Article: WSFC Privacy Policy

Article: WSFC Privacy Policy

Author: WSFC • Published: 09/25/2012

Washington State Fusion Center

Privacy Policy

Purpose Statement

The purpose of the Washington State Fusion Center (WSFC) Privacy Policy is to ensure that the collection, evaluation, analysis and dissemination of information and intelligence data regarding criminal activity is conducted in a manner that protects public safety while protecting civil rights, civil liberties and personal privacy. This policy has the express purpose of fulfilling that mission by ensuring strict adherence to all applicable federal and state constitutional rights, statutory, and regulatory protections while:

• Protecting the integrity of systems for the observation and reporting of terrorism-related criminal activity and information;

• Encouraging individuals or community groups to trust and cooperate with the justice system;

• Promoting governmental legitimacy and accountability; and

• Making the most effective use of public resources allocated to public safety agencies.

Policy Applicability and Legal Compliance

1. The WSFC will adopt a Concept of Operations and Standard Operating Procedures that are consistent with the provisions of this privacy policy, as well as all applicable state and federal constitutional rights and statutes and regulations, including 28 CFR Part 23.

2. All personnel assigned to the WSFC, including private contractors and authorized participating agencies will comply with the WSFC’s privacy policy while carrying out WSFC responsibilities at the direction of the WSFC and its representatives, or otherwise acting within the scope of their assigned WSFC duties. Nothing in this policy is, however, meant to preempt superseding federal or state laws, regulations, or constitutional provisions.

3. The WSFC will make this policy available on-line to personnel and authorized users and will provide a printed copy of this policy to all WSFC personnel, who will be required to sign both a written acknowledgement of receipt of this policy, as well as a written agreement to comply with the privacy policy.

4. It is the policy of WSFC, where relevant and appropriate, to provide the enhanced protections of the Information Sharing Environment (ISE) for terrorism-related information to all personal identifiable information shared by WSFC with authorized participating agencies.

Governance and Oversight

1. The WSFC Executive Board is responsible for approving WSFC policies and procedures and ensuring that audit and oversight mechanisms are in place to ensure compliance. The Director of the WSFC is responsible for approving an Interim Privacy Policy until the Executive Board can approve a final policy. The Director is also responsible for the day-to-day operations of the WSFC, including enforcement of this privacy policy. The Director will appoint a designated and trained internal Privacy and Civil Liberties Officer to monitor compliance with this policy and act as a resource. This person will also act as the liaison for the Information Sharing Environment.

2. The WSFC Executive Board will establish a privacy oversight mechanism to review and make recommendations regarding WSFC privacy policy and procedures to ensure that appropriate revisions are made in response to changes in technology, policy, or law, and to oversee a minimum of an annual audit of WSFC operations to determine compliance with this policy.

3. Personnel, contractors and others who fail to abide by provisions of this policy applicable to them may be denied access to information sharing mechanisms of the WSFC or other appropriate sanction as determined by the WSFC Executive Board, including potential termination of participation with the WSFC.

Information Collection, Retention and Dissemination Standards

1. The WSFC will only collect, analyze, retain or disseminate information that was lawfully obtained and is relevant to the investigation and prosecution of suspected criminal activity, threats to public safety or other legitimate criminal justice purpose. For purposes of this policy, “information” includes any information or intelligence “about an identifiable individual or organization that the WSFC may legally obtain, review, retain, etc., such as suspicious activity reports (SARs) and other tips and leads information, criminal histories, incident reports, public records, etc.” See Appendix C for SAR Guidelines that the WSFC will follow for this type of information.

2. The WSFC will not seek, retain or disseminate any information about individuals or organizations solely on the basis of their race, ethnicity, gender, age, sexual orientation or disability. This protection also extends to religious or political activities and beliefs. Since government actions can unintentionally inhibit the exercise of state and federal constitutional rights, this policy further specifically prohibits the collection, retention or dissemination of personal identifying information (PII) about an individual’s non-criminal participation in protected First Amendment activities such as speech, assembly and petition which may take various forms to include protests, rallies, etc., without a legitimate law enforcement purpose meeting the standards and procedures of this policy.

3. Any criminal information related to protected First Amendment activities shall be first reviewed by the Privacy and Civil Liberties Officer and then specifically approved by the WSFC Director prior to retention or dissemination. In addition to applying the criminal standard, the review and approval shall ensure that any misdemeanor criminal conduct alleged has a legitimate law enforcement purpose and is relevant to the core responsibilities of the WSFC.

4. When the decision to retain information is made, it will be labeled, stored and disseminated in a manner that:

• Protects the right of privacy and civil liberties

• Protects confidential sources and methods

• Provides all legally required protections

Information will be assessed upon receipt to determine its nature, usability, and quality and labeled to indicate to the user the category of information, the nature of the source, and confidence levels, where appropriate. The labeling of retained information will be reevaluated when new information is collected that has an impact on the confidence in previously retained information.

5. All personal identifiable information collected by WSFC and shared through the ISE, shall include, where relevant and appropriate, the name of the originating agency, the information system from which the information is provided, the date the information was collected, and the title and contact information for the person in the originating agency to whom inquiries should be directed.

6. All personal identifiable information with access restrictions will be so labeled when it is disseminated to reflect limitations on access and sensitivity of disclosure. Those limitations will be updated when the WSFC receives new information that impacts those access restrictions or there is a change in the use of the information affecting access or disclosure limitations.

7. Information gathering and investigative techniques used by the WSFC and information originating agencies shall be in compliance with and will adhere to applicable constitutional provisions, statutes and regulations. Intelligence information shall be collected, stored and disseminated in compliance with 28 CFR Part 23 (Appendix A), and the LEIU Criminal Intelligence File Guidelines (Appendix B), including the Third Party Rule, as well as all applicable federal and state constitutional provisions.

Information Quality Assurance

1. The WSFC will make every reasonable effort to ensure that, prior to retaining or disseminating information, the information is accurate and complete, and includes the context in which the information was received. This will include labeling information to identify, where relevant and appropriate, its source and level of quality, including confidence in the information (source reliability and content validity), accuracy, completeness, currency, and whether it has been verified.

2. The WSFC will investigate and correct or delete, in a timely manner, any alleged errors and deficiencies in the information the fusion center has retained or disseminated, whether by internal discovery or external complaint of error. If the WSFC discovers that information it has received from an originating agency is inaccurate or otherwise unreliable, it will notify the originating agency in writing, including electronic notification. This will include written (electronic) notification to any individual or entity that the WSFC knows has received the incorrect information. To facilitate these notifications, the WSFC will develop a computer system that tracks the dissemination of information and intelligence and any corrections (including related new information) or deletions.

3. All criminal intelligence information will be electronically marked with its purge date upon entry into a criminal intelligence database and validated for retention purposes or purged at least every five years. Information and intelligence that is no longer relevant, including criminal intelligence information no longer eligible to be retained under 28 CFR Part 23, will be electronically purged, returned to the originating agency as appropriate, or otherwise archived as required by law. Source agencies will not be notified of pending purge dates.

4. Records about an individual or organization from two or more sources will not be merged unless there is sufficient identifying information to reasonably conclude that the information is about the same individual or organization. The set of identifiers sufficient to allow merging will consist of all available attributes that can contribute to a higher accuracy of match. If the information is insufficient to allow merging of the record, the information may be associated if accompanied by a clear statement that it has not been adequately established that the information relates to the same individual or organization.

5. Public records will be provided to requestors, unless exempt from disclosure under chapter 42.56 RCW, the Washington State Public Records Act, or other statutes governing disclosure. Records will not be provided to any requestor until the agency that created the records is notified and has a reasonable period of time to review and assess exemptions and to make its position on disclosure known. When information is exempt from disclosure and an individual or group has a complaint or other objection to the accuracy of information regarding that person or group, the WSFC will acknowledge the complaint and: (a) if the information originates from the WSFC, the WSFC will investigate the complaint and either confirm the information, correct it, or remove it from an information database; or (b) if the information does not originate from the WSFC, the complaint will be referred to the source agency for investigation. A record of all such requests, and any confirmation or correction/removal action taken, will be maintained by the WSFC. Pending investigation and resolution, the information complained about will not be disseminated by the WSFC.

6. The WSFC Director will ensure that all complaints about information originating from the WSFC are fully investigated and appropriate action is taken in response to the investigation.

Information Security

1. Credentialed, role-based criteria are crucial for information security and privacy protections. Access limitations, along with an inquiry log and audit trail maintained by WSFC for WSFC databases, will identify and limit:

• The authorized user making an inquiry, the subject of the inquiry, and the information that the user has accessed;

• Whether the authorized user can enter, change, delete or print information or took any of these actions; and

• To whom information can be disseminated and under what circumstances.

Only qualified individuals with the appropriate credentials and training will analyze information acquired or accessed by the center.

These restrictions will be reevaluated whenever the WSFC receives additional information which merits a change in information restrictions, such as a national security classification.

2. Access to or disclosure of records collected or retained by the WSFC will be provided only to persons who are authorized to have such access in accordance with all applicable federal and state laws, and/or in furtherance of legitimate public safety purposes. All WSFC personnel, including contractors will undergo a full background investigation in addition to a security clearance investigation for those individuals having access to classified information.

3. Any information disseminated by the WSFC will contain dissemination restriction language appropriate for the particular type of material, such as “law enforcement sensitive,” and “third-party” rule restrictions.

4. The WSFC Director shall appoint a security officer. The Security Officer shall receive appropriate training and shall work in concert with the FBI security manager to ensure compliance with information security procedures. These security procedures will include:

• Secure internal and external safeguards against network intrusions;

• Information will be stored so that it cannot be modified, accessed, destroyed or purged except by authorized personnel with the appropriate background investigations and security clearances; and

• Appropriate physical security safeguards are in place to protect information.

5. Unless legal or security restrictions prohibit it, or unless it would compromise a legitimate law enforcement purpose, such as an ongoing investigation, source or method, etc., (a) the WSFC will follow RCW 42.56.590 in the event of a data security breach; and (b) the WSFC will protect sensitive government records and private information consistent with chapter 42.56 RCW, the Washington Public Records Act.

Accountability and Enforcement

1. The public has a right to know the information and privacy safeguards of the WSFC. The WSFC’s privacy policy will be made available upon request and will be posted on a public web portal to be developed.

2. To enable oversight and enforcement of these provisions, the WSFC will implement a computerized record system that maintains an audit trail of all access and dissemination of WSFC records. This audit trail will be maintained a minimum of five years.

3. In addition to being provided a copy of this policy, all WSFC personnel will be required to participate in training regarding adhering to this policy. This training will include, at a minimum, the purpose of the policy, substance and intent of the provisions of the policy, impact of infractions, and possible penalties for violations. Personnel authorized to share personal identifiable information in the ISE shall receive specialized training regarding WSFC requirements and policies for the collection, disclosure and use of this information. User agencies, not the WSFC, are responsible for providing appropriate training, such as how to handle intelligence or law enforcement sensitive information, e.g., the Third Party Rule, to their personnel submitting information to WSFC or who have access to protected information disseminated by WSFC.

4. All personnel assigned to the WSFC have a duty to uphold the privacy and civil liberties protections in this policy, to cooperate with audits and reviews by oversight officials with responsibility for information sharing, and to report violations of WSFC policies related to protected information to the WSFC Privacy and Civil Liberties Officer, who shall serve as the initial receiving point for inquiries and complaints about privacy and civil liberties concerns, and who will receive reports of suspected or confirmed violations. The WSFC Director is responsible for ensuring adherence to this policy.

5. The WSFC Executive Board will ensure that an annual audit is conducted to review compliance with WSFC information systems requirements and the WSFC Privacy Policy. The panel will report its findings to the Executive Board along with any recommendations for corrective action or policy modification. If suggestions for policy modification are approved, the Policy will be updated annually to reflect those suggestions and any other modification required in response to changes in applicable law, technology, or the purpose and use of information systems.

For more information Contact: Doug Larm at 1-877-843-9522 or