240 Ind. Admin. Code 5-2-10

Current through December 4, 2024
Section 240 IAC 5-2-10 - Security; confidentiality

Authority: IC 10-11-2-10; IC 10-13-2-9; IC 10-13-2-10

Affected: IC 10-13-2

Sec. 10.

(a) "System", as used in the security and confidentiality rules, means IDACS, NLETS, and/or NCIC terminals, equipment, and any and all data accessible from or stored therein.
(b) Access, meaning the ability to obtain information from the system, shall be permitted only to criminal justice agencies in the discharge of their official mandated responsibilities, and those agencies as required by state and/or federal enabling authority. Release of Indiana bureau of motor vehicles data to noncriminal justice agencies may occur when it is determined to be in the best interest of law enforcement/criminal justice to do so. Agencies that shall be permitted access to SYSTEM data include the following:
(1) Police forces and departments at all governmental levels (including private college and railroad police departments as authorized by Indiana Code) that are responsible for enforcement of general criminal laws.
(2) Prosecutive agencies and departments at all governmental levels.
(3) Courts at all governmental levels with a criminal or equivalent jurisdiction.
(4) Correction departments at all governmental levels, including corrective institutions and probation departments.
(5) Parole commissions and agencies at all governmental levels.
(6) Agencies at all governmental levels which have as a principal function the collection and provision of fingerprint identification information.
(7) Regional or local governmental organizations established pursuant to statute which collect and process criminal justice information and whose policy and governing boards have, as a minimum, a majority composition of members representing criminal justice agencies.
(c) Approved noncriminal justice agencies may have access to SYSTEM data on a limited basis. "Limited basis" means restricted to only that data recommended through resolution by the IDACS committee and approved by the state police superintendent.
(d) All computers, electronic switches, and manual terminals (including mobile data terminals/printers) interfaced with the SYSTEM computer for the exchange of SYSTEM data shall be under the management control of criminal justice agencies. Similarly, satellite computers and manual terminals accessing the SYSTEM shall be under the management control of a criminal justice agency.
(e) "Management control" means the authority to set and enforce:
(1) priorities;
(2) standards for the selection, supervision, and termination of personnel; and
(3) policy governing the operations of computers, circuits, and telecommunications terminals used to process SYSTEM information insofar as the equipment is used to process, store, or transmit SYSTEM information. Management control includes, but is not limited to, the supervision of equipment, systems design, programming, and operating procedures necessary for the development and implementation of the computerized SYSTEM. Management control shall remain fully independent of noncriminal justice data systems, and criminal justice systems shall receive priority service and be primarily dedicated to the service of the criminal justice community.
(f) In those instances where criminal justice agencies are utilizing equipment and personnel of a noncriminal justice agency for SYSTEM purposes, they shall have complete management control of the hardware and the people who use and operate the system.
(g) The criminal justice agency shall exercise management control with regard to the operation of the equipment by:
(1) having a written agreement with the noncriminal justice agency operating the data center providing the criminal justice agency authority to select and supervise personnel;
(2) having the authority to set and enforce policy concerning computer operations; and
(3) having budgetary control with regard to personnel and equipment in the criminal justice agency.
(h) Procedures for the use of system-derived criminal history data shall be as follows:
(1) Criminal history data on an individual from the national computerized file shall be made available outside the federal government to criminal justice agencies for criminal justice purposes. This precludes the dissemination of such data for use in connection with licensing (except when a federal, state, or local law/ordinance exists making the criminal justice agency responsible for the processing or issuing of the licenses/permits) applications, or local or state employment, other than with a criminal justice agency, or for other uses unless such dissemination is pursuant to state and federal statutes or state and federal executive order. There are no exceptions.
(2) Researchers using the data shall acknowledge a fundamental commitment to respect individual privacy interests by removing the identification of subjects as fully as possible from the data. Proposed programs shall be reviewed by the IDACS committee to assure their propriety and to determine that proper security is being provided. All noncriminal justice agency requests involving the identities of individuals in conjunction with their national criminal history records shall be approved by the NCIC advisory policy board through the IDACS committee. The NCIC or the IDACS committee shall retain rights to monitor any research project approved and to terminate same if violation of the above principles is detected. Research data shall be provided off line only.
(3) Upon verification that any agency has received criminal history information and has disclosed that information to an unauthorized source, immediate action shall be taken by the IDACS committee. Unauthorized use of criminal history information shall result in imposed sanctions as authorized by this article.
(4) Agencies are instructed that their rights to direct access to NCIC information encompass only requests reasonably connected with their criminal justice responsibilities.
(5) The IDACS committee shall make checks as necessary concerning inquiries made of the SYSTEM to detect possible misuse.
(i) The person's right to see and challenge the contents of his records shall form an integral part of the SYSTEM with reasonable administrative procedures. If an individual has a criminal record supported by fingerprints and that record has been entered in the NCIC III file, or the state central repository, it shall be available to that individual for review, upon presentation of appropriate identification, and in accordance with applicable state and federal administrative and statutory regulations. Such requests shall be made by the person contacting the FBI or state central repository directly, and not through the SYSTEM.
(j) The following security measures are the minimum to be adopted by all agencies having access to the SYSTEM data and are designed to prevent unauthorized access to the SYSTEM data and/or unauthorized use of that data:
(1) Security measures for computer centers as follows:
(A) All computer sites accessing SYSTEM data shall have the security to protect against any unauthorized access to any of the stored data and/or the computer equipment including the following:
(i) All doors having access to the central processing unit (CPU) room shall be locked at all times.
(ii) A visitor's log shall be maintained of all persons entering the CPU area except those assigned to the area on a permanent basis. The visitor's name, date, time in, time out, agency represented, and reason for visit.
(B) Since personnel at these computer centers have access to data stored in the SYSTEM, they shall be screened thoroughly under the authority and supervision of the IDACS committee or their designated representative. This screening shall also apply to noncriminal justice maintenance or technical personnel. The screening process shall consist of a character investigation, including fingerprints, for the purpose of establishing suitability for the position. Investigations shall consist of the gathering of information as to the applicant's honesty, integrity, and general reputation. Personal characteristics or habits, such as lack of judgment, lack of physical or mental vigor, inability to cooperate with others, intemperance, or other characteristics which would tend to cause the applicant to be unsuitable for this type of position, shall be considered sufficient grounds for rejection. Also, convincing information in an applicant's past history involving moral turpitude, disrespect for law, or unethical dealings shall be considered sufficient grounds for rejection. If any of the above facts are presented to the IDACS committee, a recommendation shall be made and presented to the state police superintendent for a final approval or disapproval decision.
(C) All visitors to these computer centers shall be accompanied by a permanent full-time employee of the data center.
(D) Computers having access to the SYSTEM shall have the proper computer instructions written and other built-in controls to prevent SYSTEM data from being accessible to any terminals other than authorized terminals. These instructions and controls shall be made available to the IDACS committee for inspection upon request.
(E) Computers and/or terminals (including mobile data terminals) having access to SYSTEM data shall maintain an audit of all transactions. This audit trail shall be maintained either manually by each agency or automated by the computer center. This transaction audit shall be monitored and reviewed on a regular basis to detect any possible misuse of SYSTEM data. This audit shall be made available to IDACS for inspection upon request.
(2) Security measures for communications as follows:
(A) Lines/channels being used to transmit SYSTEM information shall be dedicated solely to SYSTEM use, i.e., there shall be no terminals belonging to agencies outside the criminal justice system sharing these lines/channels except by prior IDACS committee approval.
(B) Security of the lines/channels shall be established to protect against clandestine devices being utilized to intercept or inject SYSTEM traffic.
(C) Audio response terminals, radio devices, and mobile data terminals, whether digital (teleprinters) or voice, shall not be used for the transmission of criminal history data beyond that information necessary to effect an immediate identification or to ensure adequate safety for officers and the general public. Transmission shall be made to police officers upon his or her request.
(3) Security measures for terminal devices having access to the SYSTEM as follows:
(A) All agencies and computer centers having terminals on the SYSTEM and/or having access to SYSTEM data shall physically place these terminals in a secure location previously approved by the IDACS committee within the authorized agency. Subsequent physical location changes of terminals shall have prior approval of the IDACS committee.
(B) The agencies having terminals with access to SYSTEM data shall have terminal operators screened as in subdivision (1)(B) and restrict access to the terminal to a minimum number of authorized employees.
(C) Copies of SYSTEM data obtained from terminal devices shall be afforded security to prevent any unauthorized access to or use of that data. Copies of SYSTEM data which are no longer relevant shall be destroyed.
(D) Mobile teleprinters having access to SYSTEM data shall afford security to that data in the same manner as a fixed terminal. Any positive "wanted response" shall be duplicated at the agencies station terminal for proper interpretation and confirmation to occur. SYSTEM data shall not be transmitted to the device when it is unattended.

240 IAC 5-2-10

State Police Department; 240 IAC 5-2-10; filed Nov 5, 1982, 8:25 a.m.: 5 IR 2492; filed Aug 6, 1990, 4:40 p.m.: 13 IR 2102; errata filed Aug 10, 1990, 5:00 p.m.: 13 IR 2137; readopted filed Oct 17, 2001, 10:05 a.m.: 25 IR 935; readopted filed Jul 2, 2007, 3:01 p.m.: 20070711-IR-240070255RFA; readopted filed Dec 2, 2013, 10:29 a.m.: 20140101-IR-240130458RFA