GangNET FAQs Part 3 Question 21: How is the information shared outside the state and what security measures safeguard its transmission? A secure Internet connection protects the data as it flows between NC GangNET and W/B HIDTA. Users of NC GangNET and W/B HIDTA access each other's data transparently via their own GangNET application. Memos of Understanding (MOUs) are signed between the HIDTA and all participants designating organizational security and responsibilities between all connected parties for protection and handling of all view-only access. Question 22: Given the external sharing, what privacy risks have been identified and how were they mitigated? Privacy Risk: The primary risk that results from sharing NC GangNET information with W/B HIDTA participants is HIDTA users can use NC GangNET data for purposes besides the investigation of gangs and gang-related activity. Mitigation: External users of reciprocally supported GangNET software suites are trained, granted access, and monitored by their host agency but with training, policies and monitoring which is similar and complimentary to NC GangNET policy. Further, HIDTA users are limited to read-only access to NC GangNET and cannot edit, print or save viewed information. Question 23: Was notice provided to the individual prior to collection of information? All information collected about gangs and their members and associates is law enforcement sensitive and notice is not given to the subject that a record is being created in NC GangNET. In some cases, the subject knows law enforcement is gathering information about him/her (such as information given at the time of booking or during interviews). In lieu of individual notice, this publication acts as notice to the public that the NC GangNET system exists and that it collects information regarding gang members and associates. Question 24: Do individuals have the opportunity and/or right to decline to provide information? In most cases, because of the law enforcement purposes for which the information is collected, opportunities to decline may be limited or nonexistent. Question 25: Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right? In most cases, because of the law enforcement purposes for which the information is collected, individuals do not have a right to consent to particular uses of the information. The information in NC GangNET will be used in accordance with rules and laws affecting the use of law enforcement intelligence data. Question 26: How is notice is provided to individuals, and how are the risks associated with individuals being unaware of the collection mitigated? Most directly, the public is provided notice of the NC GangNET system through this publication. As part of the NC GangNET administrative and auditing process, applicable laws have been reviewed to ensure that NC GangNET is used appropriately given the notice provided. Further, because NC GangNET is a system where many law enforcement contexts apply, notice or the opportunity to consent to use would compromise the ability of law enforcement agencies to perform their missions and could put law enforcement officers at risk. Question 27: What are the procedures that allow individuals to gain access to their information? Individuals may request access to records from the GangNET user or agency they suspect may have entered data by following the procedures of that agency. NO PRINTED MATERIAL WILL BE PROVIDED. All or some of the requested information may be exempt from access pursuant to the Privacy Act in order to prevent harm to law enforcement investigations or interests. Providing individual access to records contained in NC GangNET could inform the subject of an actual or potential criminal, civil, or regulatory violation investigation or reveal investigative interest on the part of that agency or another agency. Access to the records could also permit the individual who is the subject of a record to impede the investigation, to tamper with witnesses or evidence, and to avoid detection or apprehension. The limit of information may simply be the verbal confirmation that a subject is in the system and nothing else. Question 28: What are the privacy risks and what redress is available to individuals and how are those risks mitigated? Privacy Risk: There is a risk that an individual's record may be inaccurate and/or out-of-date. Mitigation: NC GangNET data is never used directly as evidence to prosecute crimes. NC GangNET is solely a data repository with limited search and analytical tools that help users identify individuals and organizations that may be involved in gang-related criminal activity. It is incumbent on the investigator that uses NC GangNET to fully check all original data sources (i.e., those agencies or officers who originally entered the information into NC GangNET). As a safeguard, when investigating potential violations of state and/or federal laws investigators are required to obtain and verify the original source data from the agency that collected the information to prevent inaccurate information from propagating. There is also a limited retention period for these records, and quality review checks that are performed to identify and correct records. These protections mitigate the risks posed to any individuals whose data may be in NC GangNET. Question 29: What procedures are in place to determine which users may access the system and are they documented? NC GangNET administrative management is responsible for ensuring that all personnel granted direct access to NC GangNET are appropriately trained and monitored. This is done by working with the NC GangNET administrator to establish user accounts, update user identification, role and access profiles as changes are needed. All users requesting access must be approved through the submission of both an agency and user agreement to the NC GangNET administrators. All sworn law enforcement agencies and officers are eligible for an NC GangNET account. Some non-agents, such as Law enforcement agency crime analysts that work on gang-related issues, have accounts as well. Other groups have access, including probation officers and correctional security threat group officers. Users, who access NC GangNET information from external GangNET portals, such as W/B HIDTA, are granted access through their host agency and do not have NC GangNET user accounts. All GangNET software packages with access to NC GangNET will have audit trails or access controls allowing for the tracking of information access. Each GangNET host agency is responsible for maintaining user accounts and ensuring compliance with applicable policies. There are three access control roles that NC GangNET users might be assigned. Generally, agency designated users have “read/write” access so as to allow them to search and update the NC GangNET database and run ad hoc reports. The majority of users (currently 81.5%) have a limited “read-only” account that allows them to search NC GangNET data, but not edit it. This role is used to ensure that individuals, such as some analysts, who do not need to edit the data, won't intentionally or inadvertently alter the NC GangNET data. Finally, administrators have full read and write access and the capacity to configure various parameters of the application. When NC GangNET access is given to W/B HIDTA participant agents, they have read-only access and cannot modify NC GangNET records. Question 30: Will Department contractors have access to the system? Contractors, including developers and information technology operations and maintenance staff from SRA International, have administrative access to NC GangNET for the purpose of maintaining and upgrading the system. SRA International developers and IT staff of NC DPS are the only non-law enforcement or non-NC GangNET administrative individuals with access. NC DPS IT support staff do not have user accounts but do maintain the technical operation of the hardware and database. Question 31: What privacy training is provided to users either generally or specifically relevant to the program or system? All certified NC GangNET system users must sign a rules of behavior MOU agreement prior to training, which includes protecting sensitive information from disclosure to unauthorized individuals or groups. Training of a course of instruction that addresses, at a minimum: The definition of a criminal street gang. Accepted criteria for identifying gang members, associates, and entry of photographs. Criminal predicate/reasonable suspicion definitions. Federal, state and local law statutes and policies regarding criminal intelligence information. Responsibilities related to, and utilization of both the NC GangNET and W/B HIDTA systems. Question 32: What auditing measures and technical safeguards are in place to prevent misuse of NC GangNET data? Activities including subject name searches, vehicle, address, gang name, case number and contact number searches are audited. The enhanced auditing captures what new data was entered, what data existed before and after modification, and what data was deleted. In order to print from the system, a user is required to enter the purpose/reason. To comply with 28 C.F.R. Part 23, when a record is purged, all data related to that record is also purged including any audit records (i.e. the fact the record ever existed in the NC GangNET system has to be expunged). Security measures in place include ensuring access is only granted to authorized users and is password protected and user accounts are created on an individual basis to further secure user information. Question 33: Given the sensitivity and scope of the information collected, as well as any information sharing conducted on the system, what privacy risks were identified and how do the security controls mitigate them? Privacy Risk: There is a risk that personally identifiable information in NC GangNET will be accessed inappropriately. Mitigation: This risk is mitigated by security training including protecting sensitive information and by the use of audit mechanisms logging and monitoring user activity. The assignment of roles to users establishing their access levels based on agency input and training certifications and regular review of those roles along with system audit trails mitigates the risk that users will be able to access information inappropriately. Question 34: What is a gang intelligence system? The NC GangNET database is a web-based commercial software tool that allows data entry and data sharing between certified law enforcement agencies. It enhances the North Carolinas law enforcement capability to identify and investigate crimes by gang members and associates and other illegal gang-related activity. Question 35: Does the system employ technology which may raise privacy concerns? No.