DAR File No. 39892

This rule was published in the November 15, 2015, issue (Vol. 2015, No. 22) of the Utah State Bulletin.


Public Safety, Criminal Investigations and Technical Services, Criminal Identification

Rule R722-900

Access to Bureau Records

Notice of Proposed Rule

(Amendment)

DAR File No.: 39892
Filed: 10/29/2015 08:51:37 PM

RULE ANALYSIS

Purpose of the rule or reason for the change:

This amendment clarifies the ability of the Bureau of Criminal Identification within the Department of Public Safety to retain the fingerprints of certain applicants in both local and national databases for notification of subsequent criminal history entries in said databases pursuant to Subsection 53-10-108(14). The fingerprints are retained in a program known as the Rap Back System.

Summary of the rule or change:

Clarification of the ability of the Bureau of Criminal Identification within the Department of Public Safety to retain the fingerprints of certain applicants in both local and national databases for notification of subsequent criminal history entries in said databases pursuant to Subsection 53-10-108(14). The fingerprints are retained in a program known as the Rap Back System.

State statutory or constitutional authorization for this rule:

  • Subsection 53-10-108(14)

Anticipated cost or savings to:

the state budget:

There is no aggregate anticipated cost or savings to the state budget. This rule change is a clarification of the ability of the Bureau of Criminal Identification within the Department of Public Safety to retain the fingerprints of certain applicants in both local and national databases for notification of subsequent criminal history entries in said databases pursuant to Subsection 53-10-108(14). Thus, no aggregate cost or savings to the state budget is anticipated.

local governments:

There is no aggregate anticipated cost or savings to local government. This rule change is a clarification of the ability of the Bureau of Criminal Identification within the Department of Public Safety to retain the fingerprints of certain applicants in both local and national databases for notification of subsequent criminal history entries in said databases pursuant to Subsection 53-10-108(14). Thus, no aggregate cost or savings to local government is anticipated.

small businesses:

There is no aggregate anticipated cost or savings to small businesses. This rule change is a clarification of the ability of the Bureau of Criminal Identification within the Department of Public Safety to retain the fingerprints of certain applicants in both local and national databases for notification of subsequent criminal history entries in said databases pursuant to Subsection 53-10-108(14). Thus, no aggregate cost or savings to small businesses is anticipated.

persons other than small businesses, businesses, or local governmental entities:

There will be fees of $5 (local) and $13 (national) for the retention of fingerprints of persons in said databases. The $5 fee will cover the cost and maintenance for retention in the local (Western Identification Network - WIN) database and the $13 fee will cover the cost and maintenance for retention in the national (FBI) database.

Compliance costs for affected persons:

Entities that are eligible under state and federal statute to participate in the retention programs may require retention of fingerprints in said databases for purposes of employment, volunteers, licensing, and other authorized purposes. Persons whose fingerprints are retained in the local and national databases will be required to pay fees of $5 and $13, respectively, for retention in said databases.

Comments by the department head on the fiscal impact the rule may have on businesses:

This should not have any particular fiscal impact on business. This rule clarifies the authority to retain fingerprints and collect fees associated with the enrollment of authorized fingerprints in local and national databases. The fees apply to individual persons.

Keith D. Squires, Commissioner

The full text of this rule may be inspected, during regular business hours, at the Division of Administrative Rules, or at:

Public Safety
Criminal Investigations and Technical Services, Criminal Identification
3888 W 5400 S
TAYLORSVILLE, UT 84118

Direct questions regarding this rule to:

  • Alice Moffat at the above address, by phone at 801-965-4939, by FAX at 801-965-4944, or by Internet E-mail at aerickso@utah.gov
  • Kim Gibb at the above address, by phone at 801-556-8198, by FAX at 801-964-4482, or by Internet E-mail at kgibb@utah.gov

Interested persons may present their views on this rule by submitting written comments to the address above no later than 5:00 p.m. on:

12/15/2015

This rule may become effective on:

12/22/2015

Authorized by:

Alice Moffat, Bureau Chief

RULE TEXT

R722. Public Safety, Criminal Investigations and Technical Services, Criminal Identification.

R722-900. Access to Bureau Records.

R722-900-1. Purpose.

The purpose of this rule is to establish procedures whereby criminal justice agencies, qualified entities, and individuals may obtain access to bureau records.

 

R722-900-2. Authority.

This rule is authorized by Subsections 53-10-108([7]9) and ([8]10).

 

R722-900-3. Definitions.

(1) Terms used in this rule are found in Section 53-10-102.

(2) In addition:

(a) "agency" means a criminal justice agency as defined in Subsection 53-10-102(9) and 28 U.S.C. Subsection 534(e), or a non-criminal entity authorized to access CJIS under state or federal law;

(b) "bureau" means the Utah Bureau of Criminal Identification within the Department of Public Safety established by Section 53-10-201;

(c) "CJIS" means the Criminal Justice Information System administered by the FBI;

(d) "entity" means an entity qualified to access criminal history information under state or federal law;

(e) "entity id" means an entity's unique identifier that is used to access criminal history information;

(f) "FBI" means the Federal Bureau of Investigation within the United States Department of Justice;

(g) "login id" means a unique identifier in UCJIS for a user or non-user;

(h) "misuse" means the access, use, disclosure, or dissemination of records for a purpose prohibited or not permitted by statute, rule, regulation, or policy of a governmental entity;

(i) "NCIC" means the National Crime Information Center;

(j) "non-user" means a person working for or with an agency, who does not have direct access to UCJIS but has indirect access to records, including individuals who may:

(i) access computer systems or programs used to access UCJIS files; or

(ii) have unrestricted access to a location containing UCJIS records or a computer with UCJIS access;

(k) "ORI" means originating agency identifier;

(l) "provider" means a law enforcement agency as defined in Subsection 53-1-102(1)(c), the Utah Attorney General's Office, a county attorney's office, a district attorney's office, or a city prosecutor's office;

(m) "records" means records created, maintained, or to which access is granted by the bureau, including criminal history information;

(n) "right of access program" means a program established under Subsection 53-10-108([8]9) in which a provider makes an individual's UC[C]H and warrant of arrest information available to the subject of the record;

(o) "TAC" means an agency's terminal agency coordinator;

(p) "UC[C]H" means Utah [Computerized] Criminal History;

(q) "UCJIS" means Utah Criminal Justice Information System, which includes the Criminal Justice Information System; and

(r) "user" means a person working for or with an agency who has direct access to UCJIS or who obtains UCJIS records from a person who has direct access.

 

R722-900-4. Direct Access to UCJIS for Agencies.

(1) An agency seeking direct access to UCJIS shall submit a completed Criminal Justice Agency Application Packet to the bureau.

(2)(a) The bureau shall submit the agency's information to the FBI, which shall determine whether the agency meets the requirements for access to CJIS records established by the FBI.

(b) If the FBI determines the agency is entitled to access any CJIS records, the FBI shall assign the agency an ORI and the bureau shall notify the agency in writing what records it may access on UCJIS using the assigned ORI.

(c)(i) If the FBI determines that the agency is not entitled to access records on CJIS, the bureau shall notify the agency of the FBI's decision and refer the agency to the agencies whose records are available on UCJIS to determine if the agency may have access to those records.

(ii) If the agency is granted access to any records on UCJIS, the bureau shall assign the agency an ORI and notify the agency in writing which records the agency may access using that ORI.

(iii) If the agency is not entitled to access any records on UCJIS, the bureau shall notify the agency in writing and provide notice of the right to appeal pursuant to R722-900-10.

(3)(a) Within 30 days after an agency is granted access to records on UCJIS, it shall submit the following documents to the bureau:

(i) a Criminal Justice Agency Agreement, signed by the agency administrator; and

(ii) a CJIS fingerprint submission form with a legible FD258 fingerprint card for the TAC, which shall be retained in the FBI Rap Back System in accordance with Subsection 53-10-108(14).

(b) The bureau shall conduct a fingerprint-based criminal history background check of the TAC.

(c) If the bureau determines that the TAC meets all the requirements for access to UCJIS, the TAC shall complete the new TAC orientation training provided by the bureau within six months.

(d) If the bureau determines that the TAC does not meet the requirements for access to UCJIS, the bureau shall notify the agency and the TAC in writing including notice of the right to appeal pursuant to R722-900-10.

(4)(a) The agency TAC shall conduct a criminal history check using the name and date of birth of each user or non-user at the agency.

(b) If the criminal history check indicates that the user or non-user does not have any criminal history, the TAC shall create an account on UCJIS and assign the user or non-user a login id.

(c) Within 30 days of assigning a login id to a user or non-user, the TAC shall submit to the bureau:

(i) a UCJIS User Agreement for each user and non-user; and

(ii) a CJIS fingerprint submission form with a legible FD258 fingerprint card for all users and non-users employed at the agency, which shall be retained in the FBI Rap Back System in accordance with Subsection 53-10-108(14).

(d) The bureau shall conduct a fingerprint-based criminal history background check for all users and non-users employed at the agency.

(e) If the bureau determines that a user or non-user meets the requirements for access to CJIS, the bureau shall notify the TAC that the user or non-user has been approved.

(f) If the bureau determines a user or non-user does not meet the requirements for access to CJIS, the bureau shall notify the user or non-user, the TAC, and the agency administrator in writing which includes the right to appeal pursuant to R722-900-10.

(5)(a) Within six months of assigning a login id to a user or non-user, the TAC shall train the user or non-user in accordance with the BCI Operations Manual.

(b) Upon completion of the training, the TAC shall administer a test to the users and submit to the bureau a signed testing agreement form from each user indicating that the user passed all of the required training and testing.

(6)(a) The TAC shall attend the annual TAC training meeting and provide updates to all users and non-users at the agency based on the training.

(b) The TAC shall be responsible for ensuring that all users or non-users at the agency complete all training required by the bureau.

(c) The TAC shall be responsible for ensuring that all users at the agency complete all re-testing required by the bureau.

(d) The bureau may suspend or revoke a TAC's, user's, or non-user's access to records if the TAC, user, or non-user fails to complete the required training or testing.

 

R722-900-5. Access for Entities.

(1)(a) An entity seeking access to criminal background check information for employment background checks or other screening purposes shall submit a completed Qualified Entity Application Packet to the bureau, which includes the following:

(i) a Qualified Entity Application Form;

(ii) documentation that it is a business, organization, or governmental entity that is qualified to access criminal background check information;

(iii) a description of why the entity is seeking to conduct employment background checks or other screenings;

(iv) billing information; and

(v) contact information for:

(A) the entity's administrator; and

(B) a point of contact.

(2)(a) The bureau shall review the entity's application to determine whether the entity meets the requirements for access to criminal background check information found in state or federal law.

(b) The bureau may request additional documentation from the entity to verify whether the entity is qualified to access criminal history information.

(c) If the bureau determines that an entity is qualified to access criminal background check information, it shall notify the entity in writing and assign it an entity id.

(d) If the bureau determines the entity is not qualified to access criminal background check information, the bureau shall notify the entity of the bureau's decision in writing and provide notice of the right to appeal pursuant to R722-900-10.

(3)(a) Once an entity has been granted access to criminal background check information, it shall submit the following documents to the bureau:

(i) a Qualified Entity Agreement, signed by the entity administrator; and

(ii) a signed Qualified Entity Employee Agreement for each employee of the entity who will have access to criminal background check information.

(b) Any employee of the entity who has access to criminal background check information shall successfully complete all training and testing required by the bureau.

(c) The bureau may suspend or revoke access to criminal background check information if an employee of an entity fails to complete the required training and testing.

 

R722-900-6. Individual Right of Access.

(1) An individual may review his or her own criminal history record information contained in a UC[C]H, by submitting a completed Criminal History Record Application to the bureau along with:

(a) a set of fingerprints which have been verified with photo identification at the time the fingerprints were taken;

(b) a copy of a government issued photo identification; and

(c) payment of the processing fee required by Subsection 53-10-108([8]9)(b).

(2)(a) An individual may challenge the completeness and accuracy of the information contained in the individual's UC[C]H by submitting a completed Application to Challenge Criminal History Records to the bureau along with:

(i) the challenge fee; and

(ii) documentation to establish what information is missing or incorrect on the UC[C]H.

(b) The challenge process shall be an informal adjudicative proceeding under Section 63G-4-203.

(c)(i) If the bureau determines that the individual's criminal history record information is incomplete or inaccurate, the bureau shall amend the UC[C]H.

(ii) The bureau shall send the individual a letter notifying the individual of the changes made to the individual's UC[C]H and a copy of the individual's corrected UC[C]H.

(d)(i) If the bureau determines that the criminal history record information is correct, the bureau shall notify the individual in writing that the UC[C]H shall not be amended.

(ii) An individual may appeal the bureau's decision not to amend a record to district court in accordance with Section 63G-4-402.

(e) If the bureau determines that the individual seeking to challenge the information in the UC[C]H is not the subject of the record, the bureau shall notify the individual in writing.

 

R722-900-7. Right of Access Programs.

(1) A provider seeking to establish a right of access program shall submit a completed Right of Access Contract.

(2)(a) The bureau shall review the Right of Access Provider Contract to determine whether the provider may conduct a right of access program.

(b) The bureau may request additional information from the provider to determine whether the provider may conduct a right of access program.

(c) If the bureau determines that a provider is qualified to conduct a right of access program, it shall notify the provider in writing.

(d) If the bureau determines the provider is not qualified to conduct a right of access program, it shall notify the provider of the bureau's decision in writing.

 

R722-900-8. Audits.

(1)(a) All agencies and entities shall submit to audits conducted by the bureau.

(b) Upon request, an agency and entity shall complete the Pre-audit Request within 30 days from the date it is sent by the bureau.

(c) An agency and entity shall complete the Audit Survey within 30 days from the date it is sent out by the bureau.

(d) The bureau shall review the information submitted by the agency and entity to determine if the agency and entity is in compliance with applicable state and federal statutes, rules, and regulations.

(e) The bureau shall notify the agency and entity of the audit results in writing and give the agency, entity, or provider an opportunity to rectify any issues it found during the audit.

(f) The bureau may suspend or revoke an agency's access to UCJIS or an entity's access to criminal background check information if it fails to comply with the audit or rectify issues found during the audit.

 

R722-900-9. Misuse.

(1) Anyone who has reason to believe that records have been misused may submit a written complaint to the bureau.

(2)(a) The bureau shall conduct a review of its records to determine if there is any evidence to support the complaint.

(b) If the bureau finds evidence indicating records may have been accessed, used, disclosed, or disseminated, the bureau shall notify the agency TAC or entity point of contact and request that an internal review be conducted.

(3) The agency or entity shall be responsible for conducting an internal review to determine if there has been misuse of a record and submit its findings to the bureau within 30 days.

(4)(a) If the agency or entity determines there was misuse, the agency or entity shall submit a corrective action plan to the bureau.

(b) The bureau shall review the corrective action plan to determine if the action taken by the agency or entity was sufficient to address the misuse.

(5) If the bureau finds that an agency, entity, TAC, user, non-user, or employee of an agency or entity misused records, the bureau may:

(a) suspend or revoke the access of the agency, entity, TAC, user, non-user, or employee of [the]an agency or entity; and

(b) refer the matter to the appropriate law enforcement agency for investigation and prosecution.

(6) The bureau may suspend or revoke access to records by an agency, entity, TAC, user, non-user, or employee of [the]an agency or entity if the agency, entity, TAC, user, non-user, or employee of [the]an agency or entity fails to comply with any terms of the signed agreement.

 

R722-900-10. Appeal.

(1)(a) An agency or entity denied access to records may appeal the bureau's decision by sending a written request for review to the bureau within 30 days of the date of the denial of access.

(b) An agency or entity may appeal the bureau's decision to deny a TAC, user, or non-user access to records by sending a written request for review to the bureau within 30 days of the date of the denial of access.

(2) A request for review shall include:

(a) a description of the grounds for review; and

(b) supporting documentation.

(3)(a) The bureau director or the director's designee shall review the request for review and issue a written decision within 30 days from the date of the appeal.

(b) If the bureau's decision to deny an agency or entity is upheld, the bureau shall notify the agency or entity of the right to appeal to the district court by complying with the requirements in Section 63G-4-402.

(c) If the bureau's decision to deny a TAC, user, or non-user is upheld, there shall be no further right of appeal.

 

KEY: access to records, UCJIS, criminal justice agencies, qualified entities

Date of Enactment or Last Substantive Amendment: [August 21, 2013]2015

Notice of Continuation: April 10, 2013

Authorizing, and Implemented or Interpreted Law: 53-10-102; 53-10-108

 


Additional Information

The Portable Document Format (PDF) version of the Bulletin is the official version. The PDF version of this issue is available at https://rules.utah.gov/publicat/bull-pdf/2015/b20151115.pdf. The HTML edition of the Bulletin is a convenience copy. Any discrepancy between the PDF version and HTML version is resolved in favor of the PDF version.

Text to be deleted is struck through and surrounded by brackets ([example]). Text to be added is underlined (example).  Older browsers may not depict some or any of these attributes on the screen or when the document is printed.

For questions regarding the content or application of this rule, please contact Alice Moffat at the above address, by phone at 801-965-4939, by FAX at 801-965-4944, or by Internet E-mail at aerickso@utah.gov; Kim Gibb at the above address, by phone at 801-556-8198, by FAX at 801-964-4482, or by Internet E-mail at kgibb@utah.gov.  For questions about the rulemaking process, please contact the Division of Administrative Rules.