By Michael Ramage, General Counsel, Florida Department of Law Enforcement (FDLE); and Privacy Officer, FDLE Fusion Center
Out of personal curiosity, an agency analyst repeatedly accesses databases she uses daily for official purposes to glean personal information about coworkers and others. Even though the analyst does not sell or use the information to commit a crime such as identity theft, the agency expends significant time and effort notifying those whose personal information has been inappropriately accessed. The analyst is disciplined, and the agency implements new steps to train and monitor individuals who are granted access to databases.
In another agency, a sworn officer uses official databases to help locate people for a friend who runs a repossession business. The officer is fired and is charged with a felony.
Both situations are based on recent events and demonstrate what can happen when agency personnel exceed their authorization in use of agency-provided databases. Databases abound that contain confidential, restricted, or personal information that relates to identifiable persons, in the form of personally identifiable information (PII). Managing those who have access to PII is crucial to the agency retaining public confidence in its ability to manage sensitive information. The use of fair information practices (FIPs) can assist agencies in reviewing their current information security practices and help promote responsible agency information management. What follows is a brief description of FIPs.
Specify the Agency’s Purpose
First, an FIP requires that an agency identify the purposes for which information is collected and guard against pressure to use information for new purposes for which authorization or permission has not been granted. The individual who develops the FIP must have an understanding of why the information is being collected and then apply that understanding to defining the limits on the current and future collection and use of the information. This designation helps prevent purpose creep, through which agency personnel develop new uses for information that are outside the authority for using the information that was originally granted. Original permissions granted by voluntary submission of information or authority provided by statutes or agreements may limit use of information only for certain purposes. Is a particular agency’s collection of information specifically authorized? What are the source and parameters of that authorization? Does the agency use this information consistently with any original grants of authority? Agencies and staff must know and remain within stated purposes for collecting information.
Collect Only Relevant and Necessary Information
Just because an agency can obtain information does not mean the agency has a justifiable need or reason to obtain or retain it. Make sure that which is collected is relevant to and within granted agency authority. Law enforcement has a voracious appetite for information, and this principle guided by relevancy and necessity helps keep that appetite under control. Ongoing review of agency collection practices helps ensure that purpose creep is not occurring, and, as a result, more focused and more valuable information will be collected.
Ensure Information Is Accurate, Relevant, Timely, and Complete
This FIP requires agencies to implement safeguards to ensure information is accurate, complete, and current and to provide methods of correcting information discovered to be deficient or erroneous. Inaccurate information is dangerous and can lead to agency liability. Agencies are wise not to take significant action on information contributed by others until they have verified with the contributor that the information remains accurate, timely, and complete. Agencies must take ownership of the information they contribute to databases. Individuals must promptly update and correct agency contributions to databases when errors or changes are noted. Agency employees must appreciate the importance of keeping information current and accurate and must know how to promptly effect corrections when needed. If it appears another agency may have used or relied upon another’s contributed information before it was corrected, notice of the changes should be made directly to that agency.
Provide Public Notice of Information Practices
People have a right to know what types of information about them are being collected and maintained, in a manner that does not compromise the agency’s mission. Transparency and candid responses to inquiries can often help to defuse potential concerns and future grievances.
Provide a Way to Review and Correct Errors
Not all information a law enforcement agency collects can be revealed to affected individuals, and this FIP does not call for agencies to compromise their missions or efforts. However, to the extent consistent with a law enforcement agency’s mission, people who assert they have been adversely impacted by agency information should have the chance to review the information for accuracy and be provided a mechanism for requesting any necessary corrections.
Use for Specified Purposes
Agencies must limit the use and disclosure of information to the uses and intentions stated in their purpose specifications and ensure employees understand those limits. They cannot hold employees accountable for what they do not know or understand and therefore must carefully choose language to describe the standards. For example, allowing access to a database “for official purposes” is broader than access “for criminal justice purposes.” Access “for criminal justice purposes” is broader than access “only in conjunction with a criminal investigation.” Agencies must know their standards and state them clearly; use meetings and training sessions to articulate standards and define expected behavior; and then hold employees and their supervisors accountable for operating within the stated standards, thus reinforcing a culture of respect for staying within specified restrictions.
Protect with Appropriate Safeguards
This FIP requires that agencies assess the risk of loss or unauthorized access to information in their systems and ensure that ongoing use conforms to information-use limitations. Training is essential in implementing these safeguards, as is the investment in appropriate information security protections and technical support staff.
Inappropriate access to information carries risks and ramifications. Some states have statutes that mandate notification of affected persons when there has been a material breach of PII. Commercial information providers may require notification to them in the contracts agencies have with them. If notification has to be made, the time and effort spent in notifying persons can impose a heavy burden on an agency’s resources. Individuals who are notified may be rightfully upset and demand to know what the agency has done to address the problem. The media will inevitably be interested in any story suggesting there has been an unauthorized access of agency files. Unauthorized access constitutes at a minimum an embarrassment to the agency and could very well result in significant political, citizen, press, or other criticism for lax information safeguards.
As in the case of the analyst and the officer mentioned at the beginning of this article, the problem often exists in using information beyond the legitimate authority granted. Beyond the internal agency concerns such access causes, willful and knowing access beyond granted authority is a crime under many state and federal statutes. Employees should understand that they face agency discipline and even potential criminal liability for unauthorized access or use of information.
Hold Accountable and Be Proactive
Agencies should have a formal means of oversight to ensure that privacy and information quality policies are being honored by agency personnel. Who has access to which databases in a particular agency? Do those persons have a legitimate need for such access? Is the agency’s listing of access authority current? Are grants of access promptly revoked when employees move to new duties or when they resign, retire, or are fired? Do supervisors regularly discuss restrictions with their employees? Are standards communicated regularly? Do employees with database access know what will happen if they violate the rules? Do agency executives provide an environment for coworkers to raise concerns about other workers inappropriately accessing information? Does the agency perform random auditing to ensure information restrictions are being honored? Has leadership checked to see where access is occurring to ensure passwords have not been shared inappropriately with others? Are employees accessing databases during off-duty times and, if so, why? When a violation is documented, does the agency consistently treat it as a serious disciplinary matter? Are procedures revised when deficiencies become known?
FIPs are essential tools for agencies intending to refine their information practices and avoid employee misuse of information. Good information management should include enforcing limits; defining uses; maintaining current and accurate information; ensuring security of the information; allowing review by adversely affected persons; and continued training, auditing, and proactive intervention to hold employees accountable. In today’s world of increasing opportunities to collect PII and other sensitive information, agency self-management of information practices is essential to maintaining public trust in law enforcement’s ability to use and maintain such information.
Please cite as:
Michael Ramage, "Principles to Promote Effective Agency Practices in Database and Information Management," Chief's Counsel, The Police Chief 77 (September 2010): 12–13, http://www.nxtbook.com/nxtbooks/naylor/CPIM0910/index.php#/12 (insert access date).