National Crime Prevention and Privacy Compact Council.
Interim final rule; request for comments.
The Compact Council, established pursuant to the National Crime Prevention and Privacy Compact (Compact), is publishing an Interim Final Rule (“interim rule”) to permit the outsourcing of noncriminal justice administrative functions involving access to criminal history record information (CHRI). Procedures established to permit outsourcing are required to conform with the Compact Council's interpretation of Articles IV and V of the Compact.
This rule is effective December 31, 2004. Comments must be received on or before February 14, 2005.
Send all written comments concerning this interim rule to the Compact Council Office, 1000 Custer Hollow Road, Module C3, Clarksburg, WV 26306; Attention: Todd C. Commodore. Comments may also be submitted by fax at (304) 625-5388. To ensure proper handling, please reference “Noncriminal Justice Outsourcing Docket No. 107” on your correspondence. You may view an electronic version of this interim rule at www.regulations.gov. You may also comment via electronic mail at firstname.lastname@example.org or by using the www.regulations.gov comment form for this regulation. When submitting comments electronically you must include NCPPC Docket No. 107 in the subject box.Start Further Info
FOR FURTHER INFORMATION CONTACT:
Ms. Donna M. Uzzell, Compact Council Chairman, Florida Department of Law Enforcement, 2331 Philips Road, Tallahassee, Florida 32308-5333, telephone number (850) 410-7100.End Further Info End Preamble Start Supplemental Information
This interim rule is being adopted without prior notice and prior public comment. However, to the maximum extent possible, the Compact Council provides an opportunity for public comment on regulations issued without prior notice. Accordingly, the Compact Council invites interested persons to participate in this rulemaking by submitting written comments, data, or views. See addresses above for information on where to submit comments.
The Compact Council will consider all comments received on or before the closing date for comments and will consider comments filed late to the extent practicable. The Compact Council may change this rulemaking in light of the comments received.
The National Crime Prevention and Privacy Compact (Compact), 42 U.S.C. 14616, establishes uniform standards and processes for the interstate and Federal-State exchange of criminal history records for noncriminal justice purposes. The Compact was approved by the Congress on October 9, 1998, (Pub. L. 105-251) and became effective on April 28, 1999, when ratified by the second state. Article VI of the Compact provides for a Compact Council that has the authority to promulgate rules and procedures governing the use of the Interstate Identification Index (III) System for noncriminal justice purposes. This interim rule will permit a third party to perform noncriminal justice administrative functions relating to the processing of CHRI maintained in the III System, subject to appropriate controls, when acting as an agent for a governmental agency or other authorized recipient of CHRI.
In recent years, government and other statutorily authorized entities seeking improved efficiency and economy have become increasingly interested in permitting third party support services for noncriminal justice administrative functions. This is due in large part to the escalating demand for fingerprint-based risk assessments for authorized licensing, employment, and national security purposes over the last several years. The escalating numbers of noncriminal justice fingerprint submissions has resulted in increased workloads for local, state, and federal government entities. In addition, under OMB Circular No. A-76, the federal government is encouraged wherever feasible to use private sector services.
The Compact requires the FBI and each Party State to comply with III System rules, procedures, and standards duly established by the Compact Council concerning record dissemination and use, system security, and privacy protection. In that regard, the Compact specifies that any record obtained may be used only for the official purposes for which the record was requested. The Compact Council believes that, under the Compact, private contractors may be used to perform noncriminal justice administrative functions requiring access to CHRI provided there are appropriate controls expressly preserving the sole official purpose of the record request. With appropriate standards and requirements, the benefits of outsourcing may be attained without degradation to the security of the national III System of criminal records. For example, under this interim rule, subject to some exceptions, contracting agencies or organizations will not be permitted to have direct access to the III System by computer terminal or other automated means which would enable them to initiate record requests. Further, the interim rule provides that tasks necessary to perform noncriminal justice administrative functions will be monitored to assure the integrity and security of such records. Under the interim rule, safeguards will be required to ensure that private contractors may not access, modify, use, or disseminate such data in any manner not expressly authorized by a government agency or a statutorily authorized recipient of CHRI. Such procedures will establish conditions on the use of the CHRI and will limit dissemination of the CHRI to ensure that such CHRI is used only for authorized purposes. Such procedures also will provide for accurate and current data distribution and require proper maintenance and handling, including the removal and destruction of obsolete or erroneous information that has been brought to its attention. These conditions are necessary to ensure the confidentiality of such information.
Further, this interim rule permits the outsourcing of noncriminal justice administrative functions authorized under Articles IV and V of the Compact. Article IV provides generally for authorized record disclosure; Article V provides record request procedures as related to noncriminal justice criminal history record checks pursuant to the Compact. This interim rule outlines the basic structured framework for minimum standards to ensure that outsourced contracts satisfy the security and privacy required by the Compact Council when criminal history record Start Printed Page 75244checks of the III are conducted for noncriminal justice purposes. The contracting parties are not at liberty to supercede these minimum standards with lesser standards; however, contracting parties are free to adopt more stringent standards than required by this regulation.
To ensure such minimum standards are followed, the interim rule provides that contracts and agreements providing for the outsourcing authorized by the interim rule “shall incorporate by reference a security and management control outsourcing standard approved by the Compact Council after consultation with the United States Attorney General.” See 28 CFR 906.2(c). Therefore, in conjunction with the interim rule, the Compact Council established Security and Management Control Outsourcing Standards (Outsourcing Standards), published in a notice elsewhere in today's edition of the Federal Register, specifying the standards that must be followed under the interim rule. The Compact Council developed two Outsourcing Standards—one for Contractors having access to CHRI on behalf of an authorized recipient for noncriminal justice purposes and one for Contractors serving as channelers of noncriminal justice criminal history record check requests and results. The first Outsourcing Standard (“Security and Management Control Outsourcing Standard for Contractors Having Access to CHRI on Behalf of an Authorized Recipient for Noncriminal Justice Purposes”) will be used by Contractors authorized to perform noncriminal justice administrative functions requiring access to CHRI without a direct connection to the FBI's Criminal Justice Information Services (CJIS) Wide Area Network (WAN). The second Outsourcing Standard (“Security and Management Control Outsourcing Standard for Channelers Only”) will be used by Contractors authorized access to CHRI through a direct connection to the FBI's CJIS WAN. The Outsourcing Standards were developed by the Compact Council in coordination with the FBI's CJIS Division and relevant subcommittees of the CJIS Advisory Policy Board (APB). The APB is an advisory committee with representatives of state, local, and federal contributors and users of the FBI's National Crime Information Center information systems, including the III. The Compact Council has also invited comments on the Outsourcing Standards, in addition to inviting comments on this interim rule.
Administrative Procedures and Executive Orders
Administrative Procedure Act
This rule is published by the Compact Council as authorized by the National Crime Prevention and Privacy Compact (Compact), an interstate and Federal-State compact which was approved and enacted into law by Congress pursuant to Pub. L. 105-251. The Compact Council is composed of 15 members (with 11 state and local governmental representatives). The Compact specifically provides that the Compact Council shall prescribe rules and procedures for the effective and proper use of the III System for noncriminal justice purposes, and mandates that such rules, procedures, or standards established by the Compact Council be published in the Federal Register. See 42 U.S.C. 14616, Articles II(4), VI(a)(1) and VI(e). This publication complies with those requirements.
Although not subject to the notice and comment requirements of the Administrative Procedure Act, the Compact Council generally provides an opportunity for notice and comment before issuing regulations. This rulemaking, however, is being issued as an interim rule because of imminent plans by the Transportation Security Administration (TSA) to implement a program to conduct criminal history record information (CHRI) checks of certain commercial drivers. Pursuant to section 1012 of the USA PATRIOT Act (Pub. L. 107-56), a state “may not issue to any individual a license to operate a motor vehicle transporting in commerce a hazardous material unless [TSA] * * * has first determined * * * that the individual does not pose a security risk warranting denial of the license.” TSA has informed the Compact Council that it plans to publish new regulations that implement procedures to be used when conducting required security risk assessments for hazmat drivers that will be effective January 31, 2005. Any delays in conducting the required background checks will pose a risk to the public and national security and be contrary to the public interest. According to TSA, it will need to perform as many as 2.7 million background checks as part of its hazmat program. As a result, TSA has informed the Compact Council that it will need to utilize private contractors to handle this large volume of CHRI checks. Therefore, because of the short time available before the TSA hazmat program is implemented, and because the Compact Council will not reconvene until after the TSA's implementation of the program, the Compact Council finds there is good cause to publish this interim rule that will permit TSA and other authorized agencies/entities to outsource noncriminal justice administrative functions pursuant to the provisions of this interim rule. The Compact Council welcomes any relevant comments concerning this interim rule and will consider such comments before issuing the final rule.
Executive Order 12866
The Compact Council is not an executive department or independent regulatory agency as defined in 44 U.S.C. 3502; accordingly, Executive Order 12866 is not applicable.
The Compact Council is not an executive department or independent regulatory agency as defined in 44 U.S.C. 3502; accordingly, Executive Order 13132 is not applicable. Nonetheless, this rule fully complies with the intent that the national government should be deferential to the States when taking action that affects the policymaking discretion of the States.
Unfunded Mandates Reform Act
Approximately 75 percent of the Compact Council members are representatives of state and local governments; accordingly, rules prescribed by the Compact Council are not Federal mandates. No actions are deemed necessary under the provisions of the Unfunded Mandates Reform Act of 1995.
Small Business Regulatory Enforcement Fairness Act of 1996
The Small Business Regulatory Enforcement Fairness Act (Title 5, U.S.C. 801-804) is not applicable to the Compact Council's rule because the Compact Council is not a “Federal agency” as defined by 5 U.S.C. 804(1). Likewise, the reporting requirement of the Congressional Review Act (Subtitle E of the Small Business Regulatory Enforcement Fairness Act) does not apply. See 5 U.S.C. 804.Start List of Subjects
List of Subjects in 28 CFR Part 906End List of Subjects Start Printed Page 75245 Start Amendment Part
Accordingly, chapter IX of title 28 Code of Federal Regulations is amended by adding part 906 to read as follows:End Amendment Part Start Part
PART 906—OUTSOURCING OF NONCRIMINAL JUSTICE ADMINISTRATIVE FUNCTIONSEnd Part
The purpose of this part 906 is to establish rules and procedures for third parties to perform noncriminal justice administrative functions involving access to Interstate Identification Index (III) information. The Compact Council is establishing this rule pursuant to the National Crime Prevention and Privacy Compact (Compact), title 42, U.S.C., chapter 140, subchapter II, section 14616. The scope of this rule is limited to noncriminal justice background checks in so far as they are governed by the provisions of the Compact as set forth in 42 U.S.C. 14614 and 14616.
(a) Except as prohibited in paragraph (b) of this section, criminal history record information obtained from the III System for noncriminal justice purposes may be made available:
(1) To a governmental agency pursuant to a contract or agreement under which the agency performs activities or functions for another governmental agency that is authorized to obtain criminal history record information by a federal statute, federal executive order or a state statute that has been approved by the United States Attorney General; and
(2) To a private contractor, or other nongovernmental entity or organization, pursuant to a contractual agreement under which the entity or organization performs activities or functions for a governmental agency authorized to obtain criminal history record information as identified in paragraph (a)(1) of this section or for a nongovernmental entity authorized to obtain such information by federal statute or executive order.
(b) Criminal history record information provided in response to fingerprint-based III System record requests initiated by authorized governmental agencies or nongovernmental entities for noncriminal justice purposes may be made available to contracting agencies or organizations manually or electronically for such authorized purposes. Such contractors, agencies, or organizations shall not be permitted to have direct access to the III System by computer terminal or other automated means which would enable them to initiate record requests, provided however, the foregoing restriction shall not apply with respect to: (1) Persons, agencies, or organizations that may enter into contracts with the FBI or State criminal history record repositories for the performance of authorized functions requiring direct access to criminal history record information; and (2) any direct access to records covered by 42 U.S.C. 14614(b).
(c) The contracts or agreements authorized by paragraphs (a)(1) and (a)(2) of this section shall specifically describe the purposes for which criminal history record information may be made available to the contractor and shall incorporate by reference a security and management control outsourcing standard approved by the Compact Council after consultation with the United States Attorney General. The security and management control outsourcing standard shall specifically authorize access to criminal history record information; limit the use of the information to the purposes for which it is provided; prohibit retention and/or dissemination of the information except as specifically authorized in the security and management control outsourcing standard; ensure the security and confidentiality of the information; provide for audits and sanctions; provide conditions for termination of the contractual agreement; and contain such other provisions as the Compact Council, after consultation with the United States Attorney General, may require.
(d) The exchange of criminal history record information with an authorized governmental or nongovernmental entity or contractor pursuant to this part is subject to cancellation for use, retention or dissemination of the information in violation of federal statute, regulation or executive order, or rule, procedure or standard established by the Compact Council in consultation with the United States Attorney General.
Dated: November 29, 2004.
Donna M. Uzzell,
Compact Council Chairman.
[FR Doc. 04-27488 Filed 12-15-04; 8:45 am]
BILLING CODE 4410-02-P