Balancing Security & Privacy Concerns in Juvenile Justice: Confidentiality vs. Need to Know 2007 Symposium on Juvenile Information Sharing August 14, 2007 Susan Laniewski


Balancing Security & Privacy Concerns in Juvenile Justice: Confidentiality vs. Need to Know

2007 Symposium on Juvenile Information Sharing

August 14, 2007

Susan Laniewski


The Balancing Act

• Justice Integration requires that data security is added as a factor to privacy and confidentiality concerns when planning a JJIS

• Initial JJIS efforts have produced Policies and Procedures that work – and some that do not work

• How can Data Security Tools help us protect JJIS Privacy?


“Information Technology pervades all aspects of our daily lives, of our national lives. Its presence is felt almost every moment of every day, by every American. It pervades everything from a shipment of goods, to communications, to emergency services, and the delivery of water and electricity to our homes.

All of these aspects of our life depend on a complex network of critical infrastructure information systems. Protecting this infrastructure is critically important. Disrupt it, destroy it or shut it down these information networks, and you shut down America as we know it and as we live it and as we experience it every day.

We need to prevent disruptions; and when they occur, we need to make sure they are infrequent, short and manageable. This is an enormously difficult challenge. It is a technical challenge, because we must always remain one step ahead of the hackers.”

Tom Ridge, Director of Homeland Security (October 21, 2001)


Why Examine Privacy/Security in JJIS?

• Cost-effectiveness
• Transparency
• Public Trust

Bottom Line: The success of your information collection program can hinge on your handling of privacy protection, i.e., data security policies and practices.


The Balancing Act with Juvenile XML

• The goal is to think about privacy of information needs BEFORE AND DURING the development of information technology systems or changes to an existing system (XML)… not AFTER INSTALLATION!

– The system must collect information in identifiable form about individuals

– The system must understand rights and confidentiality of Juveniles when this data is shared

– The system must offer protections to ensure security once in operation


Keys to Balancing Privacy & Security

• What information is collected?
  – Describe in detail the type of data being collected
  – Identify who collects the data and the source
  – Validate the source of the data as well as refresh rate and audit process
• Why is the information being collected?
  – Provide the authorities (statutory or otherwise) authorizing collection
  – Review the currency of the authority
• What is the intended use of the information?
  – Clearly define how the information collected will be used by various agencies (investigation, reporting, prediction)
  – Justify residency of the data in the JJIS based upon type and use (statistical, anecdotal, case files)


Keys to Balancing Privacy & Security (continued...)

• Who will have access to the system?
  – Describe all the public and private sector, including public access to the JJIS
  – What other systems are operating on the same infrastructure or network?
  – Intranet vs. Internet Accessible?
• How is the information regulated?
  – Do individuals have the opportunity to decline to provide information or to consent to particular uses of their information?
  – Describe the mechanisms, if any, used to provide notice to individuals of the inclusion or availability of their data
  – Is the originating data source updated by JJIS?
  – What is the role of FOIA?
  – Are penalties and sanctions in existence and enforceable?


Keys to Balancing Privacy & Security (continued...)

• How will the information be secured?
  – What Audit Trails and Back Up processes will be put in place?
  – Where is the original record/transaction stored? (Physical security and paper records access)
  – How often are audit logs reviewed?
  – What virus, hacker proof, technical firewalls are in place?
• Does the JJIS integrate the data and create a “Repository/Data Warehouse or Data Mart of Information”?
  – What are the Transaction Based vs. Repository Based procedures?

• Costs and Time Requirements


Privacy Rules by State

Multiple guidelines exist at state and agency level to control and regulate data access and data security.

Interagency memoranda and policies on data sharing do not always result in complementary confidentiality in the technical infrastructure.


Pre-existing “Restrictions” on Records We “Need” to Share

• Vital records have specific rules
• Juvenile data for healthcare and social services is segmentally addressed in specific applications that differ based on the record system data as “case based” vs. “client based”
• Most privacy rules by state look at redaction of data or sealing records as security controls
• Privacy and sharing rules seldom address automated data “links” and “joins” necessary for juvenile data


Policies must result in Procedures with Achievable Parameters

Collection Limitation: “The collection of personal information should be limited, should be obtained by lawful and fair means, and, where appropriate, with the knowledge or consent of the individual.”

Data Quality: “Personal information should be relevant to the purpose for which it is collected, and should be accurate, complete, and current as needed for that purpose.”

Use Limitation: “Personal information should not be disclosed or otherwise used for other than a specified purpose without consent of the individual or legal authority.”

Disclosure Policy: “The purposes for the collection of personal information should be disclosed before collection and upon any change to that purpose, and its use should be limited to those purposes and compatible purposes.”

Public Access: “The public should be informed about privacy policies and practices, and individuals should have ready means of learning about the use of personal information.”

Security Safeguards: “Personal information should be protected with reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification or disclosure”


Openness

“Changes in technology have usually provided the impetus for the evolution of the American concept of information privacy and privacy law.”

FOIA vs. Juvenile, Victim, Witness Rights to Privacy

• Risk of Disclosure vs. Criminal Closure

• Routine Sharing – Ad Hoc Need to Know

• Personal Safety vs. Rights of Others

• HIPAA, FERPA, FOIA, PIA, SORN, FIP

• What you don’t know can hurt you – but – I can’t tell you what you need to know


Control Includes Accountability

Avoid the Case of “Legal Beagle vs. Technical Eagle”

• Web Designers tend to control web page content
• Technical Programmers/Coders understand system data linkages
• Privacy Officers know legalities of data privacy/security
• Non-technical Executives may expect that only data viewable on the main page or intended links is viewable by the general public

“Individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of these principles.”


User Access Rights

“Individuals should have the following rights:
  – to know about the collection of personal information
  – to access that information
  – to request correction
  – to challenge the denial of these rights.”

Beware the “Google Factor”
• Personnel Details
• Account information
• Address/location information
• Password files
• Detailed police reports/Registries
• Photos



Web Site

“Informative not Invasive”

• Remember the Web is non-sectarian, non-denominational, and WORLD WIDE
• Public has a higher degree of web savvy than in the past
• Data mining using the web is a moneymaker. Info for Sale
• Identity Theft
• Never discount the power of the “e-Press”!

“It is uncertain whether the increased access to information and the ability to relate disparate pieces of a person’s information result in a distorted and inaccurate picture of that person”

Site Digger (www.foundstone.com): Free Software ... Not for the faint of heart


Include Data Security in Action Plan

• Governance: Provides Strategic Vision, Policy, and Budget Oversight (Include Policies and Costs)
• Strategic Plan: Outlines Vision, Mission and Strategic Goals (Define Privacy Protection Goals)
• Annual Business Plan: Outlines Annual Projects and ensures alignment with Strategic Plan (Include Periodic Security Audit & Review)
• Critical Path Matrix: Lists current projects with description, sponsor, status, milestone and delivery dates (Include Data Security Validation Milestones)
• Project Life Cycle: Delivery of projects in a systematic, structured method. Project assessment, planning and execution. (Include in all Facets of Assessment and Planning)
• Project Management Office: PMO serves as central point for tracking, reporting and management on all formal projects (Assign Security Monitoring Function)


Measure, Monitor, Update and Revise

• Don’t let your policies get stale
  – Ongoing Observation, Regular Measurements and Feedback on Breaches are essential
  – Observe the activities in terms of progress toward preferred results (Check that policy change)
  – Comparing progress to the preferred standards
  – Expect and prepare for “breaches”, data leaks, spammers, hackers by having a damage control process in place
  – Provide ongoing feedback to all concerned agencies and personnel (useful and timely information will ameliorate breaks, improper releases)
  – Publicize your processes and your successes

• Don’t stop thinking about Tomorrow…


Data Security Resources and Tools for JJIS

• State & Federal Statutes, Rules, Policies
• Individual State JJIS Efforts
• OJJDP Guidelines for Sharing
• Global
• Others (NASCIO, NGA, Center(s) for Domestic Violence, Safe Schools, NCSC)
• Private Foundations


Federal Statutes & Regulations

Generally, there are no blanket prohibitions on federal government access to publicly available information contained in Automated Systems

• Justice information
• Information contained in public service information systems
• Financial information
• Motor vehicle information
• Education information
• Telecommunications information
• Health information

At the Federal level, the primary measurement tool is the Privacy Impact Assessment (PIA).


State Resources

• Criminal Information Sharing Alliance Network (CISAnet)
• Regional Information Sharing Systems Network (RISSNET)
• Justice Network (JNET)
• DHS Homeland Security Information Network (HSIN)/Joint Regional Information Exchange System (JRIES)
• Automated Regional Justice Information System (ARJIS)
• California Department of Justice
• Wisconsin Department of Justice
• Georgia - GCATS
• Illinois, Illinois Criminal Justice Information Authority (ICJIA):
  – Exec. Order No. 16 (2003), available at http://www.illinois.gov/Gov/pdfdocs/execorder2003-16.pdf
  – http://www.icjia.state.il.us
• List available on Web Site


Top Resources/Web Publications

• JIS: Privacy & Security Impact Assessment

• Global Justice Information Sharing Initiative
  – http://www.it.ojp.gov/global
  – Privacy & Security Templates (www.iir.com/global/GPIQWG.htm)

• Applying Security Practices to Justice Information Sharing: A field compendium of current best practices and successful models for justice-related information technology (IT) security. The publication covers key IT security topics from detection and recovery to prevention and support.

• Alan Harbitter & Jeff Langford, IJIS Industry Working Group, Information Security in Integrated Justice Applications, 1 (2002), available at http://it.ojp.gov/global/security/infosec4ijis3-19-02.pdf

• Privacy and Information Quality Working Group (GPIQWG)
  – A privacy and information quality policy development guide and resource materials
  – http://it.ojp.gov/documents/200411_global_privacy_document.pdf
  – http://it.ojp.gov/documents/Privacy_Guide_Final.pdf

• National Center for State Courts
  – www.ncsconline.org

• NIEM Public Website: http://www.NIEM.gov

• Library of Congress on line access: http://thomas.loc.gov/home/thomas.html

• NASCIO: www.nascio.org