GangNET FAQs Part 2

Question 11: If the system uses commercial or publicly available data please explain why and how it is used.
NC GangNET users that collect information about a gang member or associate in the course of an investigation or other law enforcement activity may obtain some of that information from commercial or publicly available data sources. That information may ultimately be entered into NC GangNET when the gang member or associate record is created or updated by the certified agency user. The officer is responsible for ensuring that the public or commercial data is accurate to the extent possible before including it in NC GangNET.

Question 12: Describe any types of controls that may be in place to ensure that information is handled in accordance with the above described uses.
Automatic purge parameters permanently delete stored personally identifiable information if that information has not been edited within five years, in accordance with 28 C.F.R. Part 23. Additionally, NC GangNET users undergo agency-wide and system-specific training. Only GCC employees and contractors are able to directly access the NC GangNET system. Further, individual users cannot access NC GangNET without an account created for them by the system administrators. Users of the W/B HIDTA system can query and have read-only access to NC GangNET gang data, but do not have direct user access or edit privileges to NC GangNET.

Question 13: What information is retained?
NC GangNET records containing gang members' and associates' personal identifying information are retained. General information in NC GangNET that does not necessarily pertain to a specific individual (such as estimated membership size, claimed turf, common signs, symbols, etc.) is also retained. NC GangNET does not store reports or link analyses or other ad hoc reports run by certified users for later review. They must be printed out in hard copy to be retained.

Question 14: How long is information retained?
The gang member and associate records are stored in the system for five years after the last date they were updated, as required under 28 C.F.R. Part 23. Records are automatically tagged when they are accessed with the expected purge date, allowing administrators to purge expired data automatically and efficiently.

Question 15: What are the risks associated with the length of time data is retained and how are those risks mitigated?
Privacy Risk: Retaining NC GangNET data longer than necessary would violate the Fair Information Principle of minimization, which requires systems and programs to retain only the information necessary and relevant to complete the task associated with its initial collection.
Mitigation: The five-year period suggested for NC GangNET complements the mission requirements of NC GangNET because five years allows for sufficient time to analyze and track suspected gang members and associates, and allows for a fuller development of complicated cases where linkages between subjects, organizations, and criminal conspiracies are difficult to detect. It is also sufficiently short to reduce the risk of out-of-date information persisting indefinitely. Understanding that the retention period should not be longer than the mission and purpose of the system, five years ensures that certified participants can use the information for the stated purpose while not keeping the information longer than necessary. It should be noted that the retention period is established by 28 C.F.R. Part 23 and all users of the GangNET systems (such as W/B HIDTA) must also comply with this retention period.

Question 16: With which law enforcement and correctional organization(s) is the information shared, what information is shared and for what purpose?
In certain cases, select individuals in the Division of Adult Correction or probation and parole officers who have a specific need for access may be given access to the system through user accounts on a case-by-case basis.
These users are provided read-only access and cannot modify NC GangNET records directly. Local, state (SBI, ALE, Highway Patrol), federal (ATF, ICE, FBI) and other certified law enforcement agencies are afforded system privileges.

Question 17: How is the information transmitted or disclosed?
Information is transmitted and shared by directly accessing NC GangNET via a secure internet connection. W/B HIDTA users have access to the same functions and tools that most NC GangNET users have. However, users outside of North Carolina via the W/B HIDTA are limited to read-only access, which prevents them from adding, modifying, or printing data.

Question 18: Considering the extent of internal information sharing, what privacy risks are associated with the sharing and how were they mitigated?
Privacy Risk: A risk exists that information may be shared with other criminal justice components without a need to know.
Mitigation: Information from NC GangNET is shared only with law enforcement organizations that have a role in the investigation of possible violations of criminal laws. NC GangNET uses access controls and audit trails to mitigate the risk that information will be accessed by unauthorized individuals or improperly used by authorized individuals. Out-of-state system users of NC GangNET via W/B HIDTA currently have read-only access, which mitigates the risk that they will modify the data. All NC GangNET agencies and users must sign use agreements and undergo mandatory system-specific training, which helps ensure that NC GangNET data is not shared inappropriately.

Question 19: With which external organization(s) is the information shared, what information is shared, and for what purpose?
NC GangNET shares information with the Washington/Baltimore HIDTA system and its collaborative users for the purpose of providing information on gangs, gang members and gang associates to the wider law enforcement community.
NC GangNET and W/B HIDTA member users are able to reciprocally query and access data in each other's repository. Users of each system have read-only access to the data in the other system and are unable to change, save or print the information.

Question 20: Is the sharing of personally identifiable information outside the State compatible with the original collection?
Sharing with external law enforcement agencies is compatible with the purpose of the original collection, namely to improve the efficiency and effectiveness of law enforcement personnel investigating gang members and associates and gang-related activity and to facilitate sharing of gang-related information. NC GangNET information is shared with W/B HIDTA users pursuant to an existing information sharing agreement. As the community of W/B HIDTA participants grows, additional sharing partners may be identified that give NC GangNET users access to their data and that may be given access to NC GangNET data.