Global Privacy Resources

1. Educate and Raise Awareness 2. Assess Agency Privacy Risks 3. Develop the Privacy Policy 4. Perform a Policy Evaluation 5. Implement and Train


Global Privacy Program Cycle
To support justice agencies in their efforts to implement privacy, civil rights, and civil liberties policies and protections for the information they collect, store, maintain, access, share, and disseminate, DOJ’s Global has developed this online Global Privacy Resources site as a road map to guide justice entities through the diverse privacy policy development and implementation products available today.  The resources presented here were developed for state, local, and tribal (SLT) entities by DOJ’s Global or Global partners or through DOJ collaborations with other federal agencies, such as the U.S. Department of Homeland Security (DHS).

Global recognizes that SLT justice entities come in all sizes, with a variety of roles and with varying degrees of available resources.  This site was developed to illustrate the flexible suite of products available for every stage of an entity’s Privacy Program Cycle, each designed to meet a range of privacy protection needs. To navigate and view the resources available at a particular stage of the Privacy Program Cycle, simply click on a stage on the graphic shown or, to view all resources for all stages, scroll down the page.

This information is also available in a Global Privacy Resources booklet. To download a copy, select it.ojp.gov/global-privacy-resources.pdf, or you may request printed versions at the following e-mail address: global@iir.com.


Value and Purpose

Justice agencies are encouraged to use the resources described here to ensure that privacy, civil rights, and civil liberties protections are in place for the information in their justice systems.  Such protections will reduce risks to public safety, reduce legal liability of justice entities, and uphold a justice entity’s reputation.  Protecting privacy, civil rights, and civil liberties through the course of everyday justice work inspires trust in the justice system and in the law enforcement entities that collect and use this information.

Stage One Educate and Raise Awareness Graphic
 

The following Stage 1 resources will familiarize agency administrators with the importance of having privacy, civil rights, and civil liberties protections within their agency and includes a high-level overview of the seven steps an agency should follow to develop a privacy policy.

 
 
This executive summary is an awareness resource for justice executives, as well as an informational tool to use for training. The easy-to-read flyer is designed to engender awareness about the topic, make the case for privacy policy development, and underscore the importance of promoting privacy protections within justice agencies. Included is information on basic privacy concepts; the intersection between privacy, security, and information quality; privacy risks; and steps to establish privacy protections through a privacy program cycle. This paper applies settled privacy principles to justice information sharing systems and makes recommendations on best practices.

 

Designed for both justice executives and agency personnel, this document raises awareness and educates readers on the seven basic steps involved in the preparation for development of a privacy, civil rights, and civil liberties policy (as recommended in DOJ’s Privacy, Civil Rights, and Civil Liberties Policy Development Guide for State, Local, and Tribal Justice Entities). Each step describes the practical tasks associated with preparing for, drafting, and implementing a privacy policy. Also featured is an overview of the core concepts (or chapters) that an agency should address in the written provisions of a privacy policy (as recommended in DOJ’s Privacy, Civil Rights, and Civil Liberties Policy Development Template for State, Local, and Tribal Justice Entities).   

Establishing a Privacy Officer Function Within a Justice or Public Safety Entity:  Recommended Responsibilities and Training

A privacy policy is a written, published statement that articulates the policy position of an organization on how it handles the personally identifiable information and other personal, sensitive information it seeks or receives and uses in the normal course of business.  A privacy policy protects the agency, the individual, and the public; and contributes to public trust and confidence that the justice system understands its role and promotes the rule of law.  While a privacy policy is a positive and proactive step toward mitigating privacy risks and preventing violations, the policy alone is not a guarantee.  To adequately ensure that personnel and PII the justice agency collects are managed in compliance with the agency’s privacy policy, responsibility needs to be assigned for the oversight and execution of these tasks.  This role is traditionally performed by a privacy officer—a person (or persons) whose job responsibility is to manage and monitor compliance with privacy laws and the agency's privacy policy, respond to public access and corrections requests or complaints, ensure that agency personnel receive appropriate training, and enforce adherence to the provisions of the policy.

Establishing a Privacy Officer Function Within a Justice or Public Safety Entity:  Recommended Responsibilities and Training introduces useful guidance for justice and public safety agencies wanting to create a privacy officer function within their entities.  It provides informative answers to common questions asked about establishing this privacy-related role and includes a discussion on whether the agency needs a full- or part-time role, or if the agency might benefit from a shared/team approach or designation within a parent agency.  Real-world examples are included to demonstrate the justice community’s trend toward adopting this critical function, further emphasizing the field’s growing commitment to protecting privacy.  Also available are suggested privacy officer qualifications, as well as a comprehensive list of generally-accepted responsibilities for the position.  Finally, a resource section features a variety of general, educational/awareness, privacy impact assessment, and privacy policy development products, as well as tools for policy, analytic product, information quality, and privacy compliance evaluations.  In addition, a training section highlights a variety of privacy training resources, including online videos. 

Having guidance on how to establish a privacy officer role within a justice or public safety agency, regardless of the type or size of agency, is extremely valuable both to those agencies that already have privacy officers, as well as to those in the process of developing their privacy policies or instituting privacy protections within their agencies.


Stage 2 Assess Agency Privacy Risks Graphic
 

The following Stage 2 resource will help agencies understand privacy risks, which are critical to the development of a privacy policy that establishes how an agency collects, maintains, and shares agency justice information.

 
Practitioners are provided a framework with which to examine the privacy implications of their information systems and information sharing collaborations so they can design and implement privacy policies to address vulnerabilities identified through the assessment process. Privacy policies emerge as a result of the analysis performed during the Privacy Impact Assessment (PIA) process. In addition to an overview of the PIA process, this guide contains a template that leads policy developers through a series of appropriate PIA questions that evaluate the process through which personally identifiable information is collected, stored, protected, shared, and managed. The PIA questions are designed to reflect the same policy concepts as those recommended in the Privacy, Civil Rights, and Civil Liberties Policy Development Guide for State, Local, and Tribal Justice Entities, featured in Stage 3, further supporting privacy policy development.

Stage 3 Develop the Privacy Policy Graphic

After a Privacy Impact Assessment is completed in Stage 2, next is the development of policies to address privacy, civil rights, and civil liberties vulnerabilities. The following Stage 3 resources provide guidance, templates, and sample polices for assisting agencies in drafting a comprehensive privacy policy.

Privacy, Civil Rights, and Civil Liberties Policy Development Guide for State, Local, and Tribal Justice Entities
(Privacy Guide)
 
This guide is a practical, hands-on tool for SLT justice practitioners charged with drafting the privacy policy, providing sensible guidance for articulating privacy obligations in a manner that protects the justice agency, the individual, and the public. This guide provides a well-rounded approach to the planning, education, development, and implementation of agency privacy protections. Also included are drafting tools, such as a policy template (described below), a glossary, legal citations, and sample policies.
 
(SLT Policy Development Template)
 
The Privacy, Civil Rights, and Civil Liberties Policy Development Template for State, Local, and Tribal Justice Entities (SLT Policy Development Template) was developed to assist SLT agencies in drafting a privacy policy. The provisions suggested are intended to be incorporated into the agency’s general operational policies and day-to-day operations. Each section represents a fundamental component of a comprehensive policy that includes baseline provisions on information collection, information quality, collation and analysis, merging, access and disclosure, redress, security, retention and destruction, accountability and enforcement, and training. Sample language is included for each recommended provision.

 
(FC Privacy Template)
 
The FC Privacy Template was developed by DOJ in collaboration with DHS in the joint DHS/DOJ Fusion Process Technical Assistance Program. This template was designed specifically to assist fusion center personnel in developing a privacy policy related to the information, intelligence, and suspicious activity report (SAR) information the center gathers, collects, receives, maintains, archives, accesses, discloses, and disseminates to center personnel, governmental agencies, Information Sharing Environment (ISE) participants, and other participating criminal justice and public safety agencies, as well as to private contractors and the general public. Provisions contained in this template help centers comply with requirements of the DHS Homeland Security Grant Program Guidance, the ISE Privacy Guidelines, and the Nationwide Suspicious Activity Reporting (SAR) Initiative (NSI).

 
This online repository (www.nfcausa.org) of fusion center privacy policies, hosted by the National Fusion Center Association, is a useful policy development resource for those agencies with an intelligence function. Each policy posted on this site has met all of the criteria outlined in the Fusion Center Privacy Policy Development: Privacy, Civil Rights, and Civil Liberties Policy Template (described above) and has been determined by the DHS Privacy Office to be “at least as comprehensive as the Information Sharing Environment (ISE) Privacy Guidelines.” These policies are the result of the joint DHS/DOJ Fusion Process Technical Assistance Program. 

 
In collaboration with the Bureau of Justice Assistance (BJA) and the Office of the Program Manager for the Information Sharing Environment (PM-ISE), this program provides support to assist federal agencies in the ongoing implementation of the Guidelines to Ensure That the Information Privacy and Other Legal Rights of Americans Are Protected in the Development and Use of the Information Sharing Environment (ISE Privacy Guidelines). Privacy technical assistance is provided to federal agencies in the development of privacy policies that comply with the ISE Privacy Guidelines. 

Stage 4 Perform a Policy Evaluation Graphic

The following Stage 4 resource will assist SLT agency practitioners in evaluating whether their draft privacy policy adequately addresses current privacy standards and protection recommendations. 


The checklist is a companion piece to the SLT Policy Development Template, described in Stage 3, and serves both as a self-assessment tool to assist privacy policy authors, project teams, and agency administrators in evaluating whether the provisions contained within their draft policy have met the core concepts recommended in the SLT Policy Development Template and as a useful resource for use during the annual policy review, recommended in Stage 6. The checklist is structured according to policy provision categories. These include key concepts such as: 

  • Policy applicability and legal compliance
  • Governance and oversight
  • Acquiring and receiving information
  • Information quality assurance
  • Sharing and dissemination
  • Redress
  • Security safeguards
  • Information retention and destruction
  • Accountability and enforcement 
Section references are also provided to correlate checklist components with those in the SLT Policy Development Template.

Stage 5 Implement and Train Graphic

The following Stage 5 resources will assist justice entities in implementing privacy policy requirements systematically and provide resources for training personnel and authorized users on the established rules and procedures.
 
 
This document was developed for technical practitioners to provide guidelines for supporting the electronic expression of a privacy policy and how to convert a privacy policy so that it is understandable to computers and software. A technical framework provides approaches and alternatives to resolving technical and interoperability challenges in supporting a privacy policy through automation. It outlines a sequence of steps for implementing a set of electronic privacy policy rules that can be readily implemented using existing information technology architectures, standards, and software tools. An executive summary is also available at it.ojp.gov/documents/Privacy_policy_flyer.pdf. To learn about online training modules that demonstrate how to implement privacy policies technically into information systems, refer to the Privacy Technical Training Web Site referenced below under “Training Resources.”

Privacy, Civil Rights, and Civil Liberties Compliance Verification for the Intelligence Enterprise

This compliance verification document assists intelligence enterprises in complying with all applicable privacy, civil rights, and civil liberties protection laws, regulations, and policies. As a “next step” for agencies that have completed and implemented protections established in the privacy policy, the checklist evaluates agency compliance with the policies and procedures and helps to uncover any gaps that may need to be addressed. The checklist provides a suggested methodology for conducting the review of an agency’s intelligence enterprise and identifies the high-liability areas of concern that should be included when performing the review. This resource is being used for ongoing peer-to-peer assessment at multiple fusion centers, and a best practices document resulting from the peer reviews is forthcoming. 

COMMUNITY OUTREACH RESOURCES
 
Another area of implementation is the liaison of justice entities with members of the communities they serve to inform them of the thoughtful, intentional process used to develop privacy protections and to promote public confidence in the justice entity and in the safety and integrity of the information contained in justice systems.

 
This resource—developed by Robert Wasserman in collaboration with the Office of Community Oriented Policing Services (COPS), DOJ, and DHS—focuses on developing relationships of trust among law enforcement, fusion centers, and the communities they serve, particularly immigrant and minority communities, so that the challenges of crime control and prevention of terrorism can be addressed. Trust, transparency, and the protection of privacy, civil rights, and civil liberties are fundamental to effective crime control, and these principles must serve as the foundation for information and intelligence sharing efforts intended to support crime prevention and terrorism prevention activities. Through a series of facilitated sessions, the Building Communities of Trust (BCOT) effort convened privacy, civil rights, and civil liberties groups; community leaders; and law enforcement officials for an intensive dialogue. The program’s objective is to help communities understand how law enforcement is using information to protect neighborhoods and citizens, while at the same time educating law enforcement on the priorities and needs of residents and how various community members view law enforcement efforts.  The resulting guidance provides advice and recommendations on how to initiate and sustain trusting relationships that support meaningful sharing of information, responsiveness to community concerns and priorities, and the reporting of suspicious activities. Building and maintaining trusting relationships between communities and law enforcement to prevent acts of crime and terrorism is the overarching theme of this document. 

TRAINING RESOURCES
 

Training is essential to the effective implementation of any privacy policy.   In addition to the two awareness primers described in Stage 1, the following Stage 5 resources are available for training purposes.

 

Establishing a Privacy Officer Function Within a Justice or Public Safety Entity:  Recommended Responsibilities and Training

A privacy policy is a written, published statement that articulates the policy position of an organization on how it handles the personally identifiable information and other personal, sensitive information it seeks or receives and uses in the normal course of business.  A privacy policy protects the agency, the individual, and the public; and contributes to public trust and confidence that the justice system understands its role and promotes the rule of law.  While a privacy policy is a positive and proactive step toward mitigating privacy risks and preventing violations, the policy alone is not a guarantee.  To adequately ensure that personnel and PII the justice agency collects are managed in compliance with the agency’s privacy policy, responsibility needs to be assigned for the oversight and execution of these tasks.  This role is traditionally performed by a privacy officer—a person (or persons) whose job responsibility is to manage and monitor compliance with privacy laws and the agency's privacy policy, respond to public access and corrections requests or complaints, ensure that agency personnel receive appropriate training, and enforce adherence to the provisions of the policy.

Establishing a Privacy Officer Function Within a Justice or Public Safety Entity:  Recommended Responsibilities and Training introduces useful guidance for justice and public safety agencies wanting to create a privacy officer function within their entities.  It provides informative answers to common questions asked about establishing this privacy-related role and includes a discussion on whether the agency needs a full- or part-time role, or if the agency might benefit from a shared/team approach or designation within a parent agency.  Real-world examples are included to demonstrate the justice community’s trend toward adopting this critical function, further emphasizing the field’s growing commitment to protecting privacy.  Also available are suggested privacy officer qualifications, as well as a comprehensive list of generally-accepted responsibilities for the position.  Finally, a resource section features a variety of general, educational/awareness, privacy impact assessment, and privacy policy development products, as well as tools for policy, analytic product, information quality, and privacy compliance evaluations.  In addition, a training section highlights a variety of privacy training resources, including online videos. 

Having guidance on how to establish a privacy officer role within a justice or public safety agency, regardless of the type or size of agency, is extremely valuable both to those agencies that already have privacy officers, as well as to those in the process of developing their privacy policies or instituting privacy protections within their agencies.

 

This training Web site offers many resources to information sharing partners in the public domain who seek Global technical solutions for enforcing privacy and access-control policies governing protected data.  Supported by the Bureau of Justice Assistance and developed by the National Center for State Courts, the site features a series of four training modules in which interviews and audio-accompanied slide decks demonstrate the steps, resources, and methods used for the technical implementation of privacy policies in entity information sharing systems.  The modules include an introduction, a privacy policy primer, a technical privacy readiness assessment, and an implementation guide, as well as quizzes and resources for further research and follow-up.


Provides guidance and recommendations to law enforcement agency personnel in understanding their roles and responsibilities in First Amendment-protected events.  This guidance document is divided into three stages: pre-event, operational, and post-event, with each stage identifying the recommended actions of law enforcement.  The resource also provides an overview of how fusion centers can support law enforcement in its public safety mission in regards to these types of events.

Responding to First Amendment-Protected Events—The Role of State and Local Law Enforcement Officers Training Video

This video is designed to assist law enforcement personnel in understanding their roles and responsibilities as they prepare for and respond to a First Amendment-protected event; to protect the privacy, civil rights, and civil liberties of persons and groups participating in a First Amendment-protected event; and to reinforce fundamental concepts learned at law enforcement training academies and in-service programs.  At the end of the video is a short quiz with the option to print a certificate of completion.


 
This short video was developed as a training tool to educate viewers, particularly line officers during roll call, on the privacy and civil liberties issues they may confront in their everyday work. The video also addresses the liabilities associated with the failure to adhere to sound policy and practice.   This short overview reviews and proactively emphasizes the role line officers have in the ongoing protection of citizens’ and community members’ privacy, civil rights, civil liberties, and other associated rights in the course of officers’ daily activities and calls for service.

The Role of State and Local Law Enforcement at First Amendment Events Reference Card 

This resource is designed to serve as a pocket-sized reference card for line officers who are responding to a First Amendment-protected event.  It provides an overview of their roles and responsibilities, as well as an overview of the rights of participants in First Amendment-protected events. 
 
 
This SAR CD was developed through a joint effort of the Bureau of Justice Assistance (BJA), DOJ, and the International Association of Chiefs of Police (IACP) to educate law enforcement line officers not only on what kinds of suspicious behaviors are associated with pre-incident terrorism activities and how to document and report suspicious activity but also on how to ensure the protection of privacy, civil rights, and civil liberties when documenting SAR information. The CD also provides information about the Nationwide Suspicious Activity Reporting (SAR) Initiative (NSI) requirement that NSI sites have privacy policies in place prior to NSI participation. 
 
 
Criminal intelligence plays a vital role in the safety and security of our country. The Code of Federal Regulations, Title 28, Part 23—Criminal Intelligence Systems Operating Policies (or 28 CFR Part 23) was issued in 1980 to ensure the privacy and constitutional rights of individuals during the collection and exchange of criminal intelligence information, and it has since been an important part of the intelligence landscape. 28 CFR Part 23 is a guideline for law enforcement agencies that operate federally funded multijurisdictional criminal intelligence systems. To facilitate greater understanding of 28 CFR Part 23, the Bureau of Justice Assistance, Office of Justice Programs, U.S. Department of Justice, developed the Criminal Intelligence Systems Operating Policies (28 CFR Part 23) online training, which focuses on the requirements of 28 CFR Part 23 and includes topics such as compliance, privacy, inquiry, and dissemination requirements; storage requirements; and review-and-purge requirements. The online training is available at www.ncirc.gov or www.iir.com/Justice_Training/28cfr/default.aspx.

 
This training is designed to present effective information sharing tools, examine the principles of 28 CFR Part 23, and address the importance of privacy, civil rights, and civil liberties in the context of information sharing. Its purpose is to enhance information sharing by clarifying the various rules and regulations to ensure that agencies are more confident as they collect and share information, particularly criminal intelligence information. In addition, technical assistance can be provided through on-site system reviews, policy reviews, and other specialized problem resolution. Training and technical assistance for this project are provided through funding from BJA, DOJ.

 
Through a joint effort among DHS, DOJ, and BJA, this collaborative Web portal, accessible at it.ojp.gov/PrivacyLiberty, provides access to a wide range of resources and training materials available in the Information Sharing Environment that address privacy and civil liberties protections, including many of the Global products described within this overview. Although originally intended for fusion center use, these resources can be easily adapted by law enforcement, criminal justice, public safety, and homeland security communities nationwide.

Stage 6 Conduct an Annual Review Graphic

Applying the guidance described in the Privacy Guide featured in Stage 3, justice entities are encouraged to review and update the provisions protecting privacy, civil rights, and civil liberties contained in the privacy policy at least annually using the annual review section of the Policy Review Checklist referenced in Stage 4. This update will ensure that appropriate changes are made in response to changes in applicable laws, technology, the purpose and use of the information systems, and public expectations. Once the policy is updated, entities should revisit the resources listed in each stage of the Privacy Program Cycle. This will ensure that systems and individuals comply with the most current protections established in the entity privacy policy.