entire hand, a profile view of the
knuckles and back of the hand,
and skin translucency. These
results can then be digitized and

132
Use and Management of CHRI,
supra note 22, p. 47.


stored for future identification.133
DNA testing
Although fingerprinting is the
traditional and most widespread
method of biometric identification, with a long pedigree and
years of public acceptance in the
criminal justice system, Deoxyribonucleic Acid (DNA) testing
is a newer and, in many ways,
more versatile, biometric identification innovation. DNA is
unique among biometric identifiers: unlike fingerprints and
other biometric identifiers,
DNA can reveal more about an
individual than simply his or her
identity. This fact therefore
raises unique privacy concerns.
DNA has been called “the single
greatest advance in the search
for truth since advent of cross-examination.”134 That comment
was made in 1988, shortly after
the first time DNA testing was
used, in a 1987 British case involving the rape and murder of
two young girls.135
Since then, DNA has exploded
onto the public scene, not only
for its vast potential as an identification and crime-solving
tool, but also as the key to advances in medicine and cloning.
In the dozen years since DNA
was first used to solve a crime,
133
SEARCH Group, Inc., “Biometric
Technologies are Promising for Criminal Justice,” Interface (Spring 1991) p.
33.
134
Biometric Identification Technologies, supra note 120, p. 27 (quoting a
1988 comment by New York State
Judge Joseph Harris).
135

Ibid.

its stock as an identifier has
risen. A 1990 SEARCH report
on biometric identifiers recognized the potential of DNA
testing as “enormous.”136 Policymakers have agreed, with
State after State (led by the
General Assembly of Virginia
in 1988) establishing DNA
testing laboratories and databases.
As with fingerprinting, DNA
testing is not an effective means
of identification unless there is
an identified sample to compare
with the unidentified DNA.
Standards for collecting and
maintaining these samples raise
civil liberties and privacy concerns. The potential uses of
DNA beyond identification raise
additional concerns because,
unlike fingerprints, DNA can be
used to identify familial relationships as well as potential
genetic defects or a genetic disposition for disease.137 The information privacy concept of
minimizing the information
collected and retained about an
individual to that which is necessary to the task can be put at
risk unless DNA testing systems
are carefully designed to capture
only the information necessary
for identification purposes (or
136
Ibid., p. 26.

137
Despite the identification benefits,
there is some public apprehension
about being voluntarily tested. In Florida, for example, a free DNA-identification pilot program for school
children was not well received, despite
the fact that parents, not the State,
would receive and control the sample.
Jeffrey McMurray, “Florida Police
Find Mystery in Parents’ Snub of DNA
Testing,” Washington Post (March 14,
1999) p. A22.

other purpose for which the
sample was originally collected). Privacy issues also arise
from the retention of the underlying biological sample (rather
than the digitized results of
DNA identification analysis),
because the biological sample
could be analyzed subsequently
for disease traits or other purposes beyond the original identification purpose for which the
sample was collected.138
Civil libertarians are particularly
concerned about the privacy
risks posed by DNA databases.
Barry Steinhardt of the ACLU,
when asked to comment on efforts to perfect a chip that could
be used to quickly produce a
unique genetic profile from
DNA discovered at a crime
scene, expressed the concern
this way: “Anything that makes
it easier and cheaper to create a
DNA databank is dangerous
because it will increase the impetus to DNA test… . We don’t
oppose specific technologies,
but what we are concerned
about is the creation of the databanks.”139

138
Destruction of the underlying samples has been “met with harsh criticism
from law enforcement representatives,”
arguing that by destroying the samples
law enforcement would, as one official
put it, “be destined to start over every
time there’s a technological change.”
Declan McCullagh, “What to do with
DNA Data?” Wired News (November
18, 1999) available at http://www.wired.com/news/politics/0,1283,32617,00.html.
139

Robin Lloyd, “Lab on a Chip May
Turn Police Into DNA Detectives,”
Washington Post (March 1, 1999) p.
A9.


States are building DNA databases, typically by requiring
felons, particularly those convicted of violent crimes, to
submit DNA samples to the
State database. In December
1998, then-New York City Police Commissioner Howard
Safir recommended that DNA
samples be taken of all arrestees, declaring “The innocents
have nothing to fear… . Only if
you are guilty should you worry
about DNA testing.”140 Safir’s
proposal has been adamantly
opposed by the New York Civil
Liberties Union, which argues
that mere arrest is insufficient
grounds for collection of a DNA
sample.141 This debate is also
taking place on the national
level, as the Federal government
considers whether to develop
such a comprehensive DNA
database. The National Commission on the Future of DNA
Evidence, which was appointed
by the Attorney General to
study issues related to the evidentiary use of DNA, has concluded that the practice is
currently impractical due to a
lack of staffing and other resources in crime laboratories
nationwide and a backlog of
samples currently awaiting
analysis.142
140
“DNA Samples in All Arrests?”
Washington Post (December 15, 1998)
p. A16. The International Association
of Chiefs of Police has also called for
the collection of DNA samples from all
arrestees. J.D. Abolins, “International
Police Group Wants DNA Sample
From ALL Suspects,” 2 ISPI Privacy
Reporter (Summer 1999).
141

Ibid., Post article, p. A16.

142
National Institute of Justice, “Recommendation of the National Commission on the Future of DNA Evidence to
the Attorney General Regarding Arrestee DNA Sample Collection,” available at http://www.ojp.usdoj.gov/nij/dna/arrestrc.html. Some States
are moving forward with additional
testing. New York State, for example,
passed a law in 1999 increasing the
number of offenses with a DNA sample
requirement upon conviction from 21
to 107, a change the Governor estimated would increase the number of
samples collected in New York each
year from 3,000 to 30,000. Gary
Tuchman, “New York to expand DNA
testing of convicts,” CNN (October 20,
1999) available at http://www.cnn.com/US/9910/20/dna.database/index.html.

— Communication technologies, including the Internet
The communications revolution
The third area in which advances are generating both
benefits to criminal justice and
risks to privacy is communications technology. The past decade has witnessed an explosion
of new technologies that allow
people (and systems) to communicate faster, easier, and
from more locations than ever
before.143 These changes are
affecting the way criminal justice information is communicated between various criminal
record repositories, between the
courts and the repositories, between repositories and law enforcement, and with other

143
These developments can be attributed, at least in part, to the explosion in
competition between telecommunications companies as a result of deregulation. Another factor in this arena is
the growing competition between telecommunications companies, cable system operators, and Internet Service
Providers as applications of these technologies become increasingly interrelated.

criminal justice agencies. Then-Senate Minority Leader Thomas
Daschle (D-SD) summarized the
importance of improved communications this way: “Revolutionary technological
improvements in communications systems allow localities
separated by great distances to
share information instantaneously. This communication
between law enforcement agencies can make the difference
between locating suspects and
getting them off the streets, or
leaving them free to commit
more crimes.”144
Information distribution is no
longer tied to a fixed distribution point, such as where a telephone wire has been run.
Laptop computers outfitted with
wireless communications packages now permit law enforcement officers to access a wide
array of Federal, State, and local
databases from remote locations, without the assistance of
dispatchers.145
Electronic mail, or “email,” is
another part of the communications revolution. Data can now
be transmitted around the world
almost instantly. Users can send
one another not only directly

144

144 Cong. Rec. S3,943 (April 30,
1998) (statement of Senator Tom
Daschle, D-SD).
145
Kelly J. Harris, Law Enforcement
Mobile Computing: Armed with Information, Technical Bulletin series (Sacramento: SEARCH Group, Inc., 1997,
No. 1) p. 1.


keyed-in messages, but also attach files, thereby allowing potentially privacy-sensitive
information to be externally
distributed in a matter of keystrokes. Communications advances also make it increasingly
possible for systems to share
larger volumes of data electronically and to do so at faster
rates. In addition, while data
was once primarily processed in
text format, it is increasingly
possible to easily transmit,
process, store, and integrate
audio, video, and digital data,
creating a richer and more complete data environment.
Increased speed and high-quality fiber-optic networks allow such tasks as automated
arrest and disposition reporting
to take place more quickly and
easily than before. It also permits larger quantities of data to
be transferred from one computer system to another because
data entry (by keystroke or
scanning) now only needs to be
done once, thereby relieving
“downstream” recipients of the
need to determine whether some
of the data received is of enough
value to make the data entries.
The widespread maintenance
and dissemination of information in electronic form has
raised a host of concerns about
how to best protect the confidentiality, accuracy, and integrity of information in electronic
form. This is typically accomplished through a combination
of physical, administrative, and
technical measures designed to
control access to data and to
control the ability of authorized

users to access and disseminate
information. When information
is transferred between systems
over the Internet or other non-secure means, there is added potential that the transmission
would be intercepted. Encryption is one means to protect the
confidentiality of information at
risk of being intercepted by an
unauthorized party. Encryption
is the “transformation of plaintext into an apparently less
readable form (called ciphertext) through a mathematical
process. The ciphertext may be
read by anyone who has the key
that decrypts (undoes the encryption of) the ciphertext.”146
Federal and interstate communications systems: National Crime Information
Center, National Law Enforcement Telecommunications System, and other
resources
The National Crime Information
Center (NCIC) is an automated
database of criminal justice and
justice-related information
maintained by the FBI, including “hot files” of missing or
wanted persons, stolen vehicles,
and identifiable stolen property.
Communications components of
the NCIC permit access to
NCIC files through central control terminal operators in each
State that are connected to the
NCIC via dedicated telephone
lines maintained by the FBI.
Local law enforcement agencies
146
RSA Laboratories, “Frequently
Asked Questions About Today’s
Cryptography: Glossary,” available at
http://www.rsasecurity.com/rsalabs/faq/B.html.

and officers can access NCIC
through the State law enforcement network. In July 1999, the
FBI inaugurated the next generation of the NCIC — a project
known as “NCIC 2000.” NCIC
2000 upgrades the NCIC’s telecommunications system and its
hardware to permit the paperless
exchange of information. In addition, NCIC 2000 is able to
handle graphic information in
paperless imaging format, including material such as mug
shots, tattoos, and the signatures
of offenders.147
The National Law Enforcement
Telecommunications System
(NLETS) is a high-speed message system maintained by the
States through a not-for-profit
corporation. NLETS permits the
interstate exchange of criminal
justice information between local, State, and Federal criminal
justice agencies. NLETS supports inquiries into a variety of
State files, including criminal
history files, motor vehicle registration files, driver’s license
files, and other databases maintained by the States. NLETS
also interfaces with the NCIC,
the Royal Canadian Mounted
Police, the National Insurance
Theft Bureau, the National
Center for Missing and Exploited Children, and other national-level files.148
Among the funding priorities
designated in CITA are multiagency, multijurisdictional
communications systems among
147
Federal Bureau of Investigation,
Press Release, July 15, 1999.
148
Use and Management of CHRI,
supra note 22, p. xi.


the States to share routine and
emergency information among
Federal, State, and local law
enforcement agencies. “A 1997
incident along the Vermont and
New Hampshire border underscored the need for multijurisdictional systems. During a
cross-border shooting spree that
left four people dead, including
two New Hampshire State
Troopers, Vermont and New
Hampshire officers were forced
to park two police cruisers next
to one another to coordinate
activities between Federal,
State, and local law enforcement
officers because the two States’
police radios could not communicate with one another.”149 As a
result of this incident, officials
from Vermont, New York, New
Hampshire, and Maine have
developed the “Northern
Lights” proposal, which would
allow these northern-border
States to “integrate their law
enforcement communications
systems to better coordinate interdiction efforts and share intelligence data.”150
The Internet
Perhaps the most important
technological development underpinning the need for a reassessment of the privacy
landscape — the Internet — is
actually a by-product of the
other advances in communications and information technology already discussed. The
number of American Internet

149
144 Cong. Rec. S12,042 (Oct. 8,
1998) (statement of Senator Patrick
Leahy, D-VT).
150

Ibid.


users in 1998 was approximately 47 million.151 It is estimated that, as of September
2000, nearly 148 million
Americans had access to the
Internet, over 89 million of
whom were active users.152 This
explosive growth has caught
everyone’s attention. The public
is “surfing” the Internet in large
and increasing numbers, business is enthralled by the promise
of electronic commerce, and
Congress and the State legislatures are paying close attention
to developments to determine
what legislation is necessary to
regulate everything from Internet privacy to Internet decency
to Internet taxation.

The Internet is a growing means for law enforcement to interact with the public and a valuable research tool. The FBI and other law enforcement organizations, such as the Los Angeles Police Department, post their “most wanted” lists on the Internet.153 Other law enforcement agencies allow citizens to use the Internet to make anonymous tips, report nonemergency crimes, and file initial police reports in certain matters, including burglary, theft, and vandalism.154

As of May 1999, 15 States have posted sex offender and sexual predator registration information from State sex offender registries on the Internet in a format accessible to and searchable by the public.155 These sites commonly include the offender’s name, address, vital statistics, offense (sometimes including case number), and sometimes a photograph as well.156 These sites allow individuals to search by name or geographic area (typically city, county, or ZIP code).157 States are not the only ones to sponsor sex offender sites on the Internet. Local police also maintain sex-offender sites either on their own or in concert with local newspapers.158

151
About.com, Internet Industry, “How many people use the Internet?” (August 1, 1999), available at http://internet.about.com/industry/internet/library/archivebl/stats/blstats2a.htm.

152
Nielsen//Netratings, “Average Web Usage, September 2000,” available at www.nielsen-netratings.com.

153
See, for example, http://www.fbi.gov/mostwant/fugitive/fpphome.htm; and http://www.lapdonline.org/.

154
See, for example, http://www.cji.net/sierraso/index.html (Office of the Sheriff of Sierra County, California); and http://www.placer.ca.gov/sheriff/ (Sheriff’s Department of Placer County, California).

155
See, supra note 103.

156
See, for example, http://www.dps.state.ak.us/nSorcr/asp/ (Alaska); http://www.fdle.state.fl.us/Sexual_Predators/index.asp (Florida); http://www.state.in.us/serv/cji_sor (Indiana); http://www.ink.org/public/kbi/kbiregoffpage.html (Kansas); http://sex-offender.vsp.state.va.us/cool-ICE/ (Virginia); and http://www.statetroopers.com/sexoff/sexoff.shtml (West Virginia).

157
Ibid.

158
See, for example, http://www.ccspd.org/search_output.html (Cook County, Illinois); and
http://oakparkjournal.com/sexoffend-op.htm (Oak Park, Illinois).

In addition to interacting with the public, law enforcement is also using the Internet to interact with fellow law enforcement officers and to do law enforcement work. Internet sites such as www.officer.com and www.leolinks.com provide law enforcement officers with access to a wide array of information on everything from hate groups and terrorism, to computer crime, traffic enforcement, statutes, other law enforcement organizations, police unions, and educational and training opportunities.

Trend toward integrated systems
Traditionally, each of the four components of the criminal justice system — law enforcement, prosecutors, courts, and corrections — maintained a discrete information system designed to meet that component’s particular information needs. There was little, if any, linkage between these systems, and certainly no system architecture that provided one system for all components. In recent years, however, the criminal justice system has worked toward integrating these systems, using a multipurpose architecture.

— Definition of integration
The BJA/SEARCH National Task Force on Court Automation and Integration defines integration of justice information systems to mean, “the electronic sharing of information by two or more distinct justice entities within a system. The degree to which information systems are considered ‘integrated’ depends upon who participates, what information is shared or exchanged, and how data are shared or exchanged within the system.”159

It is also important to understand what integration is not. Integration is not the mere linkage or connection of distributed or dispersed databases. Nor is integration the amalgamation of private data in a particular information system.

Participants
Participation in integrated systems can occur in three principal configurations: vertical integration of criminal justice users, horizontal integration of criminal justice users, and the integration of criminal and noncriminal justice databases. Vertical integration refers to the linkage of systems operated by the same type of criminal justice organization at various levels of government; city police systems are linked with county police systems that are linked with State police systems, which are linked with Federal systems, and so forth. Horizontal integration refers to the linkage of different components of the criminal justice system on a particular level — the State police system, the State court system, the State prosecutors’ system, and so forth. Indeed, local and municipal agencies have been leaders in pioneering horizontal integration.

Information exchanged
The information exchanged by integrated systems varies. “Some systems may include only adult criminal justice data, whereas others may include juvenile, family, domestic relations, and social service data. Some systems may address all operating requirements, such as … revenue management systems, whereas others may limit the database to case management information requirements. However, ‘information’ is increasingly more than just raw data elements: it may include images, audio, video, substance abuse test results, DNA profiles, and fingerprint minutiae.”160

Method of information exchange
The underlying technology of an integrated system may also vary. Information may be exchanged through a common database that is shared by participating agencies. Information may also be shared by a coordinated system, with data maintained in separate databases and exchanged via standardized messages. In addition, hybrid systems exist, which allow agencies to maintain separate databases while using a central database that controls the level of access afforded to different users in the system.161

159
Task Force on Court Automation, supra note 111, p. 2. Although some members of the Privacy Task Force believed that this definition was too narrow, the Task Force used this definition as the basis of its discussions.

160
Ibid., p. 3.

— Benefits and privacy risks of integration
Integration has numerous benefits. Integration may reduce labor costs and operating expenses by eliminating the need for agencies to undertake duplicative data entry and collection, eliminating the need to maintain duplicate records, and increasing efficiency. Furthermore, the data in an integrated system may be more accurate because it was only entered once. The information may also be available on a more timely basis because information collected early in the process is available for later processes even before those later processes begin. This information availability can improve the performance of the courts and criminal justice agencies, and thereby improve public safety. Finally, and perhaps most importantly, data may be more complete because the responsibility for collecting and reporting each data element is firmly fixed with a particular agency.162

Integration, however, also poses privacy risks. First, there is the potential that integrated systems may propagate inaccuracy if the data are entered incorrectly in the first instance. Second, an integrated system may make sensitive data about an individual, which is important to one part of the criminal justice system, readily available to other parts of the system, where that information is not necessary or useful to the needs of that institutional player. The corrections system, for example, gathers large amounts of detailed information concerning the lives of inmates over the course of their incarceration. An inmate’s correction record might include breaches of discipline and resulting disciplinary action; information about sexual activity; sensitive medical information, such as HIV status; drug use and rehabilitation information; mental health information; and educational or employment information. Although this may be important information for the corrections facility where the inmate is held, it is not necessarily relevant to law enforcement officials or others with access to the integrated system.

A third privacy risk arising from integration is that there will be more information and increasing demands for its use. As systems are integrated, the data in those systems become richer and, therefore, more valuable to a wider pool of potential users. Although a system may have been integrated to increase its utility to law enforcement, corrections, prosecutors, and the courts, “function creep” becomes a real possibility and privacy concern. How widely the information in these integrated systems should be made available is a key question. Access by law enforcement, courts, prosecutors, and corrections are common suggestions. Should the list be expanded to include the defense bar or the public defender’s office? What about access for those outside the system, such as child support enforcement and welfare agencies?

A fourth privacy risk arises when information subject to strict rules in one sector is captured by an integrated system operating in a more accommodating privacy environment. Data coming from the privacy-sensitive central repository environment, for example, may be captured in an integrated system subject to the relatively privacy-lenient environment in the courts. This raises a question as to which privacy rules apply to information in an integrated system. Do the standards for the integrated system reflect the policies of the most privacy-protective participating agency, the least privacy-protective, or is a new privacy standard developed for the integrated system? Or, in the alternative, do privacy rules vary depending upon the source of the information or the purposes for which the information is accessed?

161
Ibid.

162
Ibid., p. 29. For a more extensive discussion of the benefits of integration, see, ibid., pp. 29-34. See also, Robert L. Marx, System Integration: Issues Surrounding Integration of County-Level Justice Information Systems, NCJ 156841 (Washington, D.C.: U.S. Department of Justice, Bureau of Justice Assistance, November 1996) p. 29.

A new approach that closely resembles a “Business Model” for the criminal justice system
In recent years, there has been a shift in the way courts and criminal justice agencies view their mission. Increasingly, agencies focus on their interaction with the public and seek to accomplish their missions through active crime prevention efforts in addition to the more traditional approach of reacting to crimes once they occur. In addition to the well-known “community policing” model, there “are literally hundreds of examples of this trend, from offender-victim reconciliation projects in Vermont and Minneapolis to ‘beat probation’ in Madison, Wisconsin; from neighborhood-based prosecution centers in Portland, Oregon, and New York City, to community probation in Massachusetts.”163 These programs come in a variety of forms; the term “community courts,” for example, encompasses a wide range of specialized courts, including: teen courts, drug courts, misdemeanor courts, and family courts.164

These programs rely, in part, on the ability to exchange information with the community about crimes, suspects, and criminals in a quick, accurate, and efficient manner. The importance of information to the new criminal justice model has been described this way:

The new age of community justice is made possible by the power of information. Using geo-coded data, crime control services are organized around locations of crime events, offenders, and victims. Data, both official data about crimes and offenders and qualitative data that come from interaction with offenders, victims, and neighborhood residents, drive problem-solving and action. Information will also provide evaluative feedback about the successes of strategies. The imaginative use (and production of information) is one of the factors that sets aggressive community safety strategies apart from the more mundane concept of the local constable.165

A number of community organizations throughout the Nation use the information-sharing aspects of community policing to fight crime in their communities. Turn Around America, for example, mobilizes neighborhoods in an effort to stop drug trafficking. The group, which is led by neighbors in conjunction with law enforcement and others, is designed to address the economics of the drug trade — separating the buyer from the seller.166 This “separation” of buyer and seller is accomplished by marches through, and vigils at, locations believed to be venues where drug dealing occurs. These activities are designed to spotlight venues where drug trafficking occurs and discourage buyers who fear public exposure. Turn Around America views positive relations and information-sharing with law enforcement as an important element of their ability to succeed.167 Much of the building of positive relations between such community groups and the police can be achieved without the disclosure of personal information. Although Turn Around America claims to have drastically lowered crime in areas it has targeted,168 civil liberties organizations, such as the ACLU, have criticized the group’s practices as harassment and an invasion of privacy of individuals who have not been charged with a crime.169 Concern has also been raised over the propriety of law enforcement organizations sharing information about suspected drug traffickers with these groups.170

In addition to more community interaction, courts and criminal justice agencies are interacting with one another and noncriminal justice agencies in new ways to process offenders, rehabilitate offenders, and prevent future crimes. Criminal justice agencies and the courts frequently recognize new obligations that make them responsible to, and/or dependent upon, other agencies. The Midtown Community Court in Manhattan, which specializes in misdemeanor cases, is one example. “Contained in one building, the Midtown Community Court makes concrete use of a social services center, a community service program, community mediation services, and a sophisticated information network that tracks and relays cases as they travel between departments.”171

This kind of interactivity and accountability often means that CHRI is being widely shared by criminal justice agencies, not only with other law enforcement agencies, but also with social welfare agencies, educational institutions, and the public. These new relationships and initiatives are increasing the amount and expanding the scope of recipients of criminal history information.

163
Todd R. Cleary and David R. Karp, “The Community Justice Movement,” in Community Justice: An Emerging Field, David R. Karp, ed. (New York: Rowman & Littlefield, 1998) p. 3. Hereafter, Community Justice.

164
Ibid., p. 9.

165
Ibid., p. 18.

166
See, http://www.drugfighters.com.

167
As noted in an article about the Turn Around effort in Waxahachie, Texas, “The relationship between the community and police depends on trust, shared information, cooperation, support, mutual respect and social interaction. If you try this approach in your community, make every effort to keep law enforcement officials aware of your group’s concerns, goals and activities. Ask that a representative from the police attend each of your planning sessions. Make certain they understand that your intentions are to enhance and not replace the role of law enforcement within the community. Look at contact with local police as an education that will ultimately benefit everyone.” Nathan Bickerstaff, “Community Anti-Drug Group Development Shows Community and Police Teamwork,” available at http://www.communitypolicing.org/artbytop/w4/w4bicker.htm.

168
Turn Around America cites the following statistics: “The … process has proven effective all over the country with all types of communities in ridding neighborhoods of drug trafficking and drastically lowering crime and violence, for example: Taylor, Texas, 80% crime reduction in targeted area; Waxahachie, Texas, 93% clearance for major crime cases; East Palo Alto, California, 86% drop in crime; and Red Oak, Georgia, 98% drop in 911 calls.” See, http://www.drugfighters.com.

169
See, Victoria Loe, “ACLU Scrutinizing Effort by Authorities to Shame Drug Dealers” Dallas Morning News (July 2, 1996) p. 1A; John Moritz, “Morales Backs Disclosure of Drug House Locations; Anti-Drug Activists Want Addresses to Put Pressure on Dealers, Customers,” Ft. Worth Star-Telegram (December 24, 1996) p. 2.

170
Ibid.

In Texas, for example, law enforcement agencies, prosecutors, and probation officers are required to notify the school district where a student is believed to be enrolled of the student’s arrest for designated offenses. In addition, the school district must be apprised of whether the matter is prosecuted or adjudicated, as well as the final disposition of the matter.172 This information may serve as the basis for the transfer of that student from the general student population into an “alternative education program” that provides instruction in core subjects as well as self-discipline, supervision, and counseling.173

Other examples of these changes, including the publication of sex offender information, reporting of child protection orders, and expanded disclosure of CHRI for background checks in the employment and firearms purchasing contexts, are discussed at length elsewhere in this report. One Task Force member characterized these new information flows as a “data-driven, problem solving approach” to crime and other social problems. These mechanisms are designed with prevention in mind: prevention of sex offenses, of child abuse and endangerment, of poor hiring decisions that could endanger people and create liability for employers, and of firearms purchases by those whom society deems a risk.

Another distinct development is the privatization or outsourcing of criminal justice information functions. Privatization introduces a new player into the information equation — often a private, for-profit company or service bureau. Private contractors, however, can be contractually bound to observe the same standards that are applicable to government agencies. In September 1999, the U.S. DOJ published a final rule amending its regulations to permit the criminal justice agencies, subject to certain controls, to grant private entities access to CHRI for the purpose of providing services for the administration of criminal justice.174 Criminal justice agencies will be required to include a security addendum approved by the Director of the FBI to their agreements with the private-sector contractor to “authorize access to CHRI, limit the use of the information to the specific purposes for which it is being provided, ensure the security and confidentiality of the information consistent with applicable laws and regulations, provide for sanctions, and contain such other provisions as the Director of the FBI (acting for the Attorney General) may require.”175 The regulations also authorize criminal justice agencies to outsource certain dispatching, data processing, and information service functions to other government agencies pursuant to executive order, statute, regulation, or interagency agreement.176

The new prevention model poses potential privacy risks. Sex offender registries, for example, have been criticized by civil libertarians on numerous grounds, including the potential harm to registrants from the public disclosure of their status as registrants. One potential risk is that registrants may be the targets of vigilantism and physically harmed.177 Another risk is that offenders will lose their jobs. In September 1999, Oregon voluntarily placed its plans to provide public access to sex offender registry information over the Internet on hold pending an ACLU-assisted lawsuit, in which 10 sex offenders each claimed that “[i]f his name, photograph, and identity is broadcast over the Internet as a sex offender, he will readily and immediately lose his employment.”178 Accuracy of registry information is also a concern.179 In one instance, a Kansas family was subjected to scorn, and rocks thrown at their mobile home, after local officials posted notices that a sex offender lived at their address. In reality, the sex offender had lived at the address previously and moved without notifying authorities.180

171
Community Justice, supra note 163, p. 9.

172
TEX. CRIM. PROC. CODE § 15.27. This article imposes certain confidentiality requirements on the school district personnel receiving the information.

173
TEX. EDUC. CODE § 37.008.

174
64 Federal Register 52223 (September 28, 1999).

175
Ibid., at 52223 – 52224.

176
Ibid., at 52224.

177
Examples of vigilantism against sex offender registrants reported by the ACLU include the firebombing of a registrant’s car in California, the beating of a man believed to be a paroled sex offender in New Jersey, and the destruction of the homes of registrants in New Jersey and Washington by arson. ACLU, “Names Removed From Missouri Sex Offender List,” Press Release (August 27, 1997), available at http://aclu.org/news/n082897a.html.

178
Robert Ellis Smith, “In the Courts: Sex Offenders,” Privacy Journal Vol. 25, No. 11 (September 1999) p. 7.

179
Accuracy concerns, of course, are not limited to sex offender registries. Inaccurate criminal justice information can have serious repercussions for the individual, including loss of employment. A Maryland woman, for example, reportedly lost her job as a childcare director at a Maryland YMCA, when, during a background check, her name and Social Security number erroneously appeared during a search of a Baltimore County computer in connection with four child protective services cases. Although Baltimore County family services later acknowledged and corrected the error, the woman was not reinstated by the YMCA. Evan Hendricks, “Maryland Woman Victimized by Inaccurate Criminal Data,” Privacy Times, Vol. 17, No. 23 (December 15, 1997) pp. 9-10.

More public access, demand for criminal justice records
Beginning in the late 1970s, policymakers grew increasingly interested in capturing, maintaining, and sharing criminal justice and criminal history record information and grew less interested in providing privacy safeguards for arrestees and offenders. During this same period, as noted earlier, the Supreme Court found that information about arrests and convictions relates to public events and is, therefore, not subject to constitutional privacy protections.181 The result, throughout the 1980s and 1990s, was a steady expansion of statutory and regulatory provisions permitting the use and disclosure of CHRI.

Today, criminal justice and criminal history record information is available from State central repositories not only for criminal justice purposes, but also for a wide variety of noncriminal justice purposes authorized by law or regulation. In particular, these purposes include employment background screening, licensing eligibility checks, and a wide array of noncriminal justice, governmental purposes.

Demand continues to grow. This is particularly true of employers and volunteer organizations, such as the Boy Scouts, which increasingly seek access to CHRI for pre-employment background checks. There are two driving forces behind this increased demand for access: (1) a desire to make informed hiring decisions that assess the potential risk prospective employees may pose to the hiring organization, its employees, or its clients; and (2) a desire to minimize potential legal exposure that could result from hiring individuals without conducting a criminal history check.

The potential for both harm to individuals and resulting employer liability is illustrated by recent negligent hiring cases.182 In one instance, a home health care company in Boston hired a home health care aide without conducting a background check, which would have revealed the aide had six larceny-related convictions, and that he did not have the education or work experience stated on his employment application.183 Several months later, the employee murdered a 32-year-old quadriplegic man in his care and the man’s 77-year-old grandmother, allegedly in order to cover up ongoing theft from the man. The man’s parents sued, alleging that the company was negligent in allowing a convicted felon to care for their son. A jury found for the parents and awarded $26.5 million in punitive and compensatory damages.184

Negligent hiring cases are not limited to positions that are typically viewed as being sensitive either because of the trust the position requires or the vulnerable nature of the population served. A jury held a Florida furniture store that did not conduct a background check liable for $2.5 million in damages for a person who was assaulted by a store employee with a prior criminal record.185 In another set of cases, a pizza delivery chain reportedly paid a total of $375,000 to settle two lawsuits by parents of young boys who were allegedly molested by a pizza delivery man who, unknown to the pizza company, had a prior record for burglary and grand theft.186 In addition to the employer liability question, these cases also raise policy questions about the reintegration of convicted persons into society after their sentence is complete, and if background checks are expected not only of persons in sensitive positions, but also of those in positions traditionally viewed as being less sensitive, such as pizza delivery persons.187

180
Robert Ellis Smith, “Inevitable,” Privacy Journal, Vol. 23, No. 7 (May 1997) p. 4.

181
See, for example, Paul v. Davis, 424 U.S. 693, 713 (1976).

182
Under the tort of negligent hiring, an employer can be held liable for wrongful acts of an employee if the wrongful act was a cause-in-fact of the plaintiff's injury, provided that the failure of the employer to exercise due care in the hiring, training, or supervision of the employee was a cause-in-fact of the act of the employee who caused the injury. See, for example, Miller v. Wal-Mart Stores, Inc., 580 N.W.2d 233 (1998).

It is a rare legislative cycle, however, that does not see the enactment of new State laws authorizing access to criminal history information for noncriminal justice purposes, either for specified noncriminal justice users or the public at large. Unlike some negligent hiring cases, however, most legislative authorizations focus on positions that involve a particular trust or regular interaction with vulnerable populations, such as the sick, the elderly, and children.188 In the 105th Congress, for example, the Senate held hearings on the need for access to criminal history data for nursing home workers; the Congress enacted legislation strengthening the National Child Protection Act, which authorizes background checks for employees providing services to children, the elderly, and the handicapped; and the Congress amended the Fair Credit Reporting Act to permit consumer reports to include conviction information, regardless of how long ago the conviction occurred.

The FBI has reported that the number of criminal history record access requests it receives from noncriminal justice requesters now exceeds the number of requests from criminal justice. Noncriminal justice requests include not only private employers, but also other government agencies not associated with the criminal justice system. An Office of Technology Assessment (OTA) survey in 1979 of criminal history record system managers in 35 States found 20.6 percent of the total number of access requests received by these repositories were by noncriminal justice agencies.189

As long ago as 1981, a BJS/SEARCH report, Privacy and the Private Employer, recognized that increased access to criminal history information, particularly for employment purposes, was a nascent trend. At that time, however, there was little data regarding the number of criminal history information requests made to criminal justice agencies by private employers.190 The report recognized that one means by which employers could obtain criminal history information about applicants — in addition to asking the applicant directly or using a third party such as a consumer-reporting agency — was “to request the data directly from criminal justice agencies, usually local police departments.”191 The role of local police departments was highlighted in the report, which noted that many State statutes regulating the disclosure of criminal history information regulated only disclosures by the State repositories, not local law enforcement.192

183
See, Ward v. Trusted Health, No. 94-4297 (Suffolk Super. Ct., Mass. February 1999). See also, Mayer & Riser, PLLC, “Worker Murders Man and His Grandmother: Employer Liable for Negligent Hiring,” available at http://www.mayer-riser.com/Articles/ap/liability/neghiring0599.htm.

184
Ibid.

185
See, Tallahassee Furniture Co. v. Harrison, 583 So.2d 744 (4 Fla. App. 1991), rev. denied 595 So.2d 558 (Fla. 1992). In addition to failing to conduct a background check on the man, who worked for the company’s owner as a part-time laborer for several months prior to being hired as a full-time deliveryman, the furniture store also failed to conduct a job interview, request references, or request that the man complete an application form. Ibid.

186
See, Employment Data Services, “Negligent Hiring the New ‘Entitlement,’” available at http://users.javanet.com/~empdata/negligent.html.

187
In addition to concerns about reintegrating the former offender into society, there is also the related risk that the former offender will be unable to obtain gainful employment and will be consigned to a permanent underclass.

188
Other policy considerations are the basis for permitting access to noncriminal justice users. Manufacturers, distributors, and dispensers of controlled substances are prohibited from hiring individuals convicted of felonies related to controlled substances, and are expected to screen employees in other circumstances. See, 21 C.F.R. §§ 1301.76, 1301.90, 1301.93.

189
Gary R. Cooper and Robert R. Belair, Privacy and the Private Employer, Criminal Justice Information Policy series (Washington, D.C.: U.S. Department of Justice, Bureau of Justice Statistics, 1981) p. 14 (citing An Assessment of the Social Impacts of NCIC and CCH, prepared by the Bureau of Governmental Research and Service, University of South Carolina, for the U.S. Congress’ Office of Technology Assessment (1979) p. 227). Hereafter, Privacy and the Private Employer.

190
Privacy and the Private Employer, p. 14.

191
Ibid.
A 1998 survey determined that
approximately 35% of the fingerprint cards submitted by the
States to the FBI and processed
during fiscal year 1997 were for
noncriminal justice purposes.193
The survey found that in eight
States — Delaware, Florida,
Idaho, Massachusetts, Nevada,
New Jersey, Oregon, and
Washington — and the District
of Columbia, the number of requests for noncriminal justice
purposes exceeded the number of
requests made for criminal justice purposes.194 A similar 1993
study found that only approximately 9% of the fingerprint
cards the FBI received from the
States that year were for noncriminal justice purposes, with
no States submitting more noncriminal justice requests than
criminal justice requests.195
There are several State law patterns and similarities in the
treatment of criminal history
record dissemination for noncriminal justice purposes. Most
States treat conviction information and open-arrest information
less than 1 year old (arrests with
no record of disposition) differently from nonconviction information. Typically, States
place few or no restrictions on
the dissemination of conviction
records, and a number of States
do not place restrictions on
open-arrest information less
192

Ibid., pp. 34-35.

193

Compendium, supra note 60, p. 8.

194

Ibid.

195

Ibid., pp. 8-9.

than 1 year old. Nonconviction
records are restricted to a
greater degree, with dissemination frequently limited to specified types of noncriminal justice
users for specified purposes.196
The different approaches reflect
the fact that the widespread dissemination of nonconviction
information makes it more difficult for an innocent arrestee to
be reintegrated into society.197
Finally, the widespread reporting and dissemination of nonconviction data may exacerbate
the potentially disproportionate
adverse impact of the criminal
justice system on minority
populations.198

196

State statutes vary in their level of
detail. Many States rely upon executive
orders, regulations, and written and
unwritten repository policies to supplement and elaborate on their statutes.
Ibid., p. 8.
197

A Maryland woman, for example,
is reported to have lost her job running
a daycare center at a military housing
complex because a background check
revealed that the woman was arrested
for burglary and assault. According to
reports, the woman had been erroneously arrested in 1985. Her superiors
subsequently acknowledged that there
was a discrepancy, but did not offer to
rehire her. See, supra note 179.
198

See, supra note 47. See also, Michael A. Fletcher, “Criminal Justice
Disparities Cited,” Washington Post
(May 4, 2000) p. A2; Leadership Conference on Civil Rights and Leadership
Conference Education Fund, Justice on
Trial: Racial Disparities in the Criminal Justice System (Washington, D.C.:
May 4, 2000), available at
http://www.civilrights.org/policy_and_legislation/pl_issues/criminal_justice/.

Some States authorize the use of
conviction information for any
occupational licensing or employment purpose, while other
States limit authorization for
background checks using conviction and, particularly, nonconviction information to
applicants for specific high-risk
occupations, such as child care,
sensitive government positions,
elder care, care of the disabled,
health care, banking, firefighters, and police.199 Similarly, the
“Bible Rider” authorized the
FBI to exchange conviction information with officials of federally chartered or insured
banking institutions and certain
segments of the securities industry and with nuclear power
plants.200
Another area where the States
are authorizing access to CHRI,
or even actively disclosing the
information, relates to sex offenders. As noted earlier, 15
States now post sex offender
registration information on the
Internet. Other States, such as
New York and California, offer
a “900 number” for citizens to
call to find out if an individual
is a registered sex offender.201
199

Compendium, supra note 60, p. 9.

200

This measure is popularly referred
to as the “Bible Rider” because it was
originally sponsored by then-Senator
Alan Bible (D-NV), who attached the
authorization for such exchanges of
information as a rider to an appropriations bill. Regulations have since been
published at 28 C.F.R. § 50.12.
201

Robert Teir and Kevin Coy, “Approaches to Sexual Predators: Community Notification and Civil
Commitment,” 23 New England Journal on Criminal and Civil Confinement
(Summer 1997) pp. 405, 409, n. 18.

This trend, spurred primarily by
public reaction to high-profile
abductions, rapes, and murders
of young children, is discussed
in more detail in the subsequent
discussion of Federal legislation
in this chapter.
The Task Force expects the number
of users authorized to access CHRI
for various purposes to continue to grow.

Changes in the marketplace: Growing commercialization of records as private companies sell criminal justice records compiled from public record information
— The changing marketplace
In the last few years a new marketplace has emerged to meet
the burgeoning noncriminal justice demand for criminal history
data and to take advantage of
changes in information technology. Today, private companies
routinely “harvest” public record information, including arrest and conviction information,
from newly automated court
dockets and, to a lesser extent,
police blotter systems.202 These
202

Court records contain far more information than simply indexes of
charges leveled against a criminal defendant and the disposition of those
charges. Criminal court records may
also include transcripts of preliminary
hearings and court proceedings, voir
dire information, exhibits submitted
into evidence, deposition information,
motions and pleadings, and other information generated as a case advances
through the criminal justice system.
These records can easily include sensitive personal information about the
defendants, victims, and witnesses in a
particular case. This information can be
generated not only as paper records, but
also in the form of computer-aided
transcription, videotaped depositions,
and in some jurisdictions, televised
trials. Court systems are increasingly
aware of the sensitive nature of the
information contained in court records.
In Washington, for example, the State
Judicial Information System Committee is conducting public meetings
around the State to discuss the impacts
and effectiveness of its data dissemination policy as part of its review of the
policy. “The policy review will focus
on the major issues that the requests for
information have raised over the last
four years and will revisit the extent to
which compiled information on individuals needs protection.” See, “Data
Dissemination Policy Review,” available at
www.courts.wa.gov/datadis/policy.cfm.

companies then sell the criminal
history profiles to employers,
insurers, and other noncriminal
justice users. In addition, individual reference services “provide critical assistance to
Federal, State, and local government agencies to carry out
their law enforcement and other
missions.”203 Further, these
companies or their customers
may merge criminal record information with an individual’s
education, employment history,
credit history, and other records,
as well as with putative data to
create informal but, nonetheless,
powerful and comprehensive
reports.

203
Federal Trade Commission, Individual Reference Services: A Report to
Congress (December 1997) p. 9.

Although court records have
always been in the public domain, these records were maintained on a court-by-court basis,
and were organized either
chronologically or by docket
number, or by name, sometimes
with a date of birth in an index
available to the public. In addition, these records were manual,
paper-boxed records requiring a
researcher to travel to the court
to physically access and inspect
the records. All of this had the
practical impact of limiting the
accessibility of these records to
those who had reason to believe
that a particular individual had
appeared in a particular court at
a particular time, and had the
resources and motivation to
conduct this kind of a search.
The automation of court records
and, to a lesser extent, of police
blotters and the emergence of
companies that harvest and disseminate arrest and conviction
records have changed the criminal justice information privacy
landscape. These companies,
frequently referred to as “individual reference services companies,” gather not only CHRI,
but also other types of personal
and public record information.
The companies make this information available to corporate
and professional users, as well
as government agencies and
individuals.
This information, compiled
from a variety of sources, can be
used for a wide range of purposes, which may or may not be
regulated by statute.204 Information obtained from public record
sources, for example, is used for
preventing fraud; promoting
child support enforcement; locating witnesses for civil and
criminal cases, and missing
children, heirs, and beneficiaries; protecting consumers from
unqualified “professionals” or
potential predators; locating and
apprehending individuals eluding law enforcement; supporting
media research; and increasing
the ease with which the public
can access public records.205

204

Over a dozen State constitutions
contain language protecting personal
privacy rights, usually from government interference. See, Fred H. Cate,
Privacy in the Information Age
(Washington, D.C.: Brookings Institution Press, 1997) pp. 66-68. Some State
constitutional provisions, such as Article 1, Section 1 of the California Constitution, have been interpreted to apply
to both the public and private sector.
The California Supreme Court has held
that a plaintiff alleging an invasion of
privacy in violation of the State constitutional right to privacy must establish “(1) a legally protected privacy
interest; (2) a reasonable expectation of
privacy in the circumstances; and (3)
conduct by the defendant constituting a
serious invasion of privacy.” Even if
the plaintiff proves all three of these
elements, the defendant has an affirmative defense if the invasion of privacy
“substantially furthers one or more
countervailing interests” and the plaintiff is unable to show there are “feasible
and effective alternatives to [the] defendant’s conduct which have a lesser
impact on privacy interests.” Hill v.
National Collegiate Athletic Association, 865 P.2d 633, 657 (Cal. 1994). To
date, however, application of these
State constitutional privacy protections
has not resulted in significant information privacy protections beyond those
derived from the U.S. Constitution.
Cate, Privacy in the Information Age,
p. 68.

205

Piper & Marbury, L.L.P., White
Paper: Individual Reference Services
(Washington, D.C.: Individual Reference Services Group, December 1997)
p. 2. Hereafter, IRSG White Paper,
available at http://www.irsg.org/html/white_paper.htm.

One member of the IRSG, the
Online Professional Electronic
Network (OPEN), for example,
makes a relatively comprehensive criminal arrest and conviction record search product
available to its business and professional subscribers that
“searches millions of online arrest records submitted by county
jail facilities from an every-growing [sic] number of States.
Arrest record data includes
booking time, inmate ID, arresting agency and charge code
with description. Also available
through this search is the ability
to place orders for on-site
searches for conviction information in any U.S. County.”206
For this product, arrest records
can be searched using name or
Social Security number, while
conviction information searches
require name, Social Security
number, date of birth, and
county to be searched.207

206

“OPEN Products,” available at
http://www.openonline.com/productguide.htm#criminalacrcmvoc.htm.

207

Ibid.

Another reference services
company, identifying itself on
the Internet as the “Global Information Network,” offers several CHRI products, including: a
“county criminal court record
report,” from a potential pool of
3,300 counties; a “Statewide
criminal repository record report,” from approximately 30
State repositories (a release
form from the subject may be
required); and a “Federal criminal court record report” for actions in the Nation’s 94 Federal
District Courts.208 Typically,
county record searches are
completed within two business
days, Federal court searches
within three business days, and
State repository requests “usually take considerably longer …
the turn around varies by
State.”209 This vendor accepts
orders via a toll-free telephone
number; other companies selling
background checks permit ordering online.210
In addition to the commercial
sale of CHRI to the public, a
number of commercial vendors
also sell identification and location products that are used by
law enforcement agencies
ranging from the U.S. Marshals
to local sheriff’s departments
for the apprehension of fugitives.211 U.S. Marshals, for example, were able to apprehend
two fugitives using a system
offered by CDB Infotek, a
member of the IRSG. The Marshals entered the names of two
fugitives and the system returned information indicating a
nearby location. DBT, another
member of the IRSG, reports
that its products are used by
more than 1,000 law enforcement agencies and that law enforcement has used its products
to apprehend criminals ranging
208
See, for example, http://www.searchinfo.com/criminal.html.
209

Ibid.

210

Ibid. For an example of a firm
permitting online ordering, see,
http://www.1800ussearch.com.
211
IRSG White Paper, supra note 205,
p. 12.

from child kidnappers to bank
robbers to jewel thieves.212
— The Fair Credit Reporting Act
The Fair Credit Reporting Act
of 1970 (FCRA), as amended,
regulates the use of CHRI by
consumer-reporting agencies for
employment, credit, and certain
other purposes.213 Consumer-reporting agencies are organizations that, for a fee or on a cooperative, nonprofit basis, are in
the practice of assembling or
evaluating personally identifiable information obtained from
third parties and bearing upon a
consumer’s credit worthiness,
character, reputation, personal
characteristics, or mode of living. This, of course, includes
criminal history information,
212

See, http://www.dbtonline.com. A
special agent of the Bureau of Alcohol,
Tobacco and Firearms characterized the
value of such services as “a tremendous
benefit to our law enforcement mission
and a real time saver … . The spontaneous retrieval of accurate data maintained in [the database] contributed to
effectively directing and positioning
our surveillance teams that resulted in
the surrender of two suspects. When
one of the suspects was believed to be
in a large apartment complex, your …
system was able to provide us complete
drivers license information for every
driver in the complex which totaled
over 700 and did so in less than 10
minutes. [It] is an incredible tool for
law enforcement providing us with a
capability to assimilate information
from your uniquely cross referenced
records.” Letter from Robert J.
Creighton, Special Agent in Charge,
Miami Field Division, Department of
the Treasury, Bureau of Alcohol, Tobacco and Firearms, to Database Technologies, Inc. (September 14, 1995).
213

15 U.S.C. § 1681 et seq.

such as arrest and conviction
information.
Under the FCRA, a consumer-reporting agency may only provide a consumer report to a
party when the agency has reason to believe that the party will
use the report to make a credit
determination, an employment
determination, an insurance underwriting determination, or
otherwise in connection with a
legitimate business need in a
transaction involving the consumer or pursuant to written
instructions of the consumer.214

214

Consumer-reporting agencies,
however, are forced to rely on the representations of permissible purposes
made by their customers. Therefore, if
a customer makes a false representation, he or she can obtain a consumer
report without actually having a permissible purpose. Although making
such a misrepresentation is punishable
under the FCRA, the penalty may not
always be sufficient to discourage the
conduct. Such appears to have been the
case in WDIA v. McGraw-Hill, C-1-93448 (December 1, 1998, S.D. Ohio). In
WDIA, a consumer-reporting agency
sued the parent company of Business
Week after a Business Week reporter
obtained a consumer report on then-Vice President Dan Quayle for an article, after falsely representing that he
had a permissible purpose to receive
the report. WDIA sought $75,000 in
actual damages and $45 million in punitive damages. However, the court,
which ruled in WDIA’s favor on the
merits, awarded only $7,500 in actual
damages and no punitive damages at
all, noting that the news coverage was a
“vital public interest” and Business
Week promised not to engage in such
conduct in the future. The reporter is
reported to have claimed the ruling was
a “vindication.” Robert Ellis Smith, “In
the Courts: Business Week” Privacy
Journal, Vol. 25, No. 3 (January 1999)
p. 7.

As substantially amended in
1997, the FCRA includes all of
the safeguards expected in a
comprehensive, fair information
practice/privacy statute, including notice to consumers; consent, including opportunities for
opt-in/opt-out; accuracy, relevance, and timeliness standards;
confidentiality and use safeguards; security expectations;
consumer access and correction
rights; content restrictions; and
remedies, including administrative sanctions and private rights
of action. More specifically, the
FCRA provides consumers with
the following privacy rights:
• A consumer-reporting agency that furnishes a consumer report for
employment purposes containing public record information, including
criminal history records, which is “likely to have an adverse effect upon
a consumer’s ability to obtain employment,” must either provide the
consumer with notice at the same time that the information is reported to
the potential employer or “must maintain strict procedures” to ensure
that the information is complete and up-to-date.215

• A consumer must be notified when information is used to take an action
against him or her, such as the denial of employment. In such cases, the
party denying the benefit must provide the consumer with information on
how to contact the consumer-reporting agency that provided the
information.

• Consumer-reporting agencies must, upon request, provide a consumer with
a copy of that consumer’s file, as well as a listing of everyone who has
requested it recently. The cost to the consumer of obtaining the report
cannot exceed $8, and may be free if requested in connection with a
recent denial of benefits or other specified circumstances.

• Consumers are permitted to request a correction of information they
believe to be inaccurate. The consumer-reporting agency must investigate
unless the dispute is frivolous. The consumer-reporting agency must also
send a written investigation report to the individual and a copy of the
revised report, if changes were made. The consumer may also request that
corrected reports be sent to recent recipients. If the dispute is not
resolved in the consumer’s favor, the consumer has the option of adding a
brief statement to the consumer’s file, typically for distribution with
future reports.

• Consumer-reporting agencies must remove or correct unverified or
inaccurate information from their files, typically within 30 days after
the consumer disputes the information.

• In most cases, a consumer-reporting agency may not report negative
information that is more than 7 years old (including arrest information);
10 years for bankruptcies. A 1998 amendment to the FCRA permits the
inclusion of criminal conviction information, without time limitations.

• Consumers can sue for violations or seek assistance from the FTC and
other Federal agencies responsible for the enforcement of the FCRA.

215

15 U.S.C. § 1681k (FCRA § 613).

— The Individual Reference Services Group
In 1997 the major companies in
the individual reference services
industry, joined by the three
national consumer-reporting
systems, established the Individual Reference Services
Group (IRSG). Companies in
the individual reference services
industry provide public record
information, including CHRI
(obtained primarily from the
courts), to government agencies,
companies, law firms, private
investigators, and, in some instances, the public. The IRSG
adopted self-regulatory principles (IRSG Principles) that became effective at the end of
1998.216 The IRSG Principles
require signatory and complying
companies to:

• Make efforts to educate their customers and the public about their
services, the privacy issues associated with those services, the IRSG
Principles, and the societal benefits from the responsible flow of
information.

• Acquire individually identifiable information from only reputable
sources in the public and private sector and take measures to understand
the information collection practices of those sources.

• Take reasonable steps to ensure the accuracy of the information in their
products, and to either correct inaccurate information or refer the
individual to the agency that created the information.

• Limit the distribution of nonpublic information according to specified
criteria based on the nature of the information requested and the
intended use of that information.

• Maintain systems and facilities to protect information from
unauthorized access by means of physical, electronic, and administrative
safeguards.

• Have an information practices policy statement notifying individuals of
their information practices.

• Provide individuals with a means for limiting the general public’s
access to nonpublic information. The companies may also provide
individuals with the ability to limit access to other information in
their databases.

• Provide individuals with information about the types and sources of the
public record and publicly available information that the companies
include in their information products and services.

• Limit the distribution of information about individuals identified as
being less than 18 years of age.

216

Individual Reference Services
Group, “Individual Reference Service
Industry Principles” (December 15,
1997), available at
http://www.irsg.org/html/industry_principles_principles.htm. The
IRSG Principles apply to information
products that assist users to identify
individuals, verify identities, and locate
individuals for various purposes. These
identification and location products are
beyond the scope and protections of the
FCRA because they do not bear on one
of the seven characteristics (credit
worthiness, credit standing, credit capacity, character, general reputation,
personal characteristics, or mode of
living) set forth in the FCRA definition
of “consumer report,” which is set forth
at 15 U.S.C. § 1681a(d).

— Privacy risks posed by changes in the marketplace
Changes in the marketplace,
particularly the emergence of
sophisticated private-sector
networks providing CHRI, raise
a number of privacy issues:
• First, of course, private-sector resellers of criminal histories
encourage and facilitate the availability of criminal history information
to the public or to noncriminal justice business users in a way that is
fast, convenient, and inexpensive.

• Second, the commercial marketplace for criminal histories may exacerbate
the risk of communicating incomplete or inaccurate records. Records
obtained from police blotters or from court sources are customarily less
complete than records held by the State criminal record repositories.

• Third, there is certainly the potential that the commercial sector will
keep and disclose records, regardless of how long ago the underlying
offense occurred. Although the FCRA provides a 7-year limitation for
disclosures of arrest information by consumer-reporting agencies,
nonconsumer-reporting agencies are subject to no such restriction. In
addition, as noted, the FCRA was amended in 1998 to permit the disclosure
of conviction information, regardless of the date of the conviction. As a
result, it is legally possible to create a private criminal history
database that will forever record and report an individual’s interactions
with the criminal justice system.

Thus, private databases may outflank State sealing and expungement laws.
Once a criminal record has been captured in a private database or
published in the newspaper (now also electronically searchable and
available on the Internet) or published on the Internet, court or other
legal directives to seal or expunge those records have limited effect.

• Finally, because private databases seldom are supported by fingerprints
or other biometric identifiers, they run a risk of misidentification and
of attributing erroneous information to an individual. On the other hand,
Task Force participants are aware of few examples of misidentification
arising from name checks used in commercial criminal history reporting
systems.

Although commercial harvesting and reporting of criminal
histories may pose a privacy
risk, it should also be noted that
commercial systems meet a
burgeoning noncriminal justice
demand and facilitate use of
these records for numerous important public safety, anti-fraud,
and other economically and socially important purposes.217

Federal and State initiatives
The Federal government is
spearheading numerous initiatives aimed at providing
authorized users with better and
more timely criminal justice
information. One inevitable effect of such efforts is to create at
least the potential for new and
217
IRSG White Paper, supra note 205,
p. 1. “Individual reference services
provide important societal benefits.
They help a broad range of people,
from welfare mothers seeking to enforce child support orders, to pension
beneficiaries and heirs, to fraud victims. These services also assist in important governmental functions, such as
tracing fraud, apprehending criminals,
and locating witnesses to crimes.” Ibid.

significant privacy risks. This
report describes several initiatives.
Perhaps the most important of
the new Federal initiatives is the
National Instant Criminal Background Check System (NICS),
which became operational in
November 1998. NICS, as
authorized in the 1993 Brady
Handgun Violence Prevention
Act, provides firearms dealers
with instantaneous information
about whether an individual has
a criminal history record background that makes the individual ineligible to obtain a
firearm. The NICS draws on
three Federal databases that include CHRI, information on
wanted persons, and certain
other kinds of sensitive information, including mental health
information, information on individuals who have received
dishonorable discharges from
the military, and citizenship
status information. The sensitivity and breadth of this information, combined with its
availability on a name-only basis, seems certain to add fuel to
the criminal justice information
privacy debate.
In 1998, as noted, Congress
amended the FCRA to remove a
provision that prohibited consumer-reporting agencies from
reporting “obsolete” conviction
information (that is, convictions
more than 7 years old).218

218

Consumer Reporting Employment
Clarification Act of 1998, Pub. L. No.
105-347, § 5. It has been suggested that
a similar FCRA obsolescence requirement for arrest information also be
eliminated.

— The Security Clearance Information Act of 1985
The Security Clearance Information Act of 1985 (SCIA)219
opens virtually all CHRI to the
Central Intelligence Agency, the
Office of Personnel Management, the U.S. Department of
Defense, and the FBI for background checks for security
clearances and for placement of
people in national security duties. This Act eliminated wide
disparities between State laws;
some gave the security agencies
broad access and others provided no access at all.220
SCIA, however, does not provide unlimited access. The General Accounting Office (GAO),
in a February 1999 report on the
military’s criminal history
screening practices, noted that
SCIA does not require States or
the FBI to provide the military
with access to criminal history
records for determining whether
an individual is suitable for
mere enlistment in the military.221 In addition, Federal
219
Pub. L. No. 99-169 (1985), codified in part at 5 U.S.C. § 9101.
220
Robert R. Belair, “Public Availability of Criminal History Records: A
Legal Analysis,” in Open vs. Confidential Records, Proceedings of a
BJS/SEARCH Conference, NCJ 113560
(Washington, D.C.: U.S. Department of
Justice, Bureau of Justice Statistics,
1988) p. 16.
221
Military Recruiting: New Initiatives Could Improve Criminal History
Screening, GAO/NSIAD-99-53
(Washington, D.C.: U.S. General Accounting Office, February 1999) p. 11.
Hereafter, Military Recruiting Report.
According to this report, the U.S. Department of Defense has proposed legislative changes to “give it the authority
to readily obtain access to State and
local criminal history information at
reasonable costs for the purpose of
accepting or retaining individuals into
service.” Ibid., p. 12, n. 12.

agencies cannot obtain sealed
data, thereby preserving State
prerogatives in the area. Furthermore, Federal agencies must
obtain the written consent of the
individual, and the information
obtained may only be used for
national security purposes.
— Sex offender statutes
In 1989, Jacob Wetterling, then
11, was abducted at gunpoint by
a masked man, never to be seen
again.222 In 1994, 7-year-old
Megan Kanka was raped and
murdered by a repeat sex offender who lived next door to
her, after he lured her inside
with promises to let her play
with a puppy. Polly Klaas and
Ashley Estelle suffered similar
fates at the hands of offenders in
California and Texas, respectively. These crimes brought
repeat sex offenders to the forefront of the national consciousness and led to a flurry of State
and Federal legislation.223
Texas State Senator Florence
Shapiro (R-Plano), who spearheaded the drive for sex offender legislation in Texas
following the abduction, rape,
222
Patty Wetterling, “The Jacob Wetterling Story,” in National Conference
on Sex Offender Registries: Proceedings of a BJS/SEARCH Conference, NCJ
168965 (Washington, D.C.: U.S. Department of Justice, Bureau of Justice
Statistics, May 1998) p. 3. Hereafter,
Sex Offender Registries Conference.
223
See, Teir and Coy, supra note 201,
p. 405.

and murder of 7-year-old Ashley Estelle, summed up the importance of such legislation this
way: “Legislatures and justice
agencies must remove barriers
that prevent the free flow of information between agencies so
criminal justice professionals
are not reluctant to do their job
out of fear of liability. Information is critical to our systems.
Secrecy is the sex offender’s
best friend, so we must shine a
light on everything they do.”224
A string of recent Federal statutes seeks to turn on that light.
The Jacob Wetterling Crimes
Against Children and Sexually
Violent Offender Registration
Act, named after Jacob Wetterling, requires States to establish
effective registration systems
for convicted child molesters
and other sexually violent offenders. The most dangerous of
these offenders, “sexually violent predators,” are subject to
more stringent registration standards. The Act requires States to
require designated sex offenders
to register and provide law enforcement with a current address for 10 years, with sexually
violent predators required to
provide more extensive registration information. The Act
also requires that this information be retained by the State
central repository and made
public in certain public safety
circumstances.225

224
Florence Shapiro, “The Big Picture
of Sex Offenders and Public Policy,” in
Sex Offender Registries Conference, p.
94.
225

42 U.S.C. § 14071.


The Federal Megan’s Law,
named after Megan Kanka,
builds on the Wetterling Act.226
While the Wetterling Act, as
originally enacted, gave law
enforcement the option to release information about sex offenders who were perceived as a
threat to public safety, Megan’s
Law, like many of its State
counterparts, requires States to
release information about sex
offenders when it is required for
public safety. This “mandatory
community notification” is designed to inform parents and
members of the community
when a sex offender, who is
perceived to be a threat to public safety, moves into a neighborhood. Megan’s parents said
after their daughter’s rape and
murder that they had been unaware that her killer, who was
their neighbor, was a previously
convicted sex offender, and that
they would have been especially
vigilant if they had known a
convicted sex offender lived in
their midst.
The third of the Federal sex offender statutes, the Pam
Lychner Sexual Offender
Tracking and Identification
Act,227 establishes a national
database for the tracking of sex
offenders. The Act also requires
the FBI to administer sex offender registration programs in
States that fail to have “minimally sufficient” programs. Finally, the Act changes the
Wetterling Act requirement that
offenders register for 10 years to
a lifetime registration requirement for aggravated offenders,
recidivists, and sexually violent
predators.228

226
104 P.L. 145, 100 Stat. 1345.
227
The Lychner Act was named in
memory of victims’ rights activist Pam
Lychner, who founded the victims’
rights organization Justice for All after
she was brutally attacked by a twice-convicted felon. She later died, along
with her two daughters, in the crash of
TWA flight 800 in July 1996.

— The Brady Handgun
Violence Prevention Act
The 1993 Brady Handgun Violence Prevention Act229 established the NICS for the purpose
of determining if an individual
is disqualified from the purchase of a firearm on the basis
of: indictment for or conviction
of a felony; being a fugitive
from justice; being an unlawful
user of, or addicted to, a controlled substance; having been
adjudicated as mentally defective or committed to a mental
institution; being an illegal
alien; having renounced U.S.
citizenship; being dishonorably
discharged from the military;
having been convicted of a misdemeanor of domestic abuse; or
being subject to a protective
order.230
When a Federal firearms
licensee conducts a NICS check,
a name search is conducted in
three different databases at the
national level to determine the
eligibility status of an applicant
to purchase a firearm: the
NCIC, III, and the NICS index.
The NICS index “contains about
940,000 records of prohibited
persons, as outlined in the
Brady Act, such as individuals
who have received dishonorable
discharges from the armed
services, individuals who have
renounced their citizenship,
mental defectives,
illegal/unlawful aliens and
others.”231

228
42 U.S.C. § 14072.
229
Pub. L. No. 103-159 (November
30, 1993).
230
18 U.S.C. § 922(g) (Supp. 1997).

Recognizing the potentially
sensitive nature of the
information that would be used
by the NICS, the Brady Act
requires establishment of security
and privacy safeguards: “After
90 days’ notice to the public and
an opportunity for hearing by
interested parties, the Attorney
General shall prescribe
regulations to ensure the privacy
and security of the information of
the [NICS] system.”232 Further,
the Act prohibits gun dealers
from disclosing nonpublic
information received as a result
of a background check except to
the purchaser or to law
enforcement authorities, or
pursuant to a court order. The
Act also addresses the retention
and destruction of background
check records and firearms
purchaser applications. Further,
the Brady Act gives purchasers a
right to review denials and
correct erroneous information,
and prohibits the establishment
by Federal agencies of firearms
registration systems.

On October 30, 1998, the U.S.
DOJ issued final regulations for
the NICS.233 The final rule
included provision for an “audit
log” that would be retained on a
temporary basis “solely for the
purpose of satisfying the
statutory requirement of ensuring
the privacy and security of the
NICS and the proper
administration of the system.”234
During 1999, NICS’ first full
year of operation, NICS
processed about 8.6 million
inquiries. The FBI conducted
about one-half of the presale
background checks for which
these inquiries were made, with
the other half being handled by
State and local agencies. In 1999,
approximately 2.4% (204,000) of
applications for firearm transfer
were rejected. The FBI’s
rejection rate was 1.8% (81,000
applications) and the rejection
rate for checks handled by State
and local agencies was 3%
(123,000 applications). In over
70% of the cases where an
application for firearms transfer
was rejected, a current felony
indictment or prior felony
conviction was the reason.235

231
National Instant Criminal Background Check System (NICS): The
First Seven Months (November 30,
1998-June 30, 1999) (Washington,
D.C.: Federal Bureau of Investigation,
Criminal Justice Information Services
Division) pp. 2-3. The 940,000 records
in the NICS index, which concern
mental defectives, the dishonorably
discharged, etc., are currently only a
small portion of the overall number of
records checked as a part of a Federal
NICS check, when compared to the
approximately 34.7 million criminal
history records in the III and the
700,000 records on wanted persons and
protective orders in the NCIC. Ibid., p.
3.
232
18 U.S.C. § 922 Historical and
Statutory Notes, National Instant
Criminal Background Check System §
(h) (Supp. 1997).

— The National Child
Protection Act

233

63 Federal Register 58303 (October 30, 1998), to be codified at 28
C.F.R., Part 25.
234

Ibid. On November 30, 1998, the
same day NICS became operational, the
National Rifle Association filed suit in
Federal district court arguing that the
FBI’s audit log, even if intended to be
“temporary,” was a violation of Section
103(I) of the Brady Act (prohibiting Federal agencies from establishing a national
gun registry). Both a Federal district
court and the Court of Appeals for the
District of Columbia Circuit have held in
favor of the government. See, National
Rifle Association of America v. Reno,
216 F.3d 122 (D.C. Cir. 2000).


The National Child Protection
Act of 1993 (NCPA)236 authorizes States to make nationwide
background checks (based upon
fingerprint-based identification)
to determine if a care “provider
has been convicted of a crime
that bears upon the provider’s
fitness to have responsibility for
the safety and well-being of
children, the elderly, or individuals with disabilities.”237 The
NCPA, as originally enacted,
permitted use of the national
system only as authorized by
State law and approved by the
U.S. Attorney General.238 This,
as might reasonably be expected, resulted in inconsistencies among State laws. National
volunteer organizations, such as
the Boys and Girls Clubs of
America, found themselves with
State-authorized access in only
235

Lea Gifford, et. al., Background
Checks for Firearm Transfers, Bulletin
series, NCJ 180882 (Washington, D.C.:
U.S. Department of Justice, Bureau of
Justice Statistics, June 2000), pp. 1-3.
236
Pub. L. No. 103-209 (Dec. 20,
1993).
237

42 U.S.C. § 5119a(a).

238

Ibid.

six States, yet with volunteers in
all 50 States.239 As a result of
these concerns, Congress
amended the NCPA in 1998 to
permit qualified entities, such as
schools or youth-serving nonprofit organizations, to conduct
fingerprint-based background
checks using the national system regardless of whether State
law specifically authorizes them
to conduct such checks, provided that certain criteria are
met.240
The number of people/positions
potentially covered by the
NCPA is staggering. In the area
of child care alone, for example,
State criminal record check
statutes frequently cover daycare, foster and adoptive homes,
schools, social service/welfare
agencies, school bus/transportation services, juvenile detention/residential facilities, those
with supervisory or disciplinary
power over children, youth organizations, youth camps, public recreation, or youth
programs.241 The American Bar
239
Testimony of U.S. Representative
Mark A. Foley (R-FL) before the
House Judiciary Subcommittee on
Crime regarding H.R. 2488, the Volunteers for Children Act (April 30,
1998).
240

Volunteers for Children Act, Pub.
L. No. 105-251, §§ 221-222 (October
9, 1998), 112 Stat. 1885 (amending 42
U.S.C. § 5119a).
241

Noy S. Davis, “Authorized Record
Checks for Screening Child Care and
Youth Service Workers,” in National
Conference on Criminal History Records: Brady and Beyond, Proceedings
of a BJS/SEARCH Group Conference,
NCJ 151263 (Washington, D.C.: U.S.
Department of Justice, Bureau of Justice Statistics, 1995) p. 85, figure 2.
Hereafter, Brady Conference.


Association Center on Children
and the Law estimates that
nearly 35 million adults have
contact with children through
these kinds of programs.242 The
NCPA also covers elder care
and care of the disabled. The
potential workload implications
and the potential numbers of
access requests for and disclosures of criminal history information are staggering.

Juvenile justice reform
Concerns regarding the frequency of juvenile crime, its
periodic violence and recidivism
have combined to generate pressure to open juvenile records to
greater use within both the
criminal justice and the noncriminal justice communities.
Concomitantly, these same
forces have generated pressure
to improve the quality of juvenile history records, including
making the records fingerprint-supported and assuring appropriate disposition reporting. Recent Federal legislation has
focused attention on the privacy
issues associated with juvenile
records by including initiatives
to rework the juvenile justice
information system to make it
look much more like the adult
system. The effort to improve
juvenile history records and to
make juvenile history records
more available is controversial
and adds to the emerging debate

242
Kimberly Dennis, “Report on National Study of Existing Screening
Practices by Child Care Organizations,” in Brady Conference, p. 90,
figure 1.

over privacy and criminal justice.
— A brief history of the
philosophy of the
juvenile justice system
The juvenile justice system was
one of the products of the “Progressive Movement” of the late
19th and early 20th centuries.
“To the Progressives, crime was
the result of external forces, not
of the exercise of an individual’s free will. Their goal was to
reform the offender, not punish
the offense.”243 The Illinois
State Legislature established the
Nation’s first independent juvenile court system in 1899, to be
a system in which “children
were not to be treated as criminals nor dealt with by the process used for criminals.”244 The
Illinois juvenile court, and those
subsequently created in other
States, adopted the British notion of parens patriae (the State
as parent) and the State came to
see its role as stepping in when
parents failed to carry out their
supervisory responsibilities.

243

Robert R. Belair, Privacy and Juvenile Justice Records: A Mid-Decade
Status Report, Criminal Justice Information Policy series, NCJ 161255
(Washington, D.C.: U.S. Department of
Justice, Bureau of Justice Statistics,
1997) p. 6. Hereafter, Privacy and Juvenile Justice Records Status Report.
244

Robert R. Belair, Privacy and Juvenile Justice Records, Criminal Justice
Information Policy series (Washington,
D.C.: U.S. Department of Justice, Bureau of Justice Statistics, 1982) p. 12
(quoting Eldefonzo, Law Enforcement
and the Youthful Offender, 3rd ed. (New
York: John Wiley & Sons, 1978) p.
147).

The U.S. Supreme Court, in a
1967 decision, characterized the
juvenile justice system this way:
“The early conception of the
Juvenile Court proceeding was
one in which a fatherly judge
touches the heart and conscience of the erring youth by
talking over his problems, by
paternal advice and admonition
and in which in extreme situations, benevolent and wise institutions of the State provided
guidance and help, to save him
from a downward career.”245
The child was seen as impressionable and malleable, not truly
responsible for his or her actions, and should not be saddled
with responsibility for his or her
actions in the same manner, and
with the lifelong impact, as
adult offenders.
The juvenile justice recordkeeping system was also designed with the protection of the
child in mind. A law review
commentary in 1909 stressed
that the importance of confidentiality for juvenile records
was to “get away from the notion that the child is to be dealt
with as a criminal; to save it
from the brand of criminality,
the brand that sticks to it for
life; to take it in hand and instead of first stigmatizing and
then reforming it, to protect it
from the stigma — this is the
work which is now being accomplished (by the juvenile
court).”246

245
In re Gault, 387 U.S. 1, 25-26
(1967).
246
Mack, “The Juvenile Court,” 23
Harvard Law Review 104, 109 (1909).


During the 1950s and 1960s this
view of the juvenile justice system came into question, with the
Supreme Court noting in 1966
that “While there can be no
doubt of the original laudable
purpose of juvenile courts,
studies and critiques in recent
years raise serious questions as
to whether actual performance
measures well enough against
the theoretical purpose to make
tolerable the immunity of the
process from the reach of constitutional guarantees applicable
to adults.”247 The Court answered its own question in the
negative, extending to juveniles
much the same right to adversarial-style due process as
adults.248
The following year the Court
went further, rejecting parens
patriae and extending to juveniles the four basic elements of
due process: the right to notice,
the right to counsel, the right to
cross-examine witnesses, and
the right against self-incrimination.249 In that same
case, In re Gault, the Court
questioned the confidentiality of
juvenile records, noting “the
summary procedures of Juvenile
Courts are sometimes defended
by a statement that it is the
law’s policy ‘to hide youthful
errors from the full gaze of the
public and bury them in the
graveyard of the forgotten past.’
This claim of secrecy, however,
is more rhetoric than reality.”250
247
Kent v. United States, 383 U.S.
541, 555 (1966).
248

Ibid.

249

In re Gault, 387 U.S. 1 (1967).

250

Ibid., at 24.


Although the Supreme Court’s
extension of “adult” rights to
juveniles broke down one of the
walls around the juvenile justice
system, increased juvenile crime
(and increased media attention
to juvenile crime) created additional pressures for changes in
the juvenile justice system.
Public attitudes toward youthful
offenders hardened over the
years, with ever-decreasing tolerance for youthful offenders,
particularly violent offenders.
While the public might agree
that shoplifting was a “youthful
error,” youth gangs, and random
violence by juveniles are unlikely to be included in that
category.
A vigorous debate began as to
the extent to which the juvenile
recordkeeping system should be
integrated with that of the adult
system by either unifying the
records or at least linking the
adult and juvenile records.251
Those arguing for the maintenance of separate record systems believe the juvenile system
should continue to adhere to its
Progressive traditions with respect to juvenile justice records.
As one commentator observed:
“The juvenile justice system
should open its records to the
criminal justice system and the
public only if it is in the best
interest of the child, and I have
serious doubts that it ever would
be.”252
251
See generally, Juvenile and Adult
Records, supra note 128.
252
Howard N. Snyder, “Thoughts on
the Development of and Access to an
Automated Juvenile History System,”
in Juvenile and Adult Records, supra
note 128, p. 56.

The statistical growth of violent
juvenile crime during the late
1980s and early 1990s, and the
media attention accompanying
it, created a powerful counterargument for many. As Reggie
B. Walton, formerly the presiding judge of the criminal division of the District of Columbia
Superior Court put it: “To the
crime victim, and society as a
whole, it matters not whether
the offender is 16 or 17, or has
just turned 18. What is important is that a crime has been
committed, an injury has been
sustained, and protection against
further acts by the perpetrator
are taken if and when the offender is apprehended …
greater utilization of juvenile
records is warranted, so long as
measures have been taken to
guard against abuses.”253
Although the solution to the
problem is debatable, Judge
Walton’s assessment of public
opinion and the public’s fear of
crime, particularly juvenile
crime, appears right on the
mark. Anecdotal evidence of
youth violence is plentiful, including a recent string of school
shootings by juveniles. This
253
Reggie B. Walton, “Utilization of
Juvenile Records in Adult Proceedings,
A Judge’s Perspective,” in Juvenile and
Adult Records, supra note 128, p. 43.
Others, such as the National Council of
Juvenile and Family Court Judges, have
argued that the confidentiality surrounding juvenile justice proceedings
should be “reexamined and relaxed to
promote public confidence” in juvenile
courts. See, Hon. Gordon A. Martin Jr.,
“Open the Doors: A Judicial Call to
End Confidentiality in Delinquency
Proceedings,” 21 New England Journal
on Criminal and Civil Confinement
(Summer 1995) 393, 410.


series of school shootings is a
tragic, well-publicized manifestation of juvenile crime,
which rose significantly during
the late 1980s and early 1990s
before beginning to decline.
Despite a series of high-profile
juvenile crimes, including the
high school shootings, the “substantial growth in juvenile violent crime arrests that began in
the late 1980s peaked in
1994.”254 In 1998, for the fourth
year in a row, the total number
of juvenile arrests for Violent
Crime Index offenses — murder, forcible rape, robbery, and
aggravated assault — declined.255 Even with these declines, however, the number of
juvenile Violent Crime Index
arrests remained higher than the
1988 level.256
— Recent legal trends
State legislatures took note of
media and public concerns. Beginning in the late 1970s, they
have instituted a number of reforms that have radically impacted the functioning of the
traditional juvenile justice system, including revising the circumstances under which
254

Howard N. Snyder, Juvenile Arrests 1997, Juvenile Justice Bulletin
series, NCJ 173938 (Washington, D.C.:
U.S. Department of Justice, Office of
Juvenile Justice and Delinquency Prevention, December 1998) p. 1. Hereafter, Juvenile Arrests 1997.
255
Crime in the United States, 1998
Uniform Crime Reports (Washington,
D.C.: U.S. Department of Justice, Federal Bureau of Investigation, 1999) p.
209.
256

Juvenile Arrests 1997, supra note
254, p. 1.

juveniles can be transferred for
trial in the adult system, increased centralization of juvenile records, increased
availability of juvenile records
outside the juvenile system, increased fingerprinting, and,
most recently, DNA testing of
juveniles.
First, the States have made it
easier to transfer juveniles from
the juvenile system to the adult
system by establishing a system
of discretionary and mandatory
circumstances under which
youth are transferred from the
juvenile system to the adult
system to be “tried as adults.” A
1995 GAO report found that
since 1978, 44 States and the
District of Columbia had
amended their statutes addressing the circumstances under
which juveniles could be tried in
criminal court. The GAO found
that in 24 States, these changes
have increased the population of
juveniles subject to transfer to
adult courts (primarily by decreasing the age at which juveniles may be transferred or by
increasing the number and types
of offenses subject to transfer);
in three States, these changes
have decreased the population
of juveniles subject to transfer;
and in 17 States, changes in the
law have neither increased nor
decreased the population subject
to transfer.257 The criminal history records relating to an offense for which a juvenile is
charged as an adult typically are
maintained in the adult CHRI
system and treated the same as
257

Privacy and Juvenile Justice Records Status Report, supra note 243,
pp. 8-9.

other adult records, a largely
uncontroversial practice.
Second, juvenile justice records
are being maintained on an increasingly centralized basis.
Juvenile justice records were
traditionally maintained on a
dispersed and local basis; however, the centralization trend
that reshaped the maintenance
of adult records in the 1960s
and 1970s has had an increasing
impact on juvenile records as
well. In 1988, only 13 of the 50
State repositories for adult records maintained juvenile record information. By 1995, 27
States had expressly authorized
a central repository for the collection and maintenance of juvenile criminal history
information, either by the adult
repository or a special juvenile
repository.258 In addition, in
1992, the Attorney General
authorized the FBI to begin accepting State-reported data concerning serious juvenile
offenses.259 The FBI decided to
disseminate this juvenile information under the same standards applicable to adult
records.260
A third trend in recent years is
the increasing availability of
juvenile justice record information outside of the juvenile system. In contrast to the situation
in the early 1980s, by the end of
1995 juvenile justice information is almost fully available to
adult courts for sentencing and
258

Ibid., p. 23.

259

Use and Management of CHRI,
supra note 22, p. 23.
260

Ibid.


most other purposes.261 “In
roughly one-half the States,
prosecutors have a statutory
right of access to juvenile record
information and a BJS survey
indicates that prosecutors, in
most States, have little difficulty
in obtaining access.”262 There
are also signs that juvenile records are becoming available
outside the justice system. According to a 1996 Navy survey,
three States release the juvenile
records of applicants for enlistment to the military.263 Access
to these records is of interest to
the military because “juvenile
crime records are likely to be a
major source of criminal history
information for the population
targeted by military recruiters
— men and women generally 17
to 21 years old.”264

A fourth trend in the juvenile
system that has privacy implications is increased fingerprinting, photographing, and
obtaining DNA samples from
juveniles. Traditionally, photographs and fingerprinting were
undertaken only for the most
serious of offenses likely to go
before a juvenile judge; however, by 1995, 40 States had
expressly authorized police to
take fingerprints when arresting
a juvenile.265 Twenty-two States
limited the fingerprinting to offenses that would have been a
felony if committed by an adult,
five States authorized fingerprinting for offenses that would
be either felonies or misdemeanors if committed by an
adult, and 13 States made no
reference to the type of offense.266 With the advent of
DNA testing in the late 1980s,
State legislatures have rushed to
add new statutes authorizing the
collection of DNA samples of
juveniles, with at least 25 having done so by mid-1998.267

261
Privacy and Juvenile Justice Records Status Report, supra note 243, p.
28.
262
Ibid.
263
Military Recruiting Report, supra
note 221, p. 12. 18 U.S.C. § 5038 limits
the disclosure of Federal juvenile records to judicial inquiries, law enforcement needs, juvenile treatment
requirements, positions raising national
security concerns, and certain victim
inquiries. Ibid.
264
Ibid.
265
Privacy and Juvenile Justice Records Status Report, supra note 243, p.
28.
266
Ibid.


267

See, for example, ALA. CODE § 1215-102 (Michie Supp. 1997); ALASKA
STAT. § 44.41.035 (Michie 1996);
ARIZ. REV. STAT. ANN. § 13-4438
(West Supp. 1997); ARK. CODE ANN. §
12-12-1109 (Michie Supp. 1997); CAL.
PENAL CODE § 290.2 (West Supp.
1998); FLA. STAT. ANN. § 943.325
(West 1996 & Supp. 1998); IDAHO
CODE § 19-5506 (Michie 1997); KAN.
STAT. ANN. § 21-2511 (Supp. 1997);
LA. REV. STAT. ANN. § 15:601 (West
Supp. 1998); ME. REV. STAT. ANN. tit.
25, § 1573 (West Supp. 1997); MICH.
COMP. LAWS ANN. § 28.173 (West
Supp. 1998); MONT. CODE ANN. § 44-6-103 (1997); N.H. REV. STAT. ANN. §
632-A:21 (Michie Supp. 1997); N.J.
STAT. ANN. § 53:1-20.20 (West Supp.
1998); N.M. STAT. ANN. § 29-16-3
(Michie 1997); OHIO REV. CODE ANN.
§ 2151.315 (West Supp. 1998); OR.
REV. STAT. § 181.085 (1997); 35 PA.
STAT. ANN. § 7651.306 (Purdon Supp.
1998); S.C. CODE ANN. § 23-3-620
(West Supp. 1997); TEX. GOV’T CODE
§ 411.150 (Vernon’s Supp. 1998);
UTAH CODE ANN. § 53-5-212.1 (1998);
VA. CODE ANN. § 16.1-299.1 (1998);
WASH. REV. CODE § 43.43.754 (West
Supp. 1998); and WIS. STAT. ANN. §
165.76 (West 1997).

These statutes typically, but not
always, limit the collection of
DNA samples to juveniles who
have committed specified offenses, typically sexual offenses, violent crimes, and other
felonies.268
All of these recent trends have
seriously eroded the Progressive
Model for the juvenile justice
system. The turn of the century
system, which still has substantial support, envisioned its role
as a firm hand that could provide an errant child with rehabilitation and a fresh start, with
sealed records being one means
of meeting that goal.269 Other
268
See, for example, MONT. CODE
ANN. § 44-6-103 (1997) (applies to
youth found to have “committed a sexual or violent offense”); 35 PA. STAT.
ANN. § 7651.306 (Purdon Supp. 1998)
(applies to a “person who is convicted
or adjudicated delinquent for a felony
sex offense or other specified offense”); ALASKA STAT. § 44.41.035
(Michie 1998) (applies to minors age
16 and above, “adjudicated as a delinquent for an act that would be a crime
against a person if committed by an
adult”).
269

There are a number of initiatives
around the country, such as Juvenile
Drug Courts, that attempt to rehabilitate
youthful offenders, under the watchful
eye of a judge, through innovative,
integrated social service programs for
the offender and his or her family. See,
for example, Robin J. Kimbrough,
“Treating Juvenile Substance Abuse:
The Promise of Juvenile Drug Courts,”
Juvenile Justice Vol. V, No. 2 (Washington, D.C.: U.S. Department of Justice, Office of Juvenile Justice and
Delinquency Prevention, December
1998) pp. 11-19. Such programs may
trigger additional privacy protections
depending on the entities involved and
the subject matter. Certain substance
abuse treatment records are subject to


Federal confidentiality protections. See,
42 C.F.R. Part 2. In addition, if educational institutions are involved, privacy
protections in the Family Educational
Rights and Privacy Act of 1974, Pub L.
No. 93-380 (codified at 20 U.S.C. §
1232g), requires educational institutions to grant students or parents access
to student records and establishes limits
on disclosure to third parties.

societal concerns have weighed
against that model and in favor
of treating juveniles convicted
of violent crimes the same as, or
more like, adults. First and
foremost was the rise in juvenile
crime (now somewhat mitigated), particularly violent
crimes. These crimes make it
difficult for the public to accept
the notion that the perpetrator
should get a fresh start rather
than life imprisonment.
Some have argued that the majority of those juveniles in the
juvenile system desist from future criminal acts (or what
would be criminal acts if committed by adults), and that perhaps the test for access to the
juvenile’s records by the adult
system and the public should be
whether the juvenile offender
comes within the purview of the
adult system within a certain
number of years of having
reached the age of majority.270
Others have raised concerns that
it is unfair to a first-time adult
offender with no juvenile record
to be treated the same way as an
adult who had a juvenile record,
which is kept from the court so
that offender could get a “fresh
start.”
270

Mark H. Moore, “The Public Policy Considerations of A Merged Record,” in Juvenile and Adult Records,
supra note 128, p. 48.

Although the trend in recent
years has been toward greater
access to juvenile records, the
debate is ongoing and the central policy questions surrounding the juvenile recordkeeping
system remain largely unresolved. Final resolution of these
and other policy questions is
likely to be influenced by juvenile crime statistics and the
public’s reaction to the crimes
those statistics represent, as well
as the success of rehabilitation
efforts directed at youthful offenders.

Criminal intelligence
information systems
Innovations in the development
and operation of criminal intelligence systems are another
change driver encouraging a
reexamination of privacy protections for criminal justice information.
The terms “criminal investigative information” and “criminal
intelligence information” are
often used interchangeably.
They relate, however, to two
distinct, although related, concepts.271 Criminal investigative
information is defined to mean
“information on identifiable
individuals compiled in the
course of an investigation of
specific criminal acts.”272
Criminal intelligence information, in contrast, is defined as
“information on identifiable
individuals compiled in an effort to anticipate, prevent, or
monitor possible criminal activity.”273 Criminal intelligence and
investigative systems may
gather the same types of information about individuals; the
principal difference is the purpose for which information is
gathered.274 Criminal intelligence information-gathering
efforts are frequently the more
controversial, as they involve
collection of information not
about a person’s connection
with an actual crime, but rather
a person’s possible connection
to criminal activities.
Both the importance and sensitivity of this information have
long been recognized. Criminal
intelligence information, for
example, is an essential tool in
controlling organized crime activity, as well as gang activity,
drug trafficking, and terrorism.
At the same time, the privacy
sensitivity of criminal intelligence information and its potential impact on freedom of
association rights has been recognized. The growth of criminal
intelligence-gathering efforts
slowed during the 1970s following a series of congressional
271
Intelligence and Investigative Records, supra note 26, p. 9.

272
Technical Report No. 13, 3rd ed.,
supra note 8, Standard 2.1(d).

273
Ibid. at Standard 2.1(e). Federal
regulations define “criminal intelligence information” to mean “data
which has been evaluated to determine
that it: (i) Is relevant to the identification of and the criminal activity engaged in by an individual who or
organization which is reasonably suspected of involvement in criminal activity, and (ii) Meets criminal
intelligence system submission criteria.” 28 C.F.R. § 23.3(b)(3).

274
Intelligence and Investigative Records, supra note 26, p. 10.

Report of the National Task Force on Privacy, Technology and Criminal Justice Information

Page 69

hearings chaired by then-U.S.
Senator Frank Church (D-ID).
These hearings exposed a number of criminal intelligence
system abuses that occurred
during the civil unrest of the
1960s and early 1970s, as well
as during the Watergate period.
In 1975, LEAA issued regulations governing the gathering of
criminal intelligence information that covered any criminal
intelligence system receiving
funding through the Omnibus
Crime Control and Safe Streets
Act of 1968.275 The LEAA
criminal intelligence regulations
require that information be
“relevant” and that the individual or organization in question
be “reasonably suspected of involvement in criminal activity.”276 Since this congressional
and regulatory activity, a number of salient developments
have occurred with important
privacy implications:
1. First, criminal intelligence
and investigative information systems have become
automated. Traditionally,
criminal intelligence and
investigative information
systems consisted of little
more than notebooks and
other manual files. In the
past 25 years, however, the
automation of this information has expanded at a rapid
rate, so that today, virtually
all large and important
criminal intelligence systems are automated. This, in

275

See, 28 C.F.R. Part 20.

276

28 C.F.R. § 23.3(b)(3)(i).

Page 70

turn, has encouraged the
establishment of more
criminal intelligence systems, with more data, about
more people.
2. Second, criminal intelligence systems have become
far more textured and robust. Today there are a
multitude of data sources,
allowing intelligence files to
be compiled and supplemented using personal information obtained from
other criminal intelligence
information systems, newspapers, commercial vendors, and other information
sources. This information
may include financial data,
medical information, family
data, and other very sensitive types of information.

“horizontal sharing” between States and between
local law enforcement organizations.
The Task Force recognizes that
the analysis and structuring of
privacy policies for criminal
intelligence data is complex and
raises issues that are substantially different than the privacy
issues raised by changes in
CHRI and other criminal justice
information systems. Accordingly, the Task Force recommends that the U.S. DOJ
sponsor an initiative exclusively
dedicated to the examination of
the privacy implications arising
from a new generation of criminal intelligence information
systems.

3. A third important change is
the increased sharing of
criminal intelligence information among jurisdictions.
Traditionally, criminal intelligence information was
maintained locally, with little sharing of information
outside of the host agency.
During the late 1960s, attempts to create regional
criminal intelligence information compacts failed.277
Today, fueled by automation and with increased
Federal funding, this information is increasingly
shared between jurisdictions
and agencies, both in terms
of “vertical sharing” between local police, State
police, and the FBI, and

277
Intelligence and Investigative Records, supra note 26, p. 20.

Report of the National Task Force on Privacy, Technology and Criminal Justice Information

VI. Task Force recommendations
Background
The National Task Force on
Privacy, Technology and
Criminal Justice Information
brought together representatives
from the academic community,
State and Federal government,
law enforcement, the courts,
commercial compilers of criminal justice information, the privacy advocacy community, and
others who have expertise in
criminal justice information and
privacy and who are national
leaders in the debate about
criminal justice information privacy. Task Force members
cover the privacy spectrum from
those favoring high levels of
privacy protection for criminal
justice information to those favoring high levels of public use
and disclosure.
As this report indicates, the
Task Force has identified a series of “change drivers” that are
profoundly changing the traditional balance between criminal
justice information access and
privacy. Without intervention
by policymakers, those change
drivers inevitably will create an
environment favoring enhanced
public access and use, with no
assurance that the resulting balance between access and privacy will be satisfactory.
Although constituted to examine
“privacy, technology, and
criminal justice information,”
the Task Force made an early
determination to focus its time
and resources on the complex
issues associated with access to
CHRI. Accordingly, the Task
Force report does not address, in
any depth, the broad range of
other issues arising from the
increasing demand for public
access to other types of criminal
justice information, such as intelligence and investigative
data, and the accompanying privacy risks associated with
making that data more widely
available.
Task Force recommendations
comprise a range of proposals
for handling CHRI. Recommendation I reflects the Task
Force’s conclusion that change
drivers are creating a pattern of
essentially making ad hoc policy at the local, State, and national level. The Task Force
believes there is a need, at least
in the short term, for an institutionalized entity responsible for
making considered public policy
recommendations with respect
to all issues associated with the
increasing demand for criminal
justice information and the privacy risks associated with that
demand.
Recommendations and commentary
The National Task Force on
Privacy, Technology and
Criminal Justice Information
adopts the following 14 recommendations in three broad areas:
privacy protections, data quality
and security, and data integration and amalgamation.

Action is necessary to ensure appropriate privacy protection

Recommendation I: The
Task Force recommends that
a body be statutorily created
to consider and make policy
recommendations to the Federal and State legislative, executive, and judicial branches
of government as they work
to balance the increasing demand for all forms of criminal justice information and
the privacy risks associated
with the collection and use of
such information. The Task
Force recommends that the
body look at information and
privacy issues arising from
all types of criminal justice
information, including criminal history record information, intelligence and
investigative information,
victim and witness information, indexes and flagging
systems, wanted person information, and civil restraining orders. The Task Force
further recommends that such
a body be comprised of public and private stakeholders;
that the body be limited to an
advisory role; and that it have
neither rulemaking nor adjudicatory authority. Finally,
the Task Force recommends
that the body sunset after not
more than 3 years, unless
statutorily reauthorized.

Commentary:
• The Task Force believes
that without the establishment of a body to study and
provide guidance on criminal justice privacy issues on
an ongoing basis, the
change drivers identified in
chapter V of this report will
result, essentially, in a pattern of ad hoc policymaking
at the local, State, and national level.

• The Task Force believes
that the establishment of a
body dedicated to the detailed examination of issues
relating to the privacy, confidentiality, and security of
criminal justice information
is necessary to build upon
the work of the Task Force
and provide advice and
guidance to local, State, and
Federal agencies, courts,
and policymakers on the
many issues surrounding the
collection, use, maintenance, and dissemination of
criminal justice information.

• The Task Force believes
there is a need, at least in
the short term, for an institutionalized entity responsible for making considered
public policy recommendations with respect to all issues associated with the
increasing demand for
criminal justice information
and the privacy risks associated with that demand. Although the Task Force has
made a number of recommendations, the Task Force
believes that additional, detailed work is necessary,
particularly when the discussion moves from general
principles to more specific
policy issues.

• The body would not have
adjudicatory or rulemaking
authority. The Task Force
envisions an advisory body,
available to consult and advise Federal, State, and local officials, as well as the
public, on criminal justice
privacy issues. The Task
Force believes this approach
respects the nature of our
Federal system, while providing a mechanism to provide guidance at all levels
of government.

• The Task Force believes the
new body should include
representatives of public- and private-sector organizations that create, use, compile, or sell criminal justice
information. Examples of
categories of entities that
the Task Force believes
should be represented in the
new body include: law enforcement, the courts,
prosecutors, corrections,
criminal history repositories, academics, privacy advocates, commercial
compilers, and the media.
Public-sector representation
should include Federal,
State, and local officials, as
appropriate.

• The Task Force believes
that a short-lived body will
be sufficient to guide the
formulation of a new generation of criminal justice
information privacy laws,
regulations, and policies. If
a longer period of time
proves necessary, an extension permitting the body to
continue its work could be
considered.

Recommendation II: The
Task Force recommends the
development of a new generation of criminal justice
information and privacy law
and policy, taking into account public safety, privacy,
and government oversight
interests. This law and policy
should be broad in scope, so
as to address the collection,
maintenance, use, and dissemination of criminal justice
record information by law
enforcement agencies, including State central repositories and the FBI, the courts,
and commercial compilers
and resellers of criminal justice record information.
Commentary:
• When the first criminal
history record privacy principles were developed in the
mid-1970s, they were designed to regulate the actions of a relatively limited
number of entities. Today,
CHRI is collected, maintained, used, and disclosed
by numerous types of entities, including, in particular,
law enforcement agencies
(local police, State central
repositories, and the FBI);
courts; and commercial
compilers and resellers.
Thus, it makes little sense
and achieves little purpose
to fashion privacy and confidentiality policy and law
that applies to only one of
these sectors.

• On the other hand, certainly
there can be differences in
standards for collection,
maintenance, use, and disclosure based upon special
considerations pertaining to
each of these sectors. Notwithstanding these differences, any law or policy
should at least take into account and, where possible,
synthesize or rationalize
standards among the various
sectors that collect, maintain, use, and disclose
CHRI.

• Any standards established
for private actors, such as
the media and commercial
compilers, should carefully
consider the first amendment interests of these entities.

Recommendation III: The
Task Force recommends that
the adequacy of existing legal
remedies for invasions of privacy arising from the use of
criminal history record information should be reexamined by legal scholars,
State legislatures, Congress,
State and Federal agencies,
and the courts.

Commentary: Individuals
who are aggrieved by privacy
violations arising from their arrest and/or conviction information face substantial legal
hurdles if they are to obtain any
type of relief. The outcome of a
judicial privacy challenge pivots
on the nature of the privacy
complaint (was the information
incomplete or inaccurate? old or
otherwise not relevant? subject
to a seal or purge order? used
without the individual’s knowledge or opportunity to respond?); the identity or category
of the defendant (was it a Federal or State law enforcement
agency? a court? the media? a
commercial information broker?); as well as the nature of
the alleged harm (can the individual/plaintiff demonstrate
tangible harm or “merely” intangible harm, such as stigma or
embarrassment?). These factors,
as well as the victim’s legal theory (tort, statutory rights, or
constitutional rights) and the
interplay of these legal theories
with the defendant’s legal and
constitutional rights to obtain,
use, and disseminate CHRI, determine the outcome of most
criminal history privacy claims.
In the new information era
where CHRI — even aged or
purged information — remains
not just available, but easy and
inexpensive to use and disseminate, the question arises whether
traditional judicial remedies
remain meaningful.

Recommendation IV: The
Task Force recommends the
development of a new generation of confidentiality and
disclosure law and policy for
criminal history record information, taking into account the type of criminal
history record information;
the extent to which the database contains other types of
criminal justice information
(victim and witness information, or intelligence or investigative information) and
sensitive personal information (medical or financial information, and so on); the
purpose for the intended use
of the information; and the
onward transfer of the information (the redissemination
of the criminal history information by downstream users).
Commentary:
• In assessing the privacy risk
posed by CHRI, the source
of the information is unlikely to be a compelling
consideration. If the source
is a central repository, for
example, as opposed to a
court, why does this affect
the privacy impact on the
individual?

• On the other hand, the type
of criminal history information seems far more likely
to create a privacy impact.
Arguments can be made, for
example, that:
— Juvenile justice record
information should be
treated differently than
adult CHRI.
— Witness and victim information should be
treated differently.

• Further, arguments can be
made that the purpose of the
intended use should be a
criterion for shaping privacy
policy. Relevant questions
as to use include the following:
— Should the traditional
distinction between
criminal justice uses
and noncriminal justice
uses be retained?
— Should there be any
distinctions among
criminal justice uses?
— Should governmental,
noncriminal justice be
treated differently than
private, noncriminal
justice uses?
— Should national security
use continue to receive
a high priority?
— Is there a meaningful
distinction between licensing uses and employment uses?
— Should the identity (as
opposed to the purpose)
of the prospective user
be a criterion for imposing restrictions?

Recommendation V: The
Task Force recommends that
intelligence and investigative
information also be addressed
by new privacy law and policy, but that this process
should begin with the establishment of a Task Force
dedicated exclusively to a
review of intelligence and
investigative systems, and the
law and privacy issues related
to those systems.

Commentary:
• Task Force members agree
that intelligence and investigative information systems
are growing in number and
size. Moreover, these systems sometimes contain
CHRI and other types of
sensitive personal information.278 The ubiquity and
importance of these systems
appear to be having an impact upon the information
culture, and appear to pose
privacy risks.

• Task Force members also
agree that intelligence and
investigative information
should be addressed as part
of any new generation of
privacy policy. The Task
Force recommends, however, that prior to crafting
proposed law or policies for
intelligence and investigative information and information systems, a separate
Task Force or initiative examine both the privacy risks
and the important public
safety interests relating to
these systems. The sources,
requirements for confirmation (accuracy) of data, retention, dissemination,
purpose, and usage policies
for criminal intelligence and
investigative data are different than those policies as
they relate to CHRI and
should be separately examined by a Task Force with
greater representation from
the intelligence and investigative community than was
present on this Task
Force.279

278 The RISS.NET (Regional Information Sharing Systems) and its compatible components — Western States
Information Network’s (WSIN) Statewide Integrated Narcotic System
(SINS), the California Bureau of Investigation’s Automated Criminal Intelligence File (ACII), and the
Southwest Border States — are among
the most important criminal intelligence systems. Both the SINS and
ACII have developed integrated data
submission capabilities between investigations and criminal intelligence.
Each operates under file guidelines
(CFR 28, part 23 governs Federal systems, and the ACII follows the California Attorney General’s Criminal
Intelligence File Guidelines).

279 It bears emphasis that criminal intelligence and investigative systems,
while both different than criminal history systems, are also very different
from each other:
Criminal Intelligence Information vs. Investigative Information
• Proactive vs. Reactive
• Prevention vs. Identification
• Not intended for court vs. Intended for court
• “Soft” information vs. “Hard” information
• Not necessarily crime-related vs. Must be crime-related
Organizations that have extensive experience in these arenas, and which would
need to be represented in any review of
the privacy implications of intelligence
and investigative systems, include: the
RISS, the Law Enforcement Intelligence Unit (L.E.I.U.), and the Board of
Directors for the Association of State
Criminal Investigative Agencies
(ACIA).

Data quality and security are important

Recommendation VI: The
Task Force recommends that
legislators and criminal history record information system managers develop,
implement, and use the best
available technologies to
promote data quality and data
security.

Commentary: Data security
and data quality are fundamental fair information practices.
The Task Force believes that it
is vital that the system managers
in the criminal history information community continue to
promote the quality and security
of data through the use of new
technology.

Recommendation VII:
The Task Force recommends
that criminal history record
information, whether held by
the courts, by law enforcement, or by commercial
compilers and resellers,
should, subject to appropriate
safeguards, be supported by
and accessible by fingerprints
to the extent legally permissible and to the extent that
technology, cost, and the
availability of fingerprints to
both database managers and
users make this practicable.

Commentary:
• Use of fingerprints when
conducting record checks is
a means of enhancing data
quality and data accuracy,
by reducing the potential for
identification errors that
may result in a false positive or false negative response to a background
check or other type of inquiry.

• Requesting or requiring fingerprints to compare to existing criminal history
records gives the individual
notice and, if optional, the
opportunity to consent to
the records check. Name-only checks, by contrast,
can be conducted without
the individual’s knowledge
or consent. On the other
hand, several Task Force
members noted that obtaining fingerprints is more intrusive than a name-only
check.

• Changes in technology
(livescan and IAFIS) may
soon make fingerprinting
just as quick, convenient,
and inexpensive as “name-only” checks.

• Relying on “name-only”
checks inevitably means
that requesters must collect
and use more demographics,
such as Social Security
numbers. This carries its
own privacy risk and provides a further argument in
favor of fingerprinting.

• Mismatched information
(applying the wrong CHRI
to the wrong person) is a
major privacy risk and is associated with name-only
checks. This also provides a
basis for the use of fingerprinting. In some jurisdictions a “name-only” check
is used as an initial screen
and is then followed by a
fingerprint check only if the
name check indicates a potential record match. Although this reduces the
potential for a false positive,
it does not reduce the potential for a false negative.

• The use of aliases creates a
risk that name-only checks
will not retrieve available
criminal histories, thus creating a public safety risk.
This also provides a basis
for fingerprint-based
searches.

• Commercial compilers and
resellers of CHRI and their
customers seldom have access to fingerprints. Future
changes in technology,
however, may make the use
of fingerprints more practical and cost-effective. The
Task Force encourages the
use of fingerprints when
practical.

• The collection and use of
fingerprints should be accompanied by appropriate
safeguards to ensure the accuracy, security, and confidentiality of the fingerprints
collected. In cases where
fingerprints are requested
(such as in the employment
context) rather than required
(such as in the arrest context),
individuals should receive
notice prior to the collection
of fingerprints of the collecting entity’s information
practices, including whether
the fingerprints will be retained or databased for future use.

Recommendation VIII:
The Task Force recommends
that criminal history record
information should be sealed
or expunged (purged) when
the record no longer serves
an important public safety or
other public policy interest. A
sealed record should be unsealed and available for
criminal justice and/or public
use only when the record
subject has engaged in a subsequent offense or when
other compelling public policy considerations substantially outweigh the record
subject’s privacy interests.
During the period that a
criminal history record is
sealed, use and disclosure
should be prohibited.
Commentary:
• At present, laws in 40 States
provide for the purging of
nonconviction information
and in 26 States for the
purging of conviction information. Also at present,
laws in 31 States provide
for the sealing of nonconviction information and in
30 States for the sealing of
conviction information. The
standards for a purge or seal
order vary substantially
among the States, but turn
on the type of offense, the
number of previous offenses, and the establishment of a “clean record”
period. The methods for
obtaining a seal or purge
order also vary substantially
among the States and include statutory or automatic
sealing or purging mechanisms, as well as record
subject-initiated and court-ordered purging and sealing.

• Sealing standards should
apply not only to criminal
history records at the central
State repository, but also to
original records of entry and
to commercially maintained
CHRI.

• Several Task Force members supported the position
that expunging a criminal
history record from all levels of the criminal justice
system should not be done
because it effectively “rewrites history” and creates
the potential for confusion.
They argued that this confusion is exacerbated by the
fact that the media and
commercial compilers of information increasingly retain a record of the
underlying event. Although
it may be advisable from a
privacy standpoint to regulate future disclosures of a
particular record, the record
itself should not be destroyed. The Task Force as
a whole, however, declined
to adopt this position, noting that expungement could
serve important privacy interests and should be available to the courts and
criminal justice agencies,
particularly in the case of
individuals who have been
falsely accused.

• The Task Force recognizes
that while it is inefficient
for all levels of the criminal
justice system to retain all
criminal history records in
perpetuity, records should
be retained permanently by
at least one agency, such as
the FBI at the Federal level
and the State repositories at
the State level, unless expungement has been ordered by a competent court
or authority.

• The Task Force recommendation pertains to the criminal history record of living
persons. The Task Force
does not believe all records
need to be retained or sealed
in perpetuity. There may be
some records, however, that
should be retained beyond
the death of the record subject for academic or government oversight purposes.
In addition, it may be appropriate to unseal some records following the death of
the subject (or some reasonable duration thereafter) for
academic or government
oversight purposes.

Recommendation IX: The
Task Force recommends that
individuals who are the subject of criminal history record
information be told about the
practices, procedures, and
policies for the collection,
maintenance, use, and disclosure of criminal history information about them; be
given a right of access to and
correction of this information, including a right to see a
record of the disclosure of the
information in most circumstances; and enjoy effective
remedies for a violation of
any applicable privacy and
information standards. In addition, the Task Force recommends that States
establish meaningful oversight mechanisms to ensure
that these privacy protections
are properly implemented
and enforced.

Commentary:
• This recommendation promotes transparency in the
collection, use, disclosure,
and retention of CHRI. The
Task Force believes that requiring the publication and
distribution of notice of the
system’s data practices will
promote a continued dialogue and review of privacy
issues and policies.

• Increasingly, notice is a
fundamental part of every
information privacy law and
standard. In addition, providing record subjects with
a right of access is also a
means of improving data
accuracy.

• Although individuals may
not have a choice about being arrested, once the individual is arrested, he or she
has some choice about the
disposition of the charges.
This choice may affect the
type of information that becomes a part of a criminal
history record. For example,
if the individual enters a
drug court or into a particular type of diversion or
probation program, the consequences of that choice include different information
consequences.

• At present, the law in 43
States requires the creation
and maintenance of transaction logs (records describing the use and
disclosure of criminal history records), and requires
that record subjects be given
access to the logs. These
laws provide a significant
privacy benefit. The Task
Force believes that courts
and commercial providers
of CHRI should be required
to maintain these types of
logs, and provide access to
record subjects as well. Access to information contained in these logs may,
however, need to be restricted in certain instances
if disclosure would implicate attorney-client privilege, attorney work product
privilege, or where disclosure would interfere with
ongoing investigations either by law enforcement or
employers.

• In part as a result of pressure from the European
Union, U.S. policymakers
have recently taken a new
look at the availability and
practicality of remedies for
violation of privacy law and
regulations. Most States
provide for both civil remedies and criminal penalties
in the event of a violation of
their criminal history record
statute. It is not clear, however, whether these remedies are practicable or
convenient for record subjects. Furthermore, there is
reason to believe that these
remedies are seldom invoked. Finally, these remedies do not apply to courts
or commercial compilers
and resellers.

• The Task Force noted, however, that a number of laws
provide at least some of the
types of protections called
for by this recommendation.
The Fair Credit Reporting
Act, for example, provides
individuals with rights regarding the use of CHRI in
the employment context.

Recommendation X: The
Task Force recommends that
where public safety considerations so require, the record
of a juvenile offender who
commits an offense which, if
committed by an adult, would
be a felony or a violent misdemeanor, be treated in the
same manner that similar
adult records are treated.
Even if a State opts to retain
stronger privacy and confidentiality rules for these
types of juvenile records,
these records should be fingerprint-supported and
should be capable of being
captured in an automated,
national system.

Commentary:
• Juvenile justice record policy is currently the subject
of debate in the Congress
and many State legislatures.
Legislation currently before
Congress would grant
greater access to juvenile
justice information arising
from offenses that would be
considered a felony, or in
some bills a violent felony,
if committed by an adult.
These bills would create incentives for States to disseminate information on
juvenile violent felonies on
the same basis as records
relating to adult felonies. In
most instances, however,
the legislation would restrict
access to information about
juvenile offenses to the
courts, law enforcement
agencies, and schools.

• The Task Force recognizes
that State law and State
practice with respect to the
administration of juvenile
justice systems and recordkeeping varies substantially.
Implementing this recommendation will likely require greater cooperation
and coordination among the
States to ensure that the
type and quality of data
collected are similar across
the States.

• The Task Force discussed
the question of whether
there should be a minimum
age requirement incorporated into this recommendation. Although most Task
Force members agreed that
age is a relevant factor, a
consensus age was not
reached. Broadly speaking,
Task Force members were
more comfortable applying
the recommendation to
older juveniles than to
younger juveniles. Several
Task Force members suggested 14, although others
found that age to be too
low. Another Task Force
member observed that focusing on the age of the offender, rather than the crime
committed, is a flawed approach, citing cases, particularly in the narcotics
trafficking context, where
adults and older juveniles
use young children to commit crimes, knowing that
the child will face only limited repercussions.

• Even if States opt to retain a
juvenile justice record information policy that provides more confidentiality
and privacy protections than
is provided for adult records, States should: require
fingerprinting so as to be
able to reliably identify the
juvenile; and require that
these records be captured in
a manner that at least creates the capability to share
these records on a national
basis.

• The Task Force believes
that in certain circumstances, juveniles deserve a
“second chance,” and,
therefore, these juvenile records warrant greater privacy protection than adult
records. On the other hand,
the Task Force also believes
that juvenile adjudications
for serious offenses should
be available for public
safety purposes on the same
basis as adult adjudications.
Public safety purposes include law enforcement uses,
court uses, uses by the
military, uses for background checks for security
clearances, screening firearms purchasers, and uses
for background checks for
sensitive public and private
employment positions.

Data integration and amalgamation issues are important

Recommendation XI: The
Task Force recommends that
criminal justice record information law and policy should
restrict the combining of different types of criminal justice record information into
databases accessible to noncriminal justice users and
should restrict the amalgamation of criminal justice
record information in databases with other types of personal information, except
where necessary to satisfy
public policy objectives.

Commentary:
•

As a matter of law and custom, CHRI has been limited
to subject identification information; a history of arrests and dispositions; and,
occasionally, other types of
information, such as juvenile record information,
special felony conviction
flags, or pretrial release information.

•

The law in over a dozen
States restricts CHRI from
being integrated or combined with intelligence and
investigative information.
Even more States have
adopted law or standards
that prohibit combining
CHRI with juvenile record
information.

•

In recent years, a number of
studies and reports have
called for expanding criminal history records to include information about
victims, witnesses, and certain other third parties.
Amalgamation, therefore,
potentially implicates the
privacy and safety interests
of those other than offenders and arrestees.

•

There are instances when
the amalgamation of various
types of criminal justice information or the amalgamation of criminal justice
information with other personally identifiable information may be necessary to
further public policy goals,
such as public safety. The
Task Force notes that public
policy need not be expressed in terms of legislation, but may also result
from judicial decisions or
executive branch policies.
•

This recommendation
would restrict the creation
of profiling databases that
would combine CHRI with
other types of personal information. This is a forward-looking
recommendation, as the
Task Force is unaware of
the existence of any such
database at present. What is
customary, and would remain unchanged by this
recommendation, is the
ability of commercial compilers and investigators to
gather both CHRI and other
types of personal information from disparate sources
as part of an investigation,
consumer report, background check, or similar inquiry.

Recommendation XII:
The Task Force recommends
that where public policy considerations require amalgamation of information,
systems be designed to recognize and administer differing standards (including
dissemination policies and
standards) based upon differing levels of data sensitivity, and allow the flexibility
necessary to revise those
standards to reflect future
changes in public policy.

Commentary:
•

Advances in information,
identification, and communications technologies and
related software pose challenges to existing criminal
justice record privacy and
information law and policy.
At the same time, advances
in these technologies create
opportunities to use these
technologies to improve the
accuracy of criminal justice
record information; improve
the security of this information; and improve the ability
of criminal record managers
to distinguish among varying types of criminal justice
information and manage
this information with different policies for retention,
use, and disclosure.

•

The Task Force gave strong
emphasis to the role that information, identification,
and communications technologies play as a change
driver and as a threat to traditional privacy protections.

•

These technologies, however, can also be used to
enhance and protect privacy. New technologies, including, in particular, new
software technologies, are
both robust and nimble and
make it far easier, cheaper,
and faster to apply different
disclosure and other information policies to different
types of criminal justice record information and other
personal information, even
when the information is
maintained in the same database or system. These
technologies make it much
easier than it once was, for
example, to distinguish
between conviction and
nonconviction data or to
combine juvenile justice information with adult criminal justice information,
while retaining the ability to
provide enhanced confidentiality protections for juvenile justice information.

Recommendation XIII:
The Task Force recommends
that the integration of criminal justice information systems should be encouraged in
recognition of the value of
integrated systems in improving the utility, effectiveness, and cost efficiency of
information systems. Prior to
establishing integrated systems, however, privacy implications should be
examined, and legal and policy protections in place, to
ensure that future public- and
private-sector uses of these
information systems remain
consistent with the purposes
for which they were originally created. In addition,
once an integrated system is
created, any future uses or
expansions of that system
should be evaluated to assess
the privacy implications.

Commentary:

•

Privacy risks that arise from
integration should be managed and minimized.

•

Integration can serve a variety of socially beneficial
purposes. Integration, for
example, can help move accused offenders more
quickly, efficiently, and
cost-effectively through the
criminal justice system,
thereby reducing the
amount of time the accused
spends in jail awaiting trial
and the amount of time victims must wait to have their
day in court.

•

Some types of integration
— such as integrating
criminal history record systems with intelligence and
investigative systems, or
with systems that contain
medical, financial, or other
very sensitive personal information — are especially
privacy-sensitive and should
be subject to appropriately
strong privacy protections.

Recommendation XIV:
The Task Force recommends
that new criminal justice privacy law and policy should
continue to give weight to the
distinction between conviction information and nonconviction information. The Task
Force recognizes, however,
that there are certain instances in which disclosure of
nonconviction information
may be appropriate.

Commentary:

•

The distinction between
conviction information and
nonconviction information
(“nonconviction information” is customarily defined
to mean “an arrest which is
over 1 year old without a
disposition, as well as acquittals and other dispositions which do not involve a
conviction”)280 has long been
a cornerstone of criminal
history record privacy policy. Conviction information
is not only available to the
criminal justice system, but
is widely available to governmental, noncriminal justice agencies and to many
types of employers and
other noncriminal justice
users. Nonconviction information, even in the late
1990s, remains largely unavailable to the general
public (at least from State
central repositories) and
only partly available to private-sector employers and
other users.

•

Valid arguments exist for
States to treat nonconviction
information with more confidentiality and privacy
protections than conviction
information, given that nonconviction information carries a presumption of
innocence; that its dissemination frustrates efforts to
reintegrate arrestees into society; and that dissemination of nonconviction
information exacerbates the
disproportionate impact that
CHRI oftentimes has upon
minorities.

280 See glossary of criminal justice information terms included as Appendix 2.

•

The fact that a State repository may not have a
disposition within 1 year of
arrest, which is the traditional standard, should not
necessarily preclude the repository from disclosing
any information. In such
circumstances, the State repository should be able to
point a requestor to the
court in question so the requestor can inquire as to the
disposition status. In responding to some inquiries,
such as those made pursuant
to the National Child Protection Act, the State is affirmatively required to track
down dispositions.

•

Examples of appropriate
disclosure of nonconviction
information most frequently
cited by Task Force members involved sex offenses
against young children and
rape arrests where the victim failed to testify. Several
Task Force members
pointed out that parents
would want to know that a
prospective child-care
worker had been arrested
for child molestation, even
if this individual was never
convicted.

•

Some Task Force members
also noted that arrest information, regardless of disposition, is of historical and
social interest and is a valuable government oversight
tool. It was observed, for
example, that information
concerning the arrest of Dr.
Martin Luther King, Jr., for
loitering and an array of
other offenses during the
civil rights movement of the
1960s is a valuable record
illustrating improper government action. Information
concerning false arrests resulting not from malice, but
from error or negligence
also serves a valuable oversight function.

VII. Conclusion
This report and the Privacy Task
Force’s other efforts come at a
critical juncture. Fundamental
reassessments and changes regarding the rules for the handling of personal information
are under way not only in the
criminal justice information
community, but also in many
other information sectors, including medical information,
financial information, the online
collection of information, and
public record information of
various types.
Many of the same change drivers identified in this report (such
as the Information Culture, new
technology, new Business Models, and so on) have also impacted other information sectors
and have fueled the reassessments and changes under way.
There are differences, however,
between the criminal justice
sector and other sectors where
reassessments are under way.
These differences could have an
impact on how change in the
criminal justice information
sector proceeds. First, as the
public opinion survey data in
the companion report indicate,
the criminal justice system may
benefit from a higher overall
level of public trust than other
sectors that use personal information. Second, the public
safety value associated with access to, and disclosure of,
criminal justice information is
more frequently seen to outweigh other interests, including
personal privacy, than is the
case in other information sectors.
These differences between the
collection and use of criminal
justice information and other
types of personal information do
not mean that changes in the
safeguards afforded to criminal
justice information are unnecessary or that changes will not
take place. These differences
suggest, however, that any
eventual changes will likely require a delicate and difficult-to-achieve balance to preserve the
robust use of criminal justice
information for socially beneficial purposes while finding
ways to protect personal privacy.
The recommendations of the
Task Force are a first step —
but only a first step — in the
development of a new generation of criminal justice information law and policy that
achieves an important, nuanced
balance between the use of
criminal justice information and
the privacy interests of those to
whom the information pertains.

Appendix 1:
Task Force participants

Chair

Robert R. Belair
Mullenholz, Brimsek & Belair; SEARCH General Counsel

Members

Kathy T. Albert
Global Network Coordinator, Global Justice Information Network,
U.S. Department of Justice
Dr. Ann Cavoukian
Commissioner, Office of Information and Privacy Commissioner, Ontario, Canada
Hon. Thomas M. Cecil
Judge, Sacramento Superior Court, California
Col. Timothy J. DaRosa
Deputy Director, Division of Administration, Illinois State Police
James X. Dempsey
Senior Staff Counsel, Center for Democracy and Technology
Dr. David H. Flaherty
Principal Officer, David H. Flaherty Inc., Privacy and Information Consultants
Dr. Charles M. Friel
Professor, College of Criminal Justice, Sam Houston State University, Texas
David Gavin
Assistant Chief of Administration, Crime Records Service,
Texas Department of Public Safety
Roger W. Ham
Chief Information Officer, Los Angeles Police Department, California
Ronald P. Hawley
Assistant Director, Division of Criminal Information,
North Carolina State Bureau of Investigation*
Hon. Catherine D. “Kitty” Kimball
Associate Justice, Supreme Court of Louisiana
Prof. Jane E. Kirtley
Silha Professor of Media Law and Ethics, School of Journalism and Mass
Communications, University of Minnesota
Linda Lightfoot
Executive Editor, The Advocate
Anthony S. Lowe
Senior Legislative Counsel, Subcommittee on Antitrust, Business Rights, and
Competition, U.S. Senate Judiciary Committee
Dr. Barry Mahoney
President, Justice Management Institute
Prof. Kent Markus
Visiting Professor, Capital University Law School, Ohio
Hon. Gordon A. Martin, Jr.
Associate Justice, District Court Department, Massachusetts Trial Court
Thomas R. McMahon
General Counsel, Illinois Department of Human Services
Iris Morgan
Senior Management Analyst II, Criminal Justice Information Services, Florida
Department of Law Enforcement
Deirdre Mulligan
Staff Counsel, Center for Democracy and Technology
Ron Oldroyd
Assistant Juvenile Court Administrator, Utah
Lawrence F. Potts
Director, Administrative Group, Boy Scouts of America
Jack H. Reed
Chairman, I.R.S.C., Inc. and Confidential Business Resources, Inc;
Vice President, DBT Online, Inc.
Jack Scheidegger
Chief Executive Officer, Western Identification Network, Inc.
James F. Shea
Assistant Director of Systems, New York State Division of Criminal Justice Services
Harold M. “Hal” Sklar
Attorney-Advisor, Criminal Justice Information Services Division,
Federal Bureau of Investigation
Prof. George B. Trubow**
Director, Center for Information Technology and Privacy Law,
The John Marshall Law School, Illinois
Donna M. Uzzell
Director, Criminal Justice Information Services, Florida Department of Law Enforcement
William C. Vickrey
Administrative Director of the Courts, Administrative Office of the California Courts
Dr. Alan F. Westin
Professor Emeritus of Public Law and Government, Columbia University, New York
Dr. John Woulds
Director of Operations, Office of the Data Protection Registrar, United Kingdom
Bureau of Justice Statistics, U.S. Department of Justice
Dr. Jan M. Chaiken‡
Director
Carol G. Kaplan
Chief, Criminal History Improvement Programs
General Counsel’s Office, Office of Justice Programs, U.S. Department of Justice
Anne Gardner
Attorney-Advisor
Paul F. Kendall
General Counsel
SEARCH, The National Consortium for Justice Information and Statistics
Sheila J. Barton
Deputy Executive Director
Law and Policy Division
Gary R. Cooper
Executive Director
Eric C. Johnson
Policy Research Analyst
Law and Policy Division
* Mr. Hawley is now Chief Information Officer, North Carolina Office of Information Technology
Services
** Prof. Trubow has since retired
‡ Dr. Chaiken’s tenure as BJS Director ended in January 2001

Participants’ biographies
Robert R. Belair
Robert R. Belair is a partner
with the Washington, D.C., law
firm of Mullenholz, Brimsek &
Belair and is General Counsel to
SEARCH, The National
Consortium for Justice
Information and Statistics. He
also serves as Chief Executive
Officer of Privacy and
Legislative Associates, a legal
and policy consulting firm. The
principal emphasis of Mr.
Belair’s practice is privacy and
information law involving
administrative, legislative, and
litigation activity. His practice
includes counseling in all
aspects of privacy and
information law, including
credit, financial, educational,
criminal, juvenile, medical, and
employment records and
telecommunications;
defamation; intellectual
property, including software
copyright; constitutional law;
and criminal justice
administration.
As General Counsel to
SEARCH, Mr. Belair has
participated in SEARCH’s
privacy and security programs
and has authored many studies
in the area of criminal justice
information law and policy. He
was actively involved in the
development of SEARCH’s
revised standards of criminal
history record information,
Technical Report No. 13:
Standards for the Security and
Privacy of Criminal History
Record Information (Third
Edition).
Mr. Belair has served as
consultant to numerous Federal
agencies and commissions on
information policy and law. He
is former Deputy General
Counsel and Acting Counsel of
the Domestic Council
Committee on the Right of
Privacy, Office of the President.
Mr. Belair is a graduate of
Kalamazoo College (Michigan)
and Columbia University
School of Law.
Dr. Ann Cavoukian
In May 1997, Dr. Ann
Cavoukian was appointed
Information and Privacy
Commissioner, Ontario,
Canada. As Commissioner, Dr.
Cavoukian oversees the
operations of Ontario’s freedom
of information and protection of
privacy laws, which apply to
both provincial and municipal
government organizations. She
serves as an officer of the
legislature, independent of the
government of the day.
Dr. Cavoukian joined the
Information and Privacy
Commission in 1987, during its
start-up phase, as its first
Director of Compliance. She
was appointed Assistant
Commissioner in 1990. Prior to
her work at the Commission,
Dr. Cavoukian headed the
Research Services Branch of the
Ministry of the Attorney
General, where she was
responsible for conducting
research on the administration
of civil and criminal law.
Dr. Cavoukian speaks
extensively on the importance
of privacy around the world.
Her published works include a
book on privacy titled Who
Knows: Safeguarding Your
Privacy in a Networked World
(McGraw-Hill, 1997).
Dr. Cavoukian received her
M.A. and Ph.D. in psychology
from the University of Toronto.
She specialized in criminology
and lectured on psychology and
the criminal justice system.
Hon. Thomas M. Cecil
Judge Thomas M. Cecil has
served on the Sacramento
(California) Superior and
Municipal Courts since March
1989. During his tenure on the
bench, he has presided over
each of the criminal
departments in both the
municipal and superior courts.
For the past 4 years, Judge Cecil
has conducted felony trials, the
vast majority of which involved
murders.
For the 6 years prior to his
appointment to the bench, Judge
Cecil served as Chief Counsel
and Deputy Director of the
California Department of
Consumer Affairs. His
responsibilities included
lobbying the California
Legislature on issues impacting
consumers, press relations,
consumer education, and
overseeing the legal staff of the
Department. As an attorney,
Judge Cecil practiced in a
variety of areas, including
bankruptcy, corporate law,
family law, political law, and
general business litigation. He
also served as Special Counsel
to the Joint Select Committee on
Municipal Liability Insurance
with the California Legislature.
Judge Cecil previously served
as a member and Chair of the
Pacific Bell Telecommunications Consumer Advisory Panel
(1988-91). He is now a member
and current Chair of the
California Judicial Council’s
Advisory Committee on Court
Technology.
Col. Timothy J. DaRosa
Col. Timothy J. DaRosa is a 22-year veteran of the Illinois State
Police. In March 1991, he was
appointed Deputy Director of
the Division of Administration.
He is responsible for an annual
budget in excess of $35 million
and over 750 employees who
serve in the Bureaus of
Communications, Criminal
Identification, Personnel,
Information Services, and
Logistics, and the Crime Studies
Section.
In his capacity as Deputy
Director, Col. DaRosa is
responsible for the
administration of the
Department's Automated
Fingerprint Identification
System (AFIS), voice and data
communications systems, and
the Illinois State Police data
center that includes the Law
Enforcement Agency Data
System (LEADS). Col. DaRosa
also oversees the operation of
the Firearm Owners
Identification (FOID) Program
and serves as the Illinois point-of-contact for firearms
transactions relative to the
National Instant Criminal
Background Check System
(NICS).
Col. DaRosa currently serves as
Chairman of the Illinois LEADS
Advisory Policy Board and is a
member of the Federal Brady
Act Task Force Working Group,
and the International
Association of Chiefs of Police
(IACP) Criminal Justice
Information Systems
Committee. Col. DaRosa’s
professional affiliations include
the National Criminal Justice
Association, the Police
Executive Research Forum, the
Illinois Association of Chiefs of
Police, and the IACP. In
November 1998, he was
appointed by Illinois’ governor
to serve on the SEARCH
Membership Group.
Col. DaRosa holds a B.S.
degree in criminal justice
administration from Southern
Illinois University at
Carbondale, and is a veteran of
the U.S. Army.
James X. Dempsey
James X. Dempsey is Senior
Staff Counsel at the Center for
Democracy and Technology
(CDT) in Washington, D.C. He
joined CDT in 1997, where he
works on fourth amendment and
electronic surveillance issues.
Prior to joining CDT, Mr.
Dempsey was Deputy Director
of the Center for National
Security Studies. From 1995-96,
Mr. Dempsey also served as
Special Counsel to the National
Security Archive, a
nongovernmental organization
that uses the Freedom of
Information Act to gain the
declassification of documents
on U.S. foreign policy.
From 1985-94, Mr. Dempsey
was Assistant Counsel to the
House Judiciary Subcommittee
on Civil and Constitutional
Rights. His primary areas of
responsibility for the
Subcommittee were oversight of
the Federal Bureau of
Investigation (FBI), privacy,
and civil liberties. He worked
on issues at the intersection of
national security and
constitutional rights, including
terrorism, counterintelligence,
and electronic surveillance, as
well as crime issues, including
the Federal death penalty,
remedies for racial bias in death
sentencing, information privacy,
and police brutality. Mr.
Dempsey has traveled to Russia,
Poland, Hungary, Bulgaria,
Guatemala, Chile, and
Argentina to speak on civil
liberties issues.
From 1980-84, Mr. Dempsey
was an Associate with the
Washington, D.C., law firm of
Arnold & Porter, where he
practiced in areas of
government and commercial
contracts, energy law, and antitrust. He also maintained an
extensive pro bono
representation of death row
inmates in Federal habeas
proceedings. He clerked for the
Hon. Robert Braucher of the
Massachusetts Supreme Court.
Mr. Dempsey graduated from
Harvard Law School in 1979
and from Yale College in 1975.
He is co-author of Terrorism &
the Constitution: Sacrificing
Civil Liberties in the Name of
National Security (with Prof.
David Cole of Georgetown Law
School).
Dr. David H. Flaherty
Dr. David H. Flaherty is
Principal Officer of David H.
Flaherty, Inc., Privacy and
Information Consultants, in
Victoria, British Columbia,
Canada. He became British
Columbia’s first Information
and Privacy Commissioner in
1993. Appointed by the
government of British
Columbia, Dr. Flaherty had a 6-year, nonrenewable term of
office. In this position, he was
an independent Officer of the
Legislature of British Columbia,
and his role was to
independently monitor the
administration of British
Columbia’s Freedom of
Information and Protection of
Privacy Act.
Dr. Flaherty has over 20 years
of experience with privacy
protection and access to
information issues as an
academic, a teacher, an advisor,
a consultant, and an advocate.
He is recognized as one of the
world’s leading experts on
privacy and data protection.
Since 1965, Dr. Flaherty has
been a full-time academic in the
United States and Canada. He
received a B.A. (honors) degree
in history from McGill
University in 1962, and an M.A.
and Ph.D. in history from
Columbia University in 1963
and 1967, respectively. He
taught at Princeton University
from 1965-68 and the
University of Virginia from
1968-72. In 1972, Dr. Flaherty
joined the faculty at the
University of Western Ontario,
where he taught history and law
until accepting the position of
Commissioner. His research and
teaching fields include
American and Canadian legal
history, information law and
policy, and privacy and data
protection in modern industrial
societies.
From 1971-72, Dr. Flaherty was
a Fellow in law and history at
Harvard Law School; a Visiting
Fellow at Magdalen College,
Oxford, in 1978-79; a Visiting
Scholar at Stanford Law School
in 1985-86; a Fellow of the
Woodrow Wilson International
Centre for Scholars in
Washington, D.C., during the
1992-93 academic year; a
Canada-U.S. Fulbright Fellow
(Law); a Visiting Scholar at the
Georgetown National Law
Center; and a Fellow of the
Kennedy Institute for Ethics, at
Georgetown University. From
1985-87, Dr. Flaherty served as
a Consultant to the Standing
Committee on Justice and
Solicitor General of the
Canadian House of Commons
for its report on the functioning
of Federal access to information
and privacy acts.
Dr. Flaherty has written and
published four books and edited
two international bibliographies
on privacy and data protection
policy. His major book,
Protecting Privacy in
Surveillance Societies: The
Federal Republic of Germany,
Sweden, France, Canada and
the United States (1989),
examines how privacy and data
protection laws for the public
sector work in practice. In
addition, he also has been an
editor and co-editor of six
publications relating to various
aspects of Canadian and
American studies, including
Challenging Times: The
Women’s Movement in Canada
and the United States (1992).
Several of Dr. Flaherty’s current
writings emanate from his role
as Information and Privacy
Commissioner, and discuss the
principles and practical
application of information and
privacy law in British
Columbia.
Dr. Charles M. Friel
Dr. Charles M. Friel is a
Professor in the College of
Criminal Justice, Sam Houston
State University (Texas), where
he previously served as Dean.
In 1978 and again in 1984, Dr.
Friel received fellowships from
the Japanese Ministry of Justice
to study that nation’s
correctional system. In 1988, he
served as a visiting lecturer in
various police colleges in the
People’s Republic of China.
Dr. Friel has lectured
extensively throughout the
United States and Canada. He is
an At-large Member of
SEARCH, as well as a member
of its Board of Directors. He
was the 1988 recipient of
SEARCH’s O.J. Hawkins
Award for Innovative
Leadership and Outstanding
Contributions in Criminal
Justice Information Systems,
Policy and Statistics in the
United States. Dr. Friel is also
the 1992 recipient of the Justice
Charles W. Barrow Award for
distinguished service to the
Texas judiciary.
Dr. Friel’s undergraduate
studies at Maryknoll College
(New York) included
philosophy and Latin; he
received a Ph.D. in
experimental psychology from
the Catholic University of
America, Washington, D.C.
David Gavin
David Gavin has worked for the
Texas Department of Public
Safety for 21 years. Since 1991,
Mr. Gavin has served as
Assistant Chief of the
Department’s Administration
Division. He held prior
positions with the Texas Crime
Information Center, the Texas
Uniform Crime Reporting
Program, the Texas
Computerized Criminal History
File, and the Texas Automated
Fingerprint Identification
System. Mr. Gavin’s current
duties include responsibilities
for all those programs.
Within the FBI’s Criminal
Justice Information Services
(CJIS) advisory process, he has
served as Chair of the Western
Regional Working Group and
the National Crime Information
Center Subcommittee. He
currently is Chair of the FBI
CJIS Advisory Policy Board.
His education includes a
master’s degree from the
University of Texas, Austin.
Roger W. Ham
Roger W. Ham is the first Chief
Information Officer (CIO) of
the Los Angeles (California)
Police Department (LAPD). He
serves the Department at the
level of Deputy Chief and
commands five divisions,
including Emergency Command
and Control Communications
Systems, Communications,
Information Resources, Crime
Analysis Section, and the
Systems Development Task
Force. Chief Ham manages a
professional and operational
staff of over 900, including
sworn commanding officers and
civilian managers. As
Commanding Officer, he is
responsible for the conduct of
operations and the efficient
utilization of the financial and
human resources in the
Information and
Communications Services
Bureau. Chief Ham directs and
manages an annual technology
project budget of over $400
million.
As CIO, Chief Ham is
developing information systems
divisions, which are centers of
competency with speed,
maneuverability,
responsiveness, flexibility, and
accountability. He has a focused
synergistic approach so that all
units under his command work
together toward the shared
vision and goals of the LAPD.
Chief Ham has over 28 years of
experience in developing
leading-edge technologies. He
started his career working for
Mobil Oil Corporation as a
project engineer managing
command and control of field
operations through automated
systems. He was the Bureau
Commander, Communications
Administrator, and Information
Systems Manager for the City of
Huntington Beach Police
Department in California for
over 21 years.
Chief Ham has an M.B.A. from
the University of Southern
California and a bachelor’s
degree in electrical engineering
from California State
University, Long Beach. He has
served on many professional
and business organizations.
Ronald P. Hawley
Ronald P. Hawley began his
career with the North Carolina
State Bureau of Investigation
(SBI) in August 1973. Since
January 2001, he has served as
CIO of the North Carolina
Office of Information
Technology Services. Previous
to that, he served as Assistant
Director for the SBI’s Division
of Criminal Information, a
position he had held since July
1993. Mr. Hawley’s early
assignments with the SBI
included Special Agent,
Assistant District Supervisor,
District Supervisor, and a tour
of duty with Governor’s
Security.
Subsequent to his appointment
to the Division, Mr. Hawley
became involved with several
committees and working groups
related to criminal justice
information technology. These
include Co-chair of the Criminal
Justice Information Network
Study Committee, member of
the Criminal Justice Information
Services (CJIS) Southern
Regional Working Group, and
member of the CJIS Ad Hoc
Task Force on Security, Privacy
and Policy Matters. Mr. Hawley
is an At-Large appointee to the
SEARCH Membership Group.
He previously was the
governor-appointed member of
SEARCH representing North
Carolina, and served on the
SEARCH Board of Directors
and as Vice Chair of the
SEARCH Law and Policy
Program Advisory Committee.
Mr. Hawley is a graduate of
Campbell College and received
a master’s degree in education
from the University of Maine.
Hon. Catherine D. “Kitty”
Kimball
The Honorable Catherine D.
“Kitty” Kimball serves as
Associate Justice of the
Louisiana Supreme Court. Her
previous work experience
included Law Clerk, U.S.
District Court, Western District
of Louisiana; Special Counsel,
Louisiana Attorney General’s
Office; General Counsel,
Louisiana Commission on Law
Enforcement and
Administration of Criminal
Justice; private solo practice;
and Assistant District Attorney
for the 18th Judicial District.
In December 1982, Justice
Kimball was elected District
Judge, Division A, for the 18th
Judicial District. She served in
that capacity until being elected
as Associate Justice of the
Supreme Court of Louisiana in
November 1992.
Justice Kimball’s current
professional responsibilities and
associations include: Member,
Louisiana State Bar
Association; Member, American
Judicature Society; Member,
National Association of Women
Judges; Member, State-Federal
Judicial Council; Member, Wex
Malone American Inn of Court;
Charter Member, Louisiana
Association of Elected Women;
Chair, Louisiana Supreme Court
Case Management Information
System Task Force; Member,
Governor’s Task Force on
Violent Crime and Homicide;
Member, Automated Fingerprint
Identification Selection
Committee; and Chair, Judicial
Budgetary Control Board.
Justice Kimball has previously
served as Past President,
Louisiana Legislative Wives
Auxiliary; First Vice-President
and Member, Executive
Committee of the Louisiana
District Judges Association;
President and Member,
Louisiana State University Law
Alumni Association; Member,
Louisiana Juvenile Judges
Association; Member, National
Conference of State Trial
Judges; Member, 18th Judicial
District Bar Association;
Member, American Trial
Lawyers Association; Chief
Judge, 18th Judicial District
Court; Member, Governor’s
Commission on Child Support;
Member, Economic Justice for
All Task Force; Member,
Committee to Evaluate New
Judgeships; Member, Orleans
Criminal and Civil Court
Committee; Member, Supreme
Court Committee on the Judicial
Electoral Process; Member,
Louisiana Task Force on
Women in the Courts. She also
has been inducted into the
Louisiana State University Law
School Hall of Fame.
Prof. Jane E. Kirtley
Jane E. Kirtley is the Silha
Professor of Media Law and
Ethics at the School of
Journalism and Mass
Communication, University of
Minnesota. Prior to assuming
her position at the University of
Minnesota in August 1999,
Prof. Kirtley served as
Executive Director of The
Reporters Committee for
Freedom of the Press, a
voluntary unincorporated
association of reporters and
editors devoted to protecting the
first amendment and freedom of
information interests of the
news media. In that position,
she was responsible for
overseeing the legal defense and
publications efforts of the
Reporters Committee, as well as
supervising the group’s
fundraising activities. Prof.
Kirtley also edited the
Committee’s quarterly
magazine, The News Media &
The Law.
Prof. Kirtley has prepared
numerous friend-of-the-court
briefs on behalf of the Reporters
Committee and other news
media organizations, including
Reno v. ACLU, Hustler
Magazine v. Falwell, The
Florida Star v. B.J.F., and
Department of Justice v. Tax
Analysts. She frequently writes
and speaks on media law and
freedom of information issues in
the United States and abroad,
including Russia, Mongolia,
Belarus, Bulgaria, Latvia,
Romania, Poland, the Czech
Republic, Japan, Chile, the
United Kingdom, Ireland, and
Canada. Prof. Kirtley also
writes “The Press and the Law”
column each month for
American Journalism Review,
and has appeared on programs
such as “Nightline,” “All Things
Considered,” “The Jim Lehrer
News Hour,” “Good Morning
America,” “Today,”
“Donahue!,” “Crossfire,”
“Burden of Proof,” “CNN &
Co.,” and the British
Broadcasting Corp.’s “Law in
Action.” She also has served as
an Adjunct Professor with the
American University School of
Communications Graduate
Program.
Prior to her tenure at the
Reporters Committee, Prof.
Kirtley was associated with the
law firm of Nixon, Hargrave,
Devans & Doyle. She is a
member of the New York,
District of Columbia, and
Virginia bars. Prof. Kirtley
worked as a reporter of the
Evansville Press, the Oak
Ridger, and the Nashville
Banner.
She serves on many advisory
boards and committees,
including the Freedom Forum’s
First Amendment Center, the
American Bar Association’s
(ABA) National Conference of
Lawyers and Representatives of
the Media, the Libel Defense
Resource, the Student Press
Law Center, and the editorial
board of Government
Information Quarterly. In 1993,
Prof. Kirtley received the
Distinguished Service Award
from the Newspaper Division of
the Association for Education in
Journalism and Mass
Communication, and in 1994,
the John Peter Zenger Award
for Freedom of the Press and the
People’s Right to Know from
the University of Arizona. In
1996, she was one of 24
individuals inducted into the
Freedom of Information Act
Hall of Fame, established to
commemorate the 30th
anniversary of the signing of the
Act.
Prof. Kirtley obtained her J.D.
degree in 1979 from Vanderbilt
University School of Law,
where she served as Executive
Articles Editor of the Vanderbilt
Journal of Transnational Law.
She received bachelor’s and
master’s degrees from
Northwestern University’s
Medill School of Journalism in
1975 and 1976.
Linda Lightfoot
Linda Lightfoot is Executive
Editor of The Advocate in Baton
Rouge, Louisiana. Ms.
Lightfoot has been employed by
Capital City Press, the publisher
of The Advocate, since 1965.
She started as a “society” writer,
and has been a Reporter in the
areas of courts and education;
headed the Capitol News
Bureau, covering State
government and higher
education; and was Assistant
Executive Editor prior to her
present appointment as
Executive Editor in 1991.
Ms. Lightfoot has and continues
to be involved in many
professional and community
activities, including the
American Society of Newspaper
Editors (ASNE), currently
serving on its Board of
Directors; as a member of the
Freedom of Information
Committee; and as
representative of ASNE on the
National Conference of Lawyers
and Representatives of the
News Media, which is a
committee of the ABA. She has
also served as a Nominating
Juror for the Pulitzer Prize for
1997 and 1998. She currently is
on the Visiting Committee for
the School of Communications,
Loyola University; a member of
the Society of Professional
Journalists; a member of the
Board of Directors of the Press
Club of Baton Rouge; a member
of the Louisiana Press
Association’s Legislative
Committee; and a member of
the Louisiana Leadership
Alumni, a program of the
Council for a Better Louisiana.
In 1993-94, Ms. Lightfoot
served on the Task Force to
Study Cameras in the Trial
Courts of Louisiana. She was
appointed by the Supreme Court
of Louisiana to represent
newspapers on the Task Force
and authored the majority of the
report in favor of cameras.
Ms. Lightfoot received a
bachelor’s degree in political
science and journalism from the
University of Mississippi, and
has studied at the Institute of
Politics, Loyola University, and
the Louisiana State University
Executive Program.
Anthony S. Lowe
Anthony S. Lowe is Senior
Legislative Counsel to the U.S.
Senate Judiciary Committee’s
Subcommittee on Antitrust,
Business Rights, and
Competition, a position he has
held since 1997. He is
responsible for the development
and introduction of crime-related legislation and handles
all crime-related issues before
the full committee for the
subcommittee chair.
Mr. Lowe’s prior experience
includes Legislative Assistant to
U.S. Sen. Slade Gorton (R-WA)
from 1988-90, during which
time he was assigned to
these committees: Judiciary;
Rules; Commerce, State, Justice
Appropriations; Government
Affairs; Impeachment Trial; and
Indian Affairs. He also served
as Legal Counsel to the
Washington State Senate,
Majority Office of Legal
Counsel and Policy
Development from 1991-92; as
Deputy Prosecutor in the King
County, Washington,
Prosecutor’s Office; as Judicial
Extern for the U.S. Court of
Appeals for the Ninth Circuit,
Judge Robert R. Beezer; as
Associate Director, International
Center for Economic Growth
and International Center for
Self-Governance Programs of
the Institute for Contemporary
Studies, Washington, D.C.; and
as Senior Trade Intern,
International Trade
Administration, Foreign and
Commercial Service, U.S.
Department of Commerce.
Mr. Lowe received his B.A.
(cum laude) degree in
international political science
from the University of
Washington and his J.D. from
the University of Santa Clara
(California). He also studied at
the National University of
Singapore Law School and the
East China Institute of Politics
and Law. He is a member of the
Bars of Pennsylvania,
Washington State, U.S. Court of
Appeals for the Ninth Circuit,
U.S. Court of International
Trade, U.S. District Court for
the Western District of
Washington, and Washington,
D.C.
Dr. Barry Mahoney
Since 1993, Dr. Barry Mahoney
has been President of The
Justice Management Institute
(JMI), a Denver-based,
nonprofit organization engaged
in education, research, and
technical assistance focused on
the operations of courts and
other organizations involved in
the administration of justice. He
is responsible for overall
management and program
development for JMI, and
during 1998-99 he directed JMI
projects on reduction of
litigation cost and delay, drug
court planning and
implementation, and court-linked community justice
innovations.

Dr. Mahoney's prior
professional work includes
extensive experience in
litigation as an Assistant
Attorney General for the State
of New York in 1962-67, and as
a lawyer in private practice in
New York City in 1967-71.
During 1971-73, he was First
Assistant Counsel for the New
York State Division of Criminal
Justice Services. From 1973-78,
he was with the National Center
for State Courts (NCSC), where
he was the Associate Director
responsible for all of the
organization’s national-scope
research and technical
assistance programs. In 1978-79
and 1982-83, Dr. Mahoney was
the Director of the London
Office of the Vera Institute of
Justice. During 1979-82 and
1983-92, he was with the
NCSC’s Institute for Court
Management, where he led a
number of national-scope
research and technical
assistance projects focused on
court delay reduction,
intermediate sanctions, and fine
use and collection.
Dr. Mahoney has served as a
lead faculty member for
educational programs conducted
by the National Judicial
College, the National
Association for Court
Management, and many other
national-, State-, and local-level
organizations. Dr. Mahoney
served as a member of the
Advisory Panel for the
Assessment of Alternatives for a
National Computerized
Criminal History System
conducted by the Office of
Technology Assessment of the
U.S. Congress in 1979-82, and
since 1997 has been a member
of the SEARCH/Bureau of
Justice Assistance National
Task Force on Court
Automation and Integration.
Dr. Mahoney is a graduate of
Dartmouth College and the
Harvard Law School, and holds
a Ph.D. in political science from
Columbia University.
Prof. Kent Markus
Kent Markus is a visiting
Professor at Capital University
Law School in Columbus, Ohio,
and Director of Capital’s new
Dave Thomas Center for
Adoption Law, the first law
school-based institution focused
on adoption law in the United
States.
Before heading to Capital in the
fall of 1998, Prof. Markus
served as the Deputy Chief of
Staff at the U.S. Department of
Justice (DOJ) and as the
highest-ranking advisor —
Counselor — to Attorney
General Janet Reno. During his
approximately 5 years at the
DOJ, Prof. Markus, at various
points in time, was responsible
for the national implementation
of the Brady Handgun Violence
Prevention Act and the 1994
Crime Act; established and was
the first director of the
Community Oriented Policing
Services (COPS) Office
(responsible for putting 100,000
new community policing
officers on America’s streets);
managed the DOJ’s dealings
with the Congress; and was the
DOJ’s point person on crime
policy in general, with special
attention to juvenile crime, gun
violence, and criminal record
systems.
Prior to his service at the DOJ,
Prof. Markus was the Chief of
Staff at the Democratic National
Committee. He also previously
served as Chief of Staff for
former Ohio Attorney General
Lee Fisher. Earlier in his career,
Prof. Markus, a Cleveland
native, worked at law firms in
Australia, Alaska, and
Washington, D.C., before
heading back home to clerk for
U.S. District Judge Alvin I.
“Buddy” Krenzer, practice law,
and teach at Cleveland State
Law School. On Capitol Hill,
Prof. Markus worked for former
U.S. House Speakers Carl
Albert and Thomas P. “Tip”
O’Neill, and former House
Rules Committee Chairman
Richard Bolling.
Prof. Markus teaches
Administrative Law, Remedies,
and a seminar on the Role of the
Prosecutor at Capital
University. He is a 1981
graduate of Northwestern
University’s School of Speech,
a 1984 honors graduate of
Harvard Law School, and a
graduate of the Kennedy
School’s Program for Senior
Executives in State and Local
Government.
Hon. Gordon A. Martin, Jr.
Judge Gordon A. Martin, Jr.,
was appointed to the
Massachusetts Trial Court in
1983. He headed one of the
country’s frontline urban district
courts with the most gun, drug,
and domestic violence cases in
the State, and now operates a
special assignment session for
cases from various Eastern
Massachusetts courts.
Judge Martin was a Trial
Attorney with the Civil Rights
Division of the U.S. DOJ during
the Kennedy Administration and
thereafter First Assistant U.S.
Attorney for the District of
Massachusetts. He was
subsequently a Commissioner of
the Massachusetts Commission
Against Discrimination before
organizing the firm in which he
was a partner until becoming a
judge.
In 1994, he was honored by
New England’s largest program
for battered women, Casa
Myrna Vasquez, for his work on
behalf of abused women. That
same year, Judge Martin was
designated one of the three
initial U.S. House of
Representatives “practitioner”
appointees to the Federal
Coordinating Council on
Juvenile Justice and
Delinquency Prevention,
chaired by Attorney General
Janet Reno. In that capacity, he
participated in the preparation
of Combating Violence and
Delinquency: The National
Juvenile Justice Action Plan. He
was re-appointed to the Council
in 1998. Judge Martin also is
completing his second term as a
trustee of the National Council
of Juvenile and Family Court
Judges. He spoke at the
SEARCH/Bureau of Justice
Statistics National Conference
on Juvenile Justice Records in
1996.


Judge Martin co-authored Civil
Rights Litigation: Cases and
Perspectives (Carolina Press
1995), and has written law
review articles on a wide range
of topics, including juvenile
justice articles in the
Connecticut Law Review and
the New England Journal on
Criminal and Civil
Confinement.

Judge Martin is a graduate of
Harvard College and the New
York University School of Law.
Thomas R. McMahon
Thomas R. McMahon is
General Counsel of the Illinois
Department of Human Services.
The Department is comprised of
the former Departments of
Mental Health and
Developmental Disabilities;
Alcohol and Substance Abuse;
Rehabilitation Services; and
portions of the Departments of
Public Aid, Public Health, and
Children and Family Services.
He administers the Division of
Legal Services and provides
counsel to the Department on a
wide range of administrative,
policy, and regulatory matters.
Prior to his employment with
the Department, Mr. McMahon
was associated with the firm of
Cappetta & Shadle, Ltd., and
served as an Assistant States
Attorney in Lake County,
Illinois. Before entering the
legal profession, Mr. McMahon
was employed by the Ray
Graham Association for the
Handicapped in various
capacities, including the
administration of sheltered
workshop programming for
individuals with developmental
disabilities.
Mr. McMahon received his
undergraduate degree from the
University of Illinois and his
J.D. from The John Marshall
Law School. Mr. McMahon is
an adjunct faculty member at
DePaul University School of
Law (Illinois).
Iris Morgan
Iris Morgan is a Senior
Management Analyst II for the
Criminal Justice Information
Services (CJIS) Program in the
Florida Department of Law
Enforcement (FDLE). She is
currently serving as the
coordinator for delivery of
information services statewide,
supervisor of the CJIS Help
Desk, and project leader for the
development and installation of
the Florida Crime Information
Center (FCIC) II Workstation
Software Project. Prior to
assuming that role, she was
responsible for conducting
FCIC/National Crime
Information System (NCIC)
audits of criminal justice
agencies accessing the
FCIC/NCIC systems.
Ms. Morgan has over 19 years
experience with FDLE and the
CJIS Program Area. During this
time she has served in a variety
of technical, analytical, and
supervisory positions. She has
also been instrumental in
designing several major
criminal justice information
system enhancements,
including: the Offender-Based
Transaction System, Uniform
Offense and Arrest Reports,
National Fingerprint File
Program, Uniform Crime
Reports Program, and Criminal
Justice Data Element
Dictionary, as well as redesign
of the Computerized Criminal
History file.
Deirdre Mulligan
Deirdre Mulligan is Staff
Counsel at the Center for
Democracy and Technology, a
public interest organization
based in Washington, D.C.,
dedicated to preserving and
enhancing democratic values
and civil liberties on the Internet
and other interactive
communications media. As
Staff Counsel, Ms. Mulligan
evaluates the impact of
technology on individual
privacy. She works with other
privacy and civil liberties
advocates, the communications
and computer industries, and
public policy makers to
strengthen fair information
practices and enhance individual
control over personal
information through the
development of individual
empowering policies and
technologies. Currently Ms.
Mulligan is shepherding the
Internet Privacy Working Group
— a collaborative public
interest/private-sector working
group — developing a
framework for privacy on the
Internet.
Prior to joining the Center, Ms.
Mulligan worked on
information privacy issues in
emerging technologies at the
Electronic Frontier Foundation
(EFF). While at EFF, Ms.
Mulligan staffed the National
Information Infrastructure
Advisory Council’s
Megaproject III on Privacy,
Security and Intellectual
Property for Co-chair Ester
Dyson.
Ms. Mulligan received her
undergraduate degree from
Smith College. She received her
law degree from Georgetown
University.
Ron Oldroyd
Ron Oldroyd is the Assistant
Juvenile Court Administrator
for Utah. He began his career
with the Juvenile Court in 1973
as a Deputy Probation Officer.
Since then he has held a number
of positions within the Juvenile
Court. He received his B.S. and
M.S. degrees from the
University of Utah. After
receiving his M.S. degree in
School Counseling, he left the
court to work as an elementary
school counselor for 4 years
prior to returning to the court as
the Chief of Probation in Salt
Lake City.
During his tenure with the
courts, Mr. Oldroyd has been
very involved with
programming for delinquent
youth and Utah’s Juvenile
Justice Management
Information System. He is
currently chairing the re-engineering of this system, an
effort that is expected to take 3
years. Mr. Oldroyd was also a
participant in an initiative of the
U.S. DOJ’s Office of Juvenile
Justice and Delinquency
Prevention to define juvenile
probation and its expectations
on a national level.

Lawrence F. Potts
Lawrence F. Potts has served as
Treasury Division Director and
currently as Director of the
Administrative Group of the
Boy Scouts of America. In his
present position, he directs
Information Systems,
Properties, and Treasury.
Mr. Potts has served with the
National Council of the Boy
Scouts since 1982, and in his
current position since 1992.
Prior to joining the National
Council, he had extensive
experience in the casualty
insurance industry, holding
positions of controller and
treasurer and serving as a
member of several boards of
directors. He also served with
the U.S. Armed Forces with the
rank of Captain.
Mr. Potts was an original
member of the Boy Scouts of
America Youth Protection Task
Force. In this capacity, he was
instrumental in creating several
tools for the prevention of child
abuse in society and Scouting.
He also was an original member
of the National Collaboration
for Youth Sexual Abuse Task
Force. This is an association of
16 not-for-profit youth-serving
organizations interested in the
prevention of child sexual
abuse. This group pioneered
efforts in information-sharing
and education about sexual
abuse among youth-serving
agencies. Mr. Potts is the author
of a paper on a model program’s
efforts in the child abuse area.

Through the Boy Scouts of
America, Mr. Potts is able to
communicate with more than
4.4 million youth and 1.1
million adults of mixed ethnic
and racial backgrounds, and
many others throughout society.
Currently, he holds the positions
of Chairman, Boy Scouts of
America Youth Protection Task
Force; Chairman, Child Abuse
Expert Advisory Panel;
Chairman, National
Collaboration for Youth Child
Sexual Abuse Task Force; and
Member, National Child Abuse
Coalition. He was a member of
the U.S. Advisory Board on
Child Abuse and Neglect from
1992-96.
Mr. Potts is a Certified Public
Accountant and, as such, a
member of the American and
Texas Institutes of CPAs. He
also is a member of the
Association of Investment
Analysts, the Southwest Pension
Conference, and the Sentinel
Institute.
Mr. Potts is a graduate of the
University of Texas, Austin, and
is a member of Beta Alpha Psi
and Phi Kappa Phi
organizations.
Jack H. Reed
Jack H. Reed is Chairman of
I.R.S.C., Inc., an information
provider company, and
Confidential Business
Resources, Inc., a corporation
recently formed by the merger
of nine companies representing
all facets of the information
industry.


Mr. Reed began his career in the
personal finance business,
where he spent 9 years, serving
in various management
positions. He has been a
licensed Private Investigator
since 1964, at which time he
founded J.H.R.I., Inc., a private
investigation firm. Mr. Reed
founded I.R.S.C., Inc., in 1979
and began selling public record
and nonpublic information to
private investigators,
corporations, insurance
companies, and financial
institutions in 1983.
Mr. Reed entered Western State
University, College of Law in
1966. His graduation was
delayed until 1972 due to a
serious injury that left him
quadriplegic. During his
recovery period, J.H.R.I.
continued to grow with Mr.
Reed at the helm.
As a member of the California
Association of Licensed
Investigators, Mr. Reed has
served as President, and on the
Board of Directors as Vice
President of Investigations,
District Director, and Director at
Large. He served on the
Legislative Committee for over
20 years and re-engineered this
committee into a formidable
entity, which, since its
inception, has prevented any
negative legislation affecting the
private investigation and
security industry.
Mr. Reed was President of the
National Council of
Investigation and Security
Services (NCISS), as well as its
Legislative Committee Chair,
which involved overseeing
Federal legislation issues in
1997-98. He is an active
member of various other State,
national, and international
professional associations, and
serves on various committees
within these organizations.
Mr. Reed has been appointed by
the Software/Information
Industry Association (SIIA)
Board of Directors to serve on
the Executive Committee of the
Public Policy and Government
Relations Council. He also
serves on the SIIA Committee
on Privacy and Information
Regulation and chairs the State
Issues Working Group and
Government Information Policy
Committee. Additionally, Mr.
Reed served on the privacy task
force spearheaded by California
State Sen. Steve Peace of
California (D-El Cajon).
In June 1997, Mr. Reed was
invited to attend the Federal
Trade Commission (FTC)
hearings, representing NCISS
and the Individual Reference
Services Group (IRSG). Mr.
Reed is also a founding member
of the IRSG, which is based in
Washington, D.C., and is
comprised of representatives
from leading companies within
the information industry who
are addressing privacy concerns.
Mr. Reed was recently elected
Vice Chair and Secretary-Treasurer of the IRSG. This
group has compiled “Privacy
Principles,” which are intended
to serve as the industry model
for ethical and privacy
standards. These Principles
were approved by the FTC, and
resulted in a recommendation
from the FTC in its “Report to
Congress” that no new
legislation was needed to
regulate the information
industry.
Jack Scheidegger
Jack Scheidegger is Chief
Executive Officer of the
Western Identification Network,
Inc., a position he has held since
1996. Prior to his current
appointment, Mr. Scheidegger
was Chief of the Bureau of
Criminal Identification and
Information in the California
DOJ.
He also has previously held the
positions of Chief, Bureau of
Forensic Services, California
DOJ; Director, Bureau of Medi-Cal Fraud and Patient Abuse,
California DOJ; and Legislative
Advocate for the California
Attorney General’s Office.
Mr. Scheidegger previously
served as California’s governor-appointed Member to the
SEARCH Membership Group.
As a SEARCH Member, he
served on its Board of Directors,
as Chair of its Law and Policy
Program Advisory Committee,
and as Chair of the Bureau of
Justice Statistics/SEARCH
National Task Force on
Increasing the Utility of the
Criminal History Record. He
also has been a member of the
California Peace Officers
Association, American Society
of Crime Laboratory Directors,
and the FBI/NCIC Western
Regional Working Group
(Control Terminal Officer).


Mr. Scheidegger received his
B.A. degree in public
administration from California
State University at Sacramento,
and his master’s degree in
public administration from the
University of Southern
California.
James F. Shea
James F. Shea is Assistant
Director of Systems at the New
York State Division of Criminal
Justice Services. In this
position, he manages a broad
range of projects, including the
State Automated Fingerprint
Identification System, Store and
Forward, and the development
and support of systems
developed for local agencies,
including law enforcement,
prosecution, jails, and
probation.
Mr. Shea manages the State’s
federally funded National
Criminal History Improvement
Program and Criminal Justice
Records Improvement Program,
as well as automation projects
supported by the National
Institute of Justice and the
Office of Juvenile Justice and
Delinquency Prevention, U.S.
DOJ. He heads up the State
criminal justice data
standardization project, serves
on the Executive Board that
oversees data standardization
for all State departments, and
directs a statewide initiative to
re-examine record sealing and
information dissemination. Mr.
Shea previously served on the
Governor’s Task Force to
improve information systems in
New York State.

Mr. Shea holds a B.S. degree
from Holy Cross College, an
M.B.A. from Union College,
and has participated in
Executive Training Programs at
Harvard’s Kennedy School of
Government.
Harold M. “Hal” Sklar
Harold M. “Hal” Sklar is an
Attorney-Advisor to the
Criminal Justice Information
Services Division of the FBI,
having been appointed to that
position in September 1997. He
received his J.D. and L.L.M.
from the Temple University
School of Law (Pennsylvania)
and the Georgetown University
Law Center, respectively. Half
of his 16 years of practice has
been in government service,
most notably as a Trial Attorney
pursuing Employee Retirement
Income Security Act (ERISA)
fraud for the U.S. Department of
Labor, abusive tax shelter
promotion for the U.S. DOJ,
and savings and loan defalcation
(Resolution Trust Corporation).
Prof. George B. Trubow
From 1976 until his retirement
in 2001, Prof. George B.
Trubow was a Professor of Law
at The John Marshall Law
School in Chicago, Illinois,
where he taught Information
Law and Policy, Cyberspace
Law, Privacy Law, and
Computer Law and directed the
Center for Information
Technology and Privacy Law.
Prof. Trubow practiced law in
Kansas and Missouri from
1958-61, and in 1961 became
assistant at The John Marshall
Law School. In 1965, he was
awarded a Congressional
Fellowship with the American
Political Science Association in
Washington, D.C. From 1966-68, Prof. Trubow was Deputy
Counsel to the U.S. Senate
Judiciary Subcommittee on
Judicial Machinery. In 1968, he
became Executive Director of
the Maryland Governor’s
Commission on the
Administration of Justice, and
he served on the U.S. Attorney
General’s Advisory Council on
Law Enforcement Education
from 1968-70.
In 1970, Prof. Trubow joined
the Law Enforcement
Assistance Administration
(LEAA), U.S. DOJ, where he
served as Deputy Director of
Law Enforcement Programs and
Director of Inspection and
Review, in charge of grant
programs to the States and
planning and program
development for LEAA.
In 1974, Prof. Trubow became
General Counsel to the
Committee on the Right to
Privacy, Executive Office of the
President, during the Ford
Administration. The Committee
was concerned with the analysis
and development of Federal
information and privacy law and
policy. Prof. Trubow returned to
John Marshall in 1976.
Prof. Trubow is active in the
ABA Section of Science and
Technology; he was advisor to
the National Commission on
Uniform State Laws in drafting
the Uniform State Information
Practices Code; and was
Reporter for the Uniform
Criminal History Records Act.
He was Chair of the 1994
International Conference on
Computers, Freedom and
Privacy and was a longtime
member of the Board of
Directors of SEARCH. He has
been an advisor to the Office of
Technology Assessment of the
U.S. Congress and to the
National Research Council in
Fraud Institute, and a member
of the Federal Computer
Systems Security and Privacy
Advisory Board.
Prof. Trubow has written and
spoken widely on the law of
information technology,
“cyberspace,” and privacy. He
was law editor of IEEE’s
Software magazine, and his
Center for Information
Technology and Privacy Law
publishes a quarterly law
review, The Journal of
Computer and Information Law.
He is editor-in-chief of the
three-volume treatise, Privacy
Law and Practice (1987), and
co-author of the casebook,
Privacy Law (1992).
Prof. Trubow is a graduate of
the University of Michigan,
earning both bachelor’s and law
degrees.
Donna M. Uzzell
Donna M. Uzzell was appointed
Director of Criminal Justice
Information Services (CJIS) for
the Florida Department of Law
Enforcement (FDLE) in
November 1996, after serving as
Special Agent in Charge of the
Investigative Support Bureau.
The CJIS program provides
instant telecommunications
capabilities for law enforcement
throughout the State; criminal
justice information storage and
retrieval capabilities in Florida
and over the entire Nation;
criminal identification services;
the ability to document and
analyze criminal activity for the
entire State; statistical and crime
trend analysis; criminal record
inquiry services for
governmental, private, and
public record requests;
improved system integrity
through biennial terminal audits;
and a statewide training
program for law enforcement.
Prior to her appointment at
FDLE, she was a Sergeant with
the Tallahassee Police
Department and a member of
that agency for 13 years.
In 1988, Ms. Uzzell was elected
to the Leon County (Florida)
School Board and completed
her 8 years in office, serving 2
years as Board Chair. During
the past 8 years, she has worked
on safe school policy and
procedures and has conducted
training throughout the State on
crisis intervention, safe school
planning, interagency
collaboration, and Serious
Habitual Offender
Comprehensive Action Program
(SHOCAP). She currently is an
adjunct professor at Florida
State University, teaching in the
School of Criminology, and is a
consultant for Fox Valley
Technical College in Wisconsin.
Ms. Uzzell is a certified crime
prevention practitioner and
former Drug Abuse Resistance
Education (D.A.R.E.) officer.
She has received recognition for

her work in the area of child
safety, including a Law
Enforcement Officer of the Year
award. She has served on
several statewide task forces on
school and child safety and
juvenile justice issues. In 1993,
she completed a 4-month
special assignment to the
Commissioner of Education on
law enforcement and education
collaborative relationships. In
1993, she spent 5 months on
special assignment to the
Florida Attorney General’s
Office developing and
implementing the Florida
Community Juvenile Justice
Partnership Grant Program.
William C. Vickrey
William C. Vickrey is
Administrative Director of the
Courts of the Administrative
Office of the California Courts,
managing its legal, court
services, fiscal, and other
operations that support the
California judicial system. As
Administrative Director of the
Courts, Mr. Vickrey also serves
as Secretary of the Judicial
Council of California and the
Commission on Judicial
Appointment, both of which are
chaired by the Chief Justice of
the California Supreme Court.
Appointed to the position in
1992, Mr. Vickrey has been
responsible for many
improvements in the State
judicial system, including the
development of a long-range
planning process for State
courts, implementation of a
statewide budgeting system, and
coordination of trial court
resources.


Prior to coming to the
Administrative Office of the
California Courts, Mr. Vickrey
was the State Court
Administrator for the Utah
Administrative Office of the
Courts. He also previously
served as Executive Director for
the Utah Department of
Corrections, and Director for the
Utah State Division of Youth
Corrections.
Mr. Vickrey received the
Warren E. Burger Award from
the National Center for State
Courts in 1995. He previously
served as President of the
Conference of State Court
Administrators.
Mr. Vickrey also co-authored
Managing Transition in a Youth
Corrections System (University
of Chicago Press); drafted
legislation to establish the
Commission on Criminal and
Juvenile Justice; and received
the 1984 James Larson Award
for Outstanding Contributions to
Corrections. During 1985, he
served as staff to the Governor’s
Judicial Article Task Force in
Utah. This resulted in the
passage of HB 100, which
established the Court of
Appeals, among other reforms
of the judiciary. He also co-authored “Utah Court of
Appeals: Blueprint for Judicial
Reform” for the Utah Bar
Journal.
Mr. Vickrey received his
bachelor’s degree from the
University of Utah.
Dr. Alan F. Westin
Dr. Alan F. Westin is Professor
Emeritus of Public Law and
Government at Columbia
University; publisher of Privacy
& American Business; and
President of the Center for
Social & Legal Research. He is
the author or editor of 26 books
on constitutional law, civil
liberties and civil rights, and
American politics.
Dr. Westin’s major books on
privacy — Privacy and
Freedom (1967) and Databanks
in a Free Society (1972) —
were pioneering works in the
field of privacy and data
protection, as were his field
studies for the U.S. National
Bureau of Standards,
Computers, Health Records,
and Citizen Rights (1976), and
Computers, Personnel
Administration, and Citizen
Rights (1979).

Over the past 40 years, Dr.
Westin has been a member of
Federal and State government
privacy commissions and an
expert witness before many
State and Federal legislative
committees and regulatory
agencies. These activities have
covered privacy issues in such
fields as financial services,
credit- and consumer-reporting,
direct marketing, medical and
health, telecommunications,
employment, law enforcement,
online and interactive services,
and social services.
Dr. Westin has been a privacy
consultant to many Federal,
State, and local government
agencies and private

foundations. He also has
consulted on privacy for over
100 major and start-up
companies, including IBM,
Security Pacific National Bank,
Equifax, American Express,
Citicorp, Bell, Prudential, Bank
of America, Chrysler, AT&T,
SmithKline Beecham, News
Corporation, Visa, and Glaxo
Wellcome.
He also has spoken at more than
500 national and international
business and government
meetings on privacy issues since
the early 1960s, as well as
appearing on all the national
U.S. television networks to
discuss current privacy
developments in business or
government.
Between 1978-98, he has been
the academic advisor to Louis
Harris & Associates for 20
national surveys of public and
leadership attitudes toward
consumer, employee, and
citizen privacy issues in the
United States and Canada. He
also has worked with Opinion
Research Corporation on a
dozen proprietary privacy
surveys for companies and
industry associations.
In 1993, with Robert Belair, he
founded a national newsletter
and information service,
Privacy & American Business,
to provide expert analysis and a
balanced voice on business-privacy issues. P&AB also
conducts an annual national
conference in Washington on
“Managing the Privacy
Revolution,” attended by 250
business, government,


academic, and public interest
group representatives. P&AB
also conducts the Corporate
Privacy Leadership Program,
and a Global Business Privacy
Policies Project.
Dr. Westin earned his
bachelor’s degree from the
University of Florida, an L.L.B.
from Harvard Law School, and
his Ph.D. in political science
from Harvard University. He is
a member of the District of
Columbia Bar and has been
listed in Who's Who in America
for three decades.
Dr. John Woulds
Dr. John Woulds is Director of
Operations at the Office of the
Data Protection Registrar, the
supervisory authority
established in the United
Kingdom under the 1984 Data
Protection Act. Dr. Woulds has
been in the Office of the Data
Protection Registrar since
March 1985. As Director of
Operations, he is a member of
the Registrar’s Management
Board and has responsibility for
all operational aspects of the
work of the office. This includes
registration, complaints,
casework, investigations,
compliance casework, and
policy advisory work in all
sectors.
Prior to his appointment with
the Data Protection Registrar, he
worked for several years in
computer management in
scientific computing centers.
Before that, he was an active
research scientist in the field of
high-energy particle physics.


Staff biographies
— Bureau of Justice
Statistics,
U.S. Department of
Justice
Dr. Jan M. Chaiken
Dr. Jan M. Chaiken was
Director of the Bureau of Justice
Statistics (BJS), U.S. DOJ, until
January 2001. His appointment
to this position by President
Clinton was confirmed in
September 1994.
Dr. Chaiken earned his Ph.D. in
mathematics at the
Massachusetts Institute of
Technology (MIT). He was an
Assistant Professor in the
mathematics department of
Cornell University; a Research
Associate at MIT; a Senior
Mathematician at the Rand
Corporation in Santa Monica,
California, from 1972-84; an
Adjunct Associate Professor in
the system sciences department
of the University of California,
Los Angeles; and a Principal
Scientist in the law and justice
area at Abt Associates, Inc., in
Cambridge, Massachusetts,
from 1984 until his nomination
as BJS Director.
Dr. Chaiken’s research has
focused on developing and
applying methods for improving
operations of criminal justice
agencies, including studies of
the criminal investigation
process, police patrol allocation,
predicting prison populations,
models of the criminal justice
system, and statistical analyses
of the Federal criminal justice
system.

Dr. Chaiken and his wife, Dr.
Marcia Chaiken, who is now
Director of Research at LINC in
Alexandria, Virginia,
collaborated on numerous
research topics, such as varieties
of criminal behavior, identifying
career criminals for priority
prosecution, drugs and crime,
multijurisdictional drug task
forces, improving sample
designs for learning about drug
use of arrestees, and private
policing.
During his tenure as BJS
Director, Dr. Chaiken has
focused on the use of modern
technologies, such as the World
Wide Web, to provide the
public with accurate, up-to-date
statistics, to allow the rapid
interstate exchange of criminal
histories and information about
registries of sex offenders, to
facilitate the implementation of
the FBI’s National Incident-Based Reporting System, and to
develop improved computerized
tracking of Federal arrestees and
defendants through the criminal
justice process.
Carol G. Kaplan
Carol G. Kaplan is currently
Chief, Criminal History
Improvement Programs, BJS,
U.S. DOJ. In this capacity, she
is responsible for managing all
BJS programs that focus on
improving the quality and
accessibility of criminal history
records and the establishment of
the national criminal record
system. Ms. Kaplan is also
responsible for all BJS activities
to ensure the privacy of criminal
record data and to support
implementation of the Brady


Handgun Violence Prevention
Act and the National Child
Protection Act of 1993.
Previously, Ms. Kaplan served
as the Assistant Deputy
Director, BJS, overseeing
programs relating to criminal
justice information policy,
privacy policy development,
and Federal justice statistics. In
this position, she was
responsible for all BJS
publications, conferences, and
technical assistance dealing with
criminal history record issues,
privacy policy, and Federal
justice statistics.
Ms. Kaplan has been involved
in Federal activities relating to
the development of privacy
policy throughout her career,
and participated in drafting the
initial landmark Federal
regulations ensuring the
privacy, accuracy, and
completeness of criminal
records and the confidentiality
of federally supported research
data. She has served on
numerous interagency task
forces to develop policies and
standards applicable to record
usage and was a charter member
of the Office of Justice
Programs’ Intelligence Systems
Policy Review Board.
Ms. Kaplan was formerly an
Attorney with the Department
of Health, Education and
Welfare and the Federal
Communications Commission.
Ms. Kaplan is a graduate of
Columbia University Law
School and Radcliffe College.

— Office of Justice
Programs,
U.S. Department of
Justice
Anne Gardner
Anne Gardner is an Attorney-Advisor for the Office of Justice
Programs (OJP), U.S. DOJ,
under the Attorney General’s
Honors Program. Ms. Gardner
is a member of OJP’s
Intergovernmental Information
Sharing Working Group,
Intelligence Systems Policy
Review Board, and Privacy
Task Force.
Ms. Gardner received her B.S.
degree from the University of
Wisconsin – Madison, and her
J.D. from The Catholic
University of America,
Columbus School of Law, cum
laude. Her publications include
“Legislation: A New Design for
Justice Integration,” 30
McGeorge Law Review 9
(1998).
Paul F. Kendall
Paul F. Kendall, General
Counsel for OJP, is the
Executive Chairman of OJP’s
Information Technology
Executive Council, as well as
Chairman of the Executive
Council’s Inter-governmental
Information Sharing Working
Group, the Intelligence Systems
Policy Review Board, and the
Privacy Task Force. Mr.
Kendall is leading a variety of
efforts in developing State and
local coordinated information
technology programs, and is
leading the Review Board’s
examination of legal and public
policy issues associated with

information sharing. Prior to his
appointment as General
Counsel, Mr. Kendall held
positions of Senior Counsel at
the Federal Mine Safety Board,
and Assistant General Counsel
of the Legal Services
Corporation, as well as other
positions in public and private
practice.
Mr. Kendall received his B.A.
degree from Columbia College
of Columbia University, his
M.B.A. from the University of
Maryland, and his J.D. from
The Catholic University of
America, Columbus School of
Law. His publications include
“Legislation: A New Design for
Justice Integration,” 30
McGeorge Law Review 9
(1998).
— SEARCH, The National
Consortium for
Justice Information and
Statistics
Sheila J. Barton
As a Deputy Executive Director
of SEARCH, Sheila J. Barton is
responsible for the development
and implementation of a
multifaceted program of public
policy analysis, documentation
of State and Federal information
policy development, education,
and assistance to State and local
policymakers; the conduct of
national conferences and
workshops on justice
information policy issues; and
the publication of timely studies
on justice information policy.
She is also In-house Counsel
and staff to the SEARCH Law
and Policy Program Advisory


Committee and Board of
Directors.
Prior to joining SEARCH, Ms.
Barton was a Municipal Judge
in Cheyenne, Wyoming, and
also was engaged in the private
practice of law. She also has
held the positions of Public
Defender for Cheyenne, and
Staff Attorney to the Wyoming
Supreme Court. She previously
served in the New York State
Department of Correctional
Services, Office of the Special
Legal Assistant to the
Commissioner, and Legal
Specialist for the Department’s
Division of Health Services.
Prior to her service in New
York, she was Associate County
Judge for Lincoln County,
Nebraska.
Ms. Barton holds a B.A. degree
from Augustana College (South
Dakota) and a J.D. from the
University of Nebraska College
of Law. She is a member of the
Bars of California, Nebraska,
and Wyoming.
Gary R. Cooper
Since 1983, Gary R. Cooper has
served as the Executive Director
of SEARCH. In his role as
Executive Director, Mr. Cooper
is called upon to represent
SEARCH before the various
branches and levels of
government, including the U.S.
Congress and the U.S. DOJ;
criminal justice associations;
and the private sector. He has
twice chaired the Evaluation
Committee for tests of the
Interstate Identification Index, a
committee of the Advisory
Policy Board to the FBI’s


National Crime Information
Center, and currently chairs the
FBI’s Evaluation Group for the
National Fingerprint File Pilot
Project.
In 1981, Mr. Cooper was
appointed by California’s
Governor to the California
Commission on Personal
Privacy. He currently serves on
the Board of Directors for the
National Foundation for Law
and Technology. With
SEARCH for 26 years, Mr.
Cooper also has served as the
Deputy Director and the
Director of the Law and Policy
Program.
Mr. Cooper’s law enforcement
career began as a Patrolman for
the City of Sacramento, and he
has held various research and
planning positions with the
California Council on Criminal
Justice and the California Crime
Technological Research
Foundation. He has written
extensively in all areas of
information law and policy,
with an emphasis on the privacy
and security of criminal history
records.
Mr. Cooper received his B.A.
degree in political science from
the University of California,
Davis.
Eric C. Johnson
Eric C. Johnson is a Policy
Research Analyst in SEARCH’s
Law and Policy Division, where
he researches and writes on
issues relating to criminal
justice information management
and policy. Mr. Johnson joined
SEARCH’s Corporate

Communications staff in July
1997 as a Writer/Researcher. He
contributed to SEARCH
publications, including
Interface, SEARCH Update, and
SEARCHLite, and also worked
on other communications and
program-related projects
involving writing, editing, and
design.
Mr. Johnson authored two of
SEARCH’s Technical Bulletins:
“Court Automation and
Integration: Issues and
Technologies,” and “From the
Inkpad to the Mousepad: IAFIS
and Fingerprint Technology at
the Dawn of the 21st Century.”
The latter, which focused on the
FBI’s Integrated Automated
Fingerprint Identification
System, was reprinted in the
April 1999 issue of Government
Technology magazine.
Before joining SEARCH, Mr.
Johnson served for 7 years as
Editor of the Northern
California Teamster newspaper,
with a circulation of 65,000 in
the greater San Francisco Bay
area. He has worked in the
mainstream press as a Reporter
and Assignment Editor, and also
in government and in public
relations, where his writing was
honored with a Bay Area
Publicity Club Award. He holds
a Bachelor of Arts degree in
Journalism from San Francisco
State University.
Mr. Johnson joined SEARCH’s
Law and Policy staff on May 1,
1999.


Appendix 2:
Glossary of criminal justice information terms


Confidentiality refers to information itself, and means that
only certain persons under
specified circumstances are
authorized to have access to
particular information.1
Criminal History Record Information (CHRI) means information collected by criminal
justice agencies on individuals
consisting of identifiable descriptions and notations of arrests, detentions, indictments,
informations or other formal
criminal charges (and any disposition arising therefrom),
sentencing, correctional supervision, and release. The term
does not include identification
information such as fingerprint
records to the extent that such
information does not indicate
involvement of the individual in
the criminal justice system.
State and Federal Inspector
General Offices are included.2
Criminal Intelligence Information means information on
identifiable individuals compiled in an effort to anticipate,
prevent, or monitor possible
criminal activity.3
Criminal Investigative Information means information on
identifiable individuals compiled in the course of an investigation of specific criminal acts.4
Criminal Justice Agency means
(1) Courts; (2) A government
agency or any subunit thereof
that performs the administration
of criminal justice pursuant to a
statute or executive order, and
which allocates a substantial
part of its annual budget to the
administration of criminal justice.5
Criminal Justice Information
includes CHRI, criminal intelligence information, criminal investigative information,
disposition information, identification record information,
nonconviction information, and
wanted person information.6
Disposition means information
disclosing that criminal proceedings have been concluded,
including information disclosing
that the police have elected not
to refer a matter to a prosecutor
or that a prosecutor has elected
not to commence criminal proceedings, and also disclosing the
nature of the termination in the
proceedings; or information disclosing that proceedings have
been indefinitely postponed and
also disclosing the reason for
such postponement. Examples
of dispositions include (but are
not limited to), acquittal, dismissal, case continued without
finding, charge dismissed,
charge still pending, guilty plea,
nolle prosequi, no paper, nolo
contendere plea, convicted,
youthful offender determination,
deceased, deferred disposition,
dismissed defendant discharged
(civil action, pardoned, probation before conviction, sentence
commuted, adjudication withheld, mistrial), executive clemency, placed on probation,
paroled, or released from correctional supervision.7
Nonconviction information
means arrest information without disposition if an interval of
1 year has elapsed from the date
of arrest and no active prosecution of the charge is pending; or
information disclosing that the
police have elected not to refer a
matter to a prosecutor; or information disclosing that a prosecutor has elected not to
commence criminal proceedings; or information disclosing
that proceedings have been indefinitely postponed, as well as
all acquittals and all dismissals.8
Privacy is “the claim of individuals, groups, or institutions
to determine for themselves
when, how, and to what extent
information about them is
communicated to others.”9

1 George B. Trubow, “Information Law Overview,” 18 J. Marshall L. Rev. 815, 817 (1985).
2 28 C.F.R. § 20.23(b).
3 Technical Report No. 13: Standards for the Security and Privacy of Criminal History Record Information, 3rd ed. (Sacramento: SEARCH Group, Inc., 1988) Standard 2.1(d). Hereafter, Technical Report No. 13.
4 Technical Report No. 13, Standard 2.1(e).
5 28 C.F.R. § 20.23(c).
6 Technical Report No. 13, Standard 2.1.
7 28 C.F.R. § 20.23(e).
8 28 C.F.R. § 20.23(k).
9 Alan F. Westin, Privacy and Freedom (New York: Atheneum, 1967) p. 7.

Appendix 3:
Comparison of criminal history and
other privacy measures
• Notice
• Choice
• Onward transfer
• Security
• Data integrity
• Access
• Enforcement


Comparison of criminal history and other privacy measures1
Notice
Federal justice information
system regulations2

None.

Safe Harbor Privacy
Principles3

An organization must inform individuals about:
• The purposes for which it collects and uses PII.
• How to contact the organization with any inquiries or complaints.
• The types of third parties to which it discloses the information.
• The choices and means offered to individuals for limiting its use and disclosure.
This notice must be provided in clear and conspicuous language that is readily
understood; and the notice must be made available when individuals are first asked to
provide personal information to the organization or as soon thereafter as is practicable. In
any event, notice must be provided before the organization uses such information for a
purpose other than that for which it was originally collected or processed by the
transferring organization, or before the organization discloses it for the first time to a
third party.

Online Privacy Alliance
Principles

The policy must state clearly:
• What PII is collected.
• The use of that information.
• Possible third-party distribution.
• The choices available to an individual.
• The company’s commitment to data security.
• What steps the organization takes to ensure data quality and access.
The policy should:
• Disclose any consequences of a refusal to provide PII.
• Include a statement of enforcement mechanisms and how to contact the organization.
A privacy policy must be easy to find, read, and understand. The policy must be available
prior to or at the time that the PII is collected or requested.

1 The measures reviewed here use various terms to identify and, in some cases, to define the personal information covered by
the measure. Examples include personal information and data, protected health information, individually identifiable information,
and so on. For ease of comparison, this chart uses the abbreviation “PII” (personally identifiable information), or simply
“information” or “data.”
2 28 C.F.R. Part 20. (Also known as the “DOJ regulations.”)
3 65 Federal Register 45666 (July 24, 2000).


Notice (cont.)
Fair Credit Reporting Act

Upon request, notice, substantially similar to the model promulgated by the Federal Trade
Commission (FTC), must be provided to consumers; those who regularly supply the
credit-reporting agency with information; and those who receive reports.4
A consumer-reporting agency that furnishes a consumer report for employment purposes
containing public record information, including criminal history records, which is “likely
to have an adverse effect upon a consumer’s ability to obtain employment,” must either
provide the consumer with notice at the same time that the information is reported to the
potential employer or “must maintain strict procedures” to ensure that the information is
complete and up-to-date.5
Consumers also must be notified if a credit report provided the basis for an adverse
determination.6

Individual Reference
Services Group Principles

Each individual reference service (Service) shall have an information practices policy
statement that is available upon request that describes:
• What types of PII it has.
• From what types of sources.
• How it is collected.
• The type of entities to whom it may be disclosed.
• The type of uses to which it is put.7

European Union Directive

Requires disclosure of information, such as:
• The identity of the controller.
• The purposes of the processing for which the data are intended.
Notice should also include any further information necessary to guarantee fair processing,
such as:
• The recipients or categories of recipients of the data.
• Whether replies to questions are obligatory or voluntary, and possible consequences
for failing to reply.
• The existence of the right of access and the right to rectify data.8

Comments

Notice of potential uses of criminal justice information traditionally has not been viewed
as necessary, in part because the notice will not influence subject behavior and it is
unlikely that the individual will be interested in the contents of a privacy notice at the
time of arrest, conviction, or imprisonment.

4 15 U.S.C. § 1681e(d).
5 15 U.S.C. § 1681k.
6 15 U.S.C. § 1681b(b)(3).
7 Individual Reference Services Group, “Individual Reference Service Industry Principles” (December 15, 1997) Article VII.
Available at http://www.dbtonline.com/irsg-principles.asp. Hereafter, IRSG Principles.
8 Directive 95/46/EC, Articles 10, 11. Hereafter, Directive.


Comparison of criminal history and other privacy measures
Choice
Federal justice information
system regulations

None.

Safe Harbor Privacy
Principles

Organization must:
• Offer the opportunity to choose whether PII they provide is disclosed to third parties
or used (where such use is incompatible with the purpose for which it was originally
collected or subsequently authorized).
• Provide clear, conspicuous, readily available, and affordable mechanisms.
• Require opt-in choice for sensitive types of information.

Online Privacy Alliance
Principles

Individuals must be given the opportunity to exercise choice regarding how PII collected
from them online may be used when such use is unrelated to the purpose for which the
information was collected. At a minimum, individuals should be given the opportunity to
opt out of such use.

Fair Credit Reporting Act

With certain exceptions, consumer consent is required before a consumer report may be
furnished.9
Consumers may elect to be excluded from certain lists relating to offers of insurance or
credit not initiated by the consumer.10
Consumer-reporting agencies may not provide reports containing medical information for
certain purposes without the consent of the consumer.11

Individual Reference
Services Group Principles

Each Service shall, upon request, inform individuals of the choices, if any, available to
limit access or use of information about them in its database, provided, however, that in
the case of nonpublic information distributed to the general public, a Service shall
provide an opportunity for an individual to limit the general public’s access or use of
such information.12

European Union Directive

Individual consent for processing is frequently required; however, certain nonconsensual
processing is also permitted.13
Provides individual with the right to object, in certain circumstances, to certain
processing of data about the individual.14

Comments

Record subjects have never been able to choose to consent or opt-out of the criminal
history record regime. Participants in the criminal justice process are not voluntary
participants; given the potential for adverse consequences resulting from disclosure, it is
assumed that all record subjects would opt-out.

9 15 U.S.C. § 1681b(b)(2), (c)(1).
10 15 U.S.C. § 1681b(e).
11 15 U.S.C. § 1681b(g).
12 IRSG Principles, Article VIII.
13 See, for example, Directive, Articles 7, 9, and 13.
14 Directive, Article 14.


Comparison of criminal history and other privacy measures
Onward transfer
Federal justice information
system regulations

Dissemination of nonconviction data must be limited to:
• Criminal justice agencies for administration of the justice system and justice agency
employment.
• Individuals or agencies as authorized by statute, executive order, ordinance, or court
action.
• Agents and contractors of criminal justice agencies.
• Individuals and agencies for the express purpose of research, evaluative, or statistical
activities, provided safeguards are in place.15

Safe Harbor Privacy
Principles

• An organization may only disclose PII to a third party for the third party’s own use
consistent with the principles of notice and choice.
• PII may be transferred to a third party acting as the organization’s agent, provided that
the third party has adopted the Safe Harbor Principles, is subject to another “adequate”
privacy regime, or has provided suitable contractual assurances regarding the third
party’s privacy practices.

Online Privacy Alliance
Principles

• In most circumstances, where there is third-party distribution of PII, collected online
from the individual, unrelated to the purpose for which it was collected, the individual
should be given the opportunity to opt-out.
• Consent for such use or third-party distribution may also be obtained through
technological tools or opt-in.
Organizations should ensure that third parties to which they transfer PII are aware of
these security practices, and take reasonable precautions to protect any transferred PII.

Fair Credit Reporting Act

Consumer reports may be used only for permissible purposes.
Information may be provided to consumer-reporting agencies without individual consent.
Consent is required for most disclosures of consumer report information.

Individual Reference
Services Group Principles

See Choice section.

European Union Directive

Individual consent for processing is frequently required; however, certain nonconsensual
processing is also permitted.16
Restricts onward transfers to countries without “adequate” privacy protections.17
Contractors “must provide sufficient guarantees,” by contract, which obligate the
contractor to the required security measures.18

Comments

Under the DOJ regulations, conviction information may be disseminated without
restriction while nonconviction information is unavailable unless specifically authorized
by State law, regulation, or policy.
The DOJ regulations are detailed and relatively privacy-protective of the criminal history
information covered.

15 28 C.F.R. § 20.21(b).
16 See, for example, Directive, Articles 7, 9, and 13.
17 Directive, Articles 25, 26.
18 Directive, Article 17(2) and (3).


Comparison of criminal history and other privacy measures
Security
Federal justice information
system regulations

Wherever criminal history record information is collected, stored, or disseminated, each
State shall ensure that technical, physical, or administrative actions are taken to ensure
the security of the information.19

Safe Harbor Privacy
Principles

Organizations creating, maintaining, using, or disseminating records of PII must
take reasonable precautions to protect it from loss, misuse, unauthorized access, or
disclosure, alteration, and destruction.

Online Privacy Alliance
Principles

Organizations creating, maintaining, using, or disseminating PII should take:
• Appropriate measures to ensure its reliability.
• Reasonable precautions to protect it from loss, misuse, or alteration.

Fair Credit Reporting Act

Consumer-reporting agencies are required to “maintain reasonable procedures” to avoid
violations of key provisions of the Act.20

Individual Reference
Services Group Principles

Services shall maintain facilities and systems to protect information from unauthorized
access and persons who may exceed their authorization. In addition to physical and
electronic security, Services shall reasonably implement employee and contractor
supervision and system reviews at appropriate intervals.21

European Union Directive

Requires “appropriate technical and organizational measures to protect personal data
against accidental or unlawful destruction or accidental loss, alteration, unauthorized
disclosure or access, in particular where the processing involves transmission of data over
a network, and against all other unlawful forms of processing.”22

Comments

The DOJ regulations compare favorably with those found in other privacy measures. The
DOJ regulations require a wide range of security measures to guard against unauthorized
access or disclosure, as well as natural disasters.

19 28 C.F.R. § 20.21(f).
20 15 U.S.C. § 1681e(a).
21 IRSG Principles, Article VI.
22 Directive, Article 17(1).


Comparison of criminal history and other privacy measures
Data integrity
Federal justice information
system regulations

Complete records should be maintained at a central State repository. To be “complete”
means that the State repository must record a disposition within 90 days of the date of
disposition.
To be “accurate” means that no record containing criminal history record information
shall contain erroneous information. Criminal justice agencies shall institute processes
that will minimize the possibility of recording and storing information of an inaccurate
nature.23

Safe Harbor Privacy
Principles

Consistent with the other principles, PII must be relevant to the purposes for which it is to
be used. An organization may not process personal information in a way that is
incompatible with the purposes for which it has been collected or subsequently
authorized by the individual. To the extent necessary for those purposes, an organization
should take reasonable steps to ensure that data are accurate, complete, and current.

Online Privacy Alliance
Principles

Organizations creating, maintaining, using, or disseminating PII should take reasonable
steps to ensure that the data are accurate, complete, and timely for the purposes for which
they are to be used.

Fair Credit Reporting Act

Consumer-reporting agencies may disclose a consumer report only for specified
permissible purposes.24
The Act prohibits certain information from inclusion in most consumer reports.25

Individual Reference
Services Group Principles

Reasonable steps shall be taken to help ensure the accuracy of the information in
Services.
When contacted about alleged inaccuracies, Services shall either correct any inaccuracy
or direct the individual to the source of the information.26

European Union Directive

PII must be “collected for specified, explicit, and legitimate purposes and not further
processed in a way incompatible with those purposes. Further processing of data for
historical, statistical, or scientific purposes shall not be considered as incompatible,
provided that Member States provide appropriate safeguards.”27

Comments

The DOJ regulations are at least comparable to the other measures examined here. In
some cases, such as the OPA and IRSG Principles, the DOJ standards may actually be
more stringent because they appear to require more than “reasonable” efforts.

23 28 C.F.R. § 20.21(a).
24 15 U.S.C. § 1681(b).
25 15 U.S.C. § 1681(c).
26 IRSG Principles, Article III.
27 Directive, Article 6(1)(b).


Comparison of criminal history and other privacy measures
Access
Federal justice information
system regulations

Requires that States grant access to record subjects upon satisfactory verification of
identity.
Record subjects are permitted to obtain copies of records (excluding intelligence,
investigative, and related files) when necessary for challenge or correction.
States are required to establish administrative review and appeal procedures for record
subjects who challenge the accuracy of information.28

Safe Harbor Privacy
Principles

Individuals must have access to PII about them that an organization holds and be able to
correct, amend, or delete that information where it is inaccurate, except where the burden
or expense of providing access would be disproportionate to the risks to the individual’s
privacy in the case in question, or where the rights of persons other than the individual
would be violated.

Online Privacy Alliance
Principles

Organizations should establish appropriate processes or mechanisms so that inaccuracies
in material PII, such as account or contact information, may be corrected.
These procedures and mechanisms should be simple and easy to use, and provide
assurance that inaccuracies have been corrected.
Other procedures to ensure data quality may include use of reliable sources and collection
methods; reasonable and appropriate consumer access and correction; and protections
against accidental or unauthorized alteration.

Fair Credit Reporting Act

Consumer-reporting agencies are required to disclose, upon the consumer’s request,
specified information that the credit-reporting agency possesses about the consumer, as
well as a summary of the individual’s rights under FCRA and contact information.
(Summary of rights must be substantially similar to FTC model.)29
Consumer has the ability to dispute information believed to be inaccurate and to request
reinvestigation of such information.30

Individual Reference
Services Group Principles

Upon request and reasonable terms, Services shall:
• Inform individuals about the nature of public record and publicly available
information it makes available in its products.
• Provide individuals with nonpublic information contained in products or services that
specifically identify the individual.
• Direct individuals to a consumer-reporting agency when such agency is the source of
the PII.31

28 28 C.F.R. § 20.21(g).
29 15 U.S.C. § 1681g.
30 15 U.S.C. § 1681I.
31 IRSG Principles, Article IX.


Access (cont.)
European Union Directive

Requires, with certain exceptions, that inquiries be acted upon “without constraint at
reasonable intervals and without excessive delay or expense.”32
Requires Member States to guarantee a data subject’s right to determine if personal data
are being processed and what data are being processed.33
“Member States may, in the interest of the data subject or so as to protect the rights and
freedoms of others, restrict rights of access and information.”34
Requires that data subjects be given the rights of “rectification, erasure, or blocking,” as
appropriate.35

Comments

The DOJ standards are largely comparable concerning individual rights of access and
correction.
The DOJ regulations are more favorable than some of the other measures in that they
guarantee administrative procedures and appeals in the event of disagreements between
the record subject and agency over record correction requests.
The DOJ regulations are less protective insofar as they only guarantee record subjects the
right to obtain copies of their records if necessary for purposes of challenge or correction.

32 Directive, Article 12(a).
33 Ibid.
34 Recital 42.
35 Directive, Article 12(b).


Comparison of criminal history and other privacy measures
Enforcement
Federal justice information
system regulations

Any agency or individual in violation may be fined up to $10,000. In addition, agencies
may be subject to loss of Federal funding.36
States must establish administrative and appeals processes for record subject challenges
to record accuracy.37

Safe Harbor Privacy
Principles

At a minimum, mechanisms must include:
• Readily available and affordable independent recourse by which an individual’s
complaints and disputes can be investigated and resolved and damages awarded where
provided by applicable law or private initiative.
• Procedures for verifying that the attestations and assertions businesses make about
their privacy practices are true and that practices are implemented as presented.
• Obligations to remedy problems arising out of noncompliance by companies adopting
the principles.
• Sufficiently rigorous sanctions to ensure compliance.

Online Privacy Alliance
Principles

Whether administered by a third-party seal program, licensing program, or membership
association, the effective enforcement of self-regulation requires:
• Verification and monitoring.
• Complaint resolution.
• Education and outreach.
OPA believes the best way to create public trust is for organizations to alert consumers
and other individuals to the organization’s practices and procedures through participation
in a program that has an easy-to-recognize symbol or seal.

Fair Credit Reporting Act

Authorizes private right of action by consumers.38
Administrative enforcement by the FTC is authorized and the FTC may initiate civil
court actions. States and other Federal agencies may bring actions in specified
circumstances.39

Individual Reference
Services Group Principles

Periodic compliance audits by outside auditors are required. A summary of results must
be made publicly available.40

European Union Directive

Member States are required to provide judicial remedies for a data subject whose rights
are provided under national law.41
Data subjects are to be entitled to “compensation from the controller for the damage suffered.”42

Comments

The DOJ regulations authorize fines against both agencies and individuals for violations
of the regulations. In addition, agencies run the risk of losing Federal funding if they fail
to comply with the regulations.

36 28 C.F.R. § 20.25.
37 28 C.F.R. § 20.21(g).
38 15 U.S.C. § 1681n.
39 15 U.S.C. § 1681s.
40 IRSG Principles, Article XI.
41 Directive, Article 22.
42 Directive, Article 21(1).
