DAR File No. 43665

Public Safety, Criminal Investigations and Technical Services, Criminal Identification

Rule R722-900

Access to Bureau Records

Notice of Proposed Rule

(Amendment)

DAR File No.: 43665
Filed: 04/24/2019 04:10:22 PM

RULE ANALYSIS

Purpose of the rule or reason for the change:

The changes made to the FBI Criminal Justice Information System (CJIS) policy require that a fingerprint background check be completed before access to CJIS information or unescorted access to secure or controlled locations where CJIS information is maintained is granted to an employee of an agency as defined in Section R722-900-3. The new requirement is being incorporated into the rule.

Summary of the rule or change:

Vendor entity has been added to the definition of "agency"; specifies that the background check is required prior to an individual being granted access to CJIS information rather than allowing the background check to be completed within 30 days after access has already been granted; adds requirement for a terminal agency coordinator (TAC) to notify the bureau if their agency intends to employ an individual with a criminal history prior to access to CJIS information being activated; and adds authorization to suspend or revoke access if an employee violates any provision contained within the applicable signed agreement.

Statutory or constitutional authorization for this rule:

• Section 53-10-108
• Section 53-10-102

Anticipated cost or savings to:

the state budget:

BCI does not anticipate any costs or savings to the state budget as a result of this administrative rule change because a background check is already required in order to obtain access to CJIS information. This rule change only specifies that the background check is required prior to an individual being granted access to CJIS information rather than allowing the background check to be completed within 30 days after access has already been granted.

local governments:

BCI does not anticipate any costs or savings to local governments as a result of this administrative rule change because a background check is already required in order to obtain access to CJIS information. This rule change only specifies that the background check is required prior to an individual being granted access to CJIS information rather than allowing the background check to be completed within 30 days after access has already been granted.

small businesses:

BCI does not anticipate any costs or savings to small businesses as a result of this administrative rule change because a background check is already required in order to obtain access to CJIS information. This rule change only specifies that the background check is required prior to an individual being granted access to CJIS information rather than allowing the background check to be completed within 30 days after access has already been granted.

persons other than small businesses, businesses, or local governmental entities:

BCI does not anticipate any costs or savings to persons other than small businesses, businesses or local government entities as a result of this administrative rule change because a background check is already required in order to obtain access to CJIS information. This rule change only specifies that the background check is required prior to an individual being granted access to CJIS information rather than allowing the background check to be completed within 30 days after access has already been granted.

Compliance costs for affected persons:

BCI does not anticipate any compliance costs for affected persons as a result of this rule amendment because those who are required to obtain a background check are already required to pay a fee for this service. The rule only specifies that the background check is required prior to obtaining access to CJIS information, rather than within 30 days after access has been granted.

Comments by the department head on the fiscal impact the rule may have on businesses:

There are no small or non-small businesses in Utah that will be impacted by this rule change because the only change being made in this rule is a change to the time frame in which a background check is conducted for an individual who is required to have a background check in order to access CJIS information. This rule change will not impact the fees already required to obtain a background check. The Commissioner of the Department of Public Safety, Jess L. Anderson, has reviewed and approved this fiscal analysis.

Jess L. Anderson, Commissioner

The full text of this rule may be inspected, during regular business hours, at the Office of Administrative Rules, or at:

Public Safety
Criminal Investigations and Technical Services, Criminal Identification
3888 W 5400 S
TAYLORSVILLE, UT 84118

Direct questions regarding this rule to:

• Kim Gibb at the above address, by phone at 801-556-8198, by FAX at 801-964-4482, or by Internet E-mail at kgibb@utah.gov
• Nicole Borgeson at the above address, by phone at 801-281-5072, by FAX at , or by Internet E-mail at nshepherd@utah.gov
• Greg Willmore at the above address, by phone at 801-965-4533, by FAX at , or by Internet E-mail at gwillmor@utah.gov

Interested persons may present their views on this rule by submitting written comments to the address above no later than 5:00 p.m. on:

06/14/2019

This rule may become effective on:

06/21/2019

Authorized by:

Greg Willmore, Division Director

Appendix 1: Regulatory Impact Summary Table*

Fiscal Costs	FY 2019	FY 2020	FY 2021
State Government	$0	$0	$0
Local Government	$0	$0	$0
Small Businesses	$0	$0	$0
Non-Small Businesses	$0	$0	$0
Other Person	$0	$0	$0
Total Fiscal Costs:	$0	$0	$0
Fiscal Benefits
State Government	$0	$0	$0
Local Government	$0	$0	$0
Small Businesses	$0	$0	$0
Non-Small Businesses	$0	$0	$0
Other Persons	$0	$0	$0
Total Fiscal Benefits:	$0	$0	$0
Net Fiscal Benefits:	$0	$0	$0

 

*This table only includes fiscal impacts that could be measured. If there are inestimable fiscal impacts, they will not be included in this table. Inestimable impacts for State Government, Local Government, Small Businesses and Other Persons are described above. Inestimable impacts for Non - Small Businesses are described below.

 

Appendix 2: Regulatory Impact to Non - Small Businesses

There are no non-small businesses in Utah that will be impacted by these rule changes because the only change being made in this rule is a change to the time frame in which a background check is conducted for an individual who is required to have a background check in order to access CJIS information. These rule changes will not impact the fees already required to obtain a background check.

 

The Commissioner of the Department of Public Safety, Jess L. Anderson, has reviewed and approved this fiscal analysis.

 

 

R722. Public Safety, Criminal Investigations and Technical Services, Criminal Identification.

R722-900. Access to Bureau Records.

R722-900-1. Purpose.

The purpose of this rule is to establish procedures whereby criminal justice agencies, qualified entities, and individuals may obtain access to bureau records.

 

R722-900-2. Authority.

This rule is authorized by Subsections 53-10-108(9) and (10).

 

R722-900-3. Definitions.

(1) Terms used in this rule are found in Section 53-10-102.

(2) In addition:

(a) "agency" means a criminal justice agency as defined in Subsection 53-10-102(9) and 28 U.S.C. Subsection 534(e), a vendor entity, or a non-criminal entity authorized to access CJIS under state or federal law;

(b) "bureau" means the Utah Bureau of Criminal Identification within the Department of Public Safety established by Section 53-10-201;

(c) "CJIS" means the Criminal Justice Information System administered by the FBI;

(d) "entity" means an entity qualified to access criminal history information under state or federal law;

(e) "entity id" means an entity's unique identifier that is used to access criminal history information;

(f) "FBI" means the Federal Bureau of Investigation within the United States Department of Justice;

(g) "login id" means a unique identifier in UCJIS for a user or non-user;

(h) "misuse" means the access, use, disclosure, or dissemination of records for a purpose prohibited or not permitted by statute, rule, regulation, or policy of a governmental entity;

(i) "NCIC" means the National Crime Information Center;

(j) "non-user" means a person working for or with an agency, who does not have direct access to UCJIS but has indirect access to records, including individuals who may:

(i) access computer systems or programs used to access UCJIS files; or

(ii) have unrestricted access to a location containing UCJIS records or a computer with UCJIS access;

(k) "ORI" means originating agency identifier;

(l) "provider" means a law enforcement agency as defined in Subsection 53-1-102(1)(c), the Utah Attorney General's Office, a county attorney's office, a district attorney's office, or a city prosecutor's office;

(m) "records" means records created, maintained, or to which access is granted by the bureau, including criminal history information;

(n) "right of access program" means a program established under Subsection 53-10-108(9) in which a provider makes an individual's UCH and warrant of arrest information available to the subject of the record;

(o) "TAC" means an agency's terminal agency coordinator;

(p) "UCH" means Utah Criminal History;

(q) "UCJIS" means Utah Criminal Justice Information System, which includes the Criminal Justice Information System; and

(r) "user" means a person working for or with an agency who has direct access to UCJIS or who obtains UCJIS records from a person who has direct access.

 

R722-900-4. Direct Access to UCJIS for Agencies.

(1) An agency seeking direct access to UJCIS shall submit a completed Criminal Justice Agency Application Packet to the bureau.

(2)(a) The bureau shall submit the agency's information to the FBI, which shall determine whether the agency meets the requirements for access to CJIS records established by the FBI.

(b) If the FBI determines the agency is entitled to access any CJIS records, the FBI shall assign the agency an ORI and the bureau shall notify the agency in writing what records it may access on UCJIS using the assigned ORI.

(c)(i) If the FBI determines that the agency is not entitled to access records on CJIS, the bureau shall notify the agency of the FBI's decision and refer the agency to the agencies whose records are available on UCJIS to determine if the agency may have access to those records.

(ii) If the agency is granted access to any records on UJCIS, the bureau shall assign the agency an ORI and notify the agency in writing which records the agency may access using that ORI.

(iii) If the agency is not entitled to access any records on UCJIS, the bureau shall notify the agency in writing and provide notice of the right to appeal pursuant to R722-900-10.

(3)(a) Within 30 days after an agency is granted access to records on UCJIS, it shall submit the following documents to the bureau:

(i) a Criminal Justice Agency Agreement, signed by the agency administrator; and

(ii) a CJIS fingerprint submission form with a legible FD258 fingerprint card for the TAC, which shall be retained in the FBI Rap Back System in accordance with Subsection 53-10-108(14).

(b) The bureau shall conduct a fingerprint-based criminal history background check of the TAC.

(c) If the bureau determines that the TAC meets all the requirements for access to UCJIS, the TAC shall complete the new TAC orientation training provided by the bureau within six months.

(d) If the bureau determines that the TAC does not meet the requirements for access to UCJIS, the bureau shall notify the agency and the TAC in writing including notice of the right to appeal pursuant to R722-900-10.

(4)(a) The agency TAC [shall]may conduct a criminal history check using the name and date of birth of each user or non-user at the agency when making determination concerning employment by the agency.

(b) [If the criminal history check indicates that the user or non-user does not have any criminal history, t]The TAC shall create an account on UCJIS and assign the user or non-user a login id.

(c) [Within 30 days of assigning a login id to a user or non-user, the TAC shall submit to the bureau:]Before a user or non-user is allowed unescorted access to CJIS information or unescorted access to secure or controlled locations with CJIS information, the individual must be approved by the bureau to access CJIS information.

(d) In order to obtain approval to access CJIS information, the TAC must submit to the bureau:

(i) a UCJIS User Agreement for each user and non-user; and

(ii) a CJIS fingerprint submission form with a legible FD258 fingerprint card for all users and non-users employed at the agency, which shall be retained in the FBI Rap Back System in accordance with Subsection 53-10-108(14).

[(d)](e) The bureau shall conduct a fingerprint-based criminal history background check for all users and non-users employed at the agency.

[(e)](f) If the bureau determines that a user or non-user meets the requirements for access to CJIS, the bureau shall notify the TAC that the user or non-user has been approved.

(i) If the individual is approved by the bureau, but has a criminal record, the agency TAC shall notify the bureau that it intends to employ the individual before access to CJIS may be activated.

[(f)](g) If the bureau determines a user or non-user does not meet the requirements for access to CJIS, the bureau shall notify the user or non-user, the TAC, and the agency administrator in writing which includes the right to appeal pursuant to R722-900-10.

(5)(a) Within six months of assigning a login id to a user or non-user, the TAC shall train the user or non-user in accordance with the BCI Operations Manual.

(b) Upon completion of the training, the TAC shall administer a test to the users and submit to the bureau a signed testing agreement form from each user indicating that the user passed all of the required training and testing.

(6)(a) The TAC shall attend the annual TAC training meeting and provide updates to all users and non-user at the agency based on the training.

(b) The TAC shall be responsible for ensuring that all users or non-users at the agency complete all training required by the bureau.

(c) The TAC shall be responsible for ensuring that all users at the agency complete all re-testing required by the bureau.

(d) The bureau may suspend or revoke a TAC's, user's, non-user's access to records if the TAC, user, or non-user fails to complete the required training or testing.

 

R722-900-5. Access for Entities.

(1)(a) An entity seeking access to criminal background check information for employment background checks or other screening purposes shall submit a completed Qualified Entity Application Packet to the bureau, which includes the following:

(i) a Qualified Entity Application Form;

(ii) documentation that it is a business, organization, or governmental entity that is qualified to access criminal background check information;

(iii) a description of why the entity is seeking to conduct employment background checks or other screenings;

(iv) billing information; and

(v) contact information for:

(A) the entity's administrator; and

(B) a point of contact.

(2)(a) The bureau shall review the entity's application to determine whether the entity meets the requirements for access to criminal background check information found in state or federal law.

(b) The bureau may request additional documentation from the entity to verify whether the entity is qualified to access criminal history information.

(c) If the bureau determines that an entity is qualified to access criminal background check information, it shall notify the entity in writing and assign it an entity id.

(d) If the bureau determines the entity is not qualified to access criminal background check information, the bureau shall notify the entity of the bureau's decision in writing and provide notice of the right to appeal pursuant to R722-900-10.

(3)(a) Once an entity has been granted access to criminal background check information, it shall submit the following documents to the bureau:

(i) a Qualified Entity Agreement, signed by the entity administrator; and

(ii) a signed Qualified Entity Employee Agreement for each employee of the entity who will have access to criminal background check information.

(b) Any employee of the entity who has access to criminal background check information shall successfully complete all training and testing required by the bureau.

(c) The bureau may suspend or revoke access to criminal background check information if an employee of an entity fails to complete the required training and testing or violates any provision contained within the signed Qualified Entity Agreement or signed Qualified Entity Employee Agreement.

 

R722-900-6. Individual Right of Access.

(1) An individual may review his or her own criminal history record information contained in a UCH, by submitting a completed Criminal History Record Application to the bureau along with:

(a) a set of fingerprints which have been verified with photo identification at the time the fingerprints were taken;

(b) a copy of a government issued photo identification; and

(c) payment of the processing fee required by Subsection 53-10-108(9)(b).

(2)(a) An individual may challenge the completeness and accuracy of the information contained in the individual's UCH by submitting a completed Application to Challenge Criminal History Records to the bureau along with:

(i) the challenge fee; and

(ii) documentation to establish what information is missing or incorrect on the UCH.

(b) The challenge process shall be an informal adjudicative proceeding under Section 63G-4-203.

(c)(i) If the bureau determines that the individual's criminal history record information is incomplete or inaccurate, the bureau shall amend the UCH.

(ii) The bureau shall send the individual a letter notifying the individual of the changes made to the individual's UCH and a copy of the individual's corrected UCH.

(d)(i) If the bureau determines that the criminal history record information is correct, the bureau shall notify the individual in writing that the UCH shall not be amended.

(ii) An individual may appeal the bureau's decision not to amend a record to district court in accordance with Section 63G-4-402.

(e) If the bureau determines that the individual seeking to challenge the information in the UCH is not the subject of the record, the bureau shall notify the individual in writing.

 

R722-900-7. Right of Access Programs.

(1) A provider seeking to establish a right of access program shall submit a completed Right of Access Contract.

(2)(a) The bureau shall review the Right of Access Provider Contract to determine whether the provider may conduct a right of access program.

(b) The bureau may request additional information from the provider to determine whether the provider may conduct a right of access program.

(c) If the bureau determines that a provider is qualified to conduct a right of access program, it shall notify the provider in writing.

(d) If the bureau determines the provider is not qualified to conduct a right of access program, it shall notify the provider of the bureau's decision in writing.

 

R722-900-8. Audits.

(1)(a) All agencies and entities shall submit to audits conducted by the bureau.

(b) Upon request, an agency and entity shall complete the Pre-audit Request within 30 days from the date it is sent by the bureau.

(c) An agency and entity shall complete the Audit Survey within 30 days from the date it is sent out by the bureau.

(d) The bureau shall review the information submitted by the agency and entity to determine if the agency and entity is in compliance with applicable state and federal statutes, rules, and regulations.

(e) The bureau shall notify the agency and entity of the audit results in writing and give the agency, entity, or provider an opportunity to rectify any issues it found during the audit.

(f) The bureau may suspend or revoke an agency's access to UCJIS or an entity's access to criminal background check information if it fails to comply with the audit or rectify issues found during the audit.

 

R722-900-9. Misuse.

(1) Anyone who has reason to believe that records have been misused may submit a written complaint to the bureau.

(2)(a) The bureau shall conduct a review of its records to determine if there is any evidence to support the complaint.

(b) If the bureau finds evidence indicating records may have been accessed, used, disclosed, or disseminated, the bureau shall notify the agency TAC or entity point of contact and request that an internal review be conducted.

(3) The agency or entity shall be responsible for conducting an internal review to determine if there has been misuse of a record and submit its findings to the bureau within 30 days.

(4)(a) If the agency or entity determines there was misuse, the agency or entity shall submit a corrective action plan to the bureau.

(b) The bureau shall review the corrective action plan to determine if the action taken by the agency or entity was sufficient to address the misuse.

(5) If the bureau finds that an agency, entity, TAC, user, non-user, or employee of an agency or entity misused records, the bureau may:

(a) suspend or revoke the access of the agency, entity, TAC, user, non-user, or employee of an agency or entity; and

(b) refer the matter to the appropriate law enforcement agency for investigation and prosecution.

(6) The bureau may suspend or revoke access to records by an agency, entity, TAC, user, non-user, or employee of an agency or entity if the agency, entity, TAC, user, non-user, or employee of an agency or entity fails to comply with any terms of the signed agreement.

 

R722-900-10. Appeal.

(1)(a) An agency or entity denied access to records may appeal the bureau's decision by sending a written request for review to the bureau within 30 days of the date of the denial of access.

(b) An agency or entity may appeal the bureau's decision to deny a TAC, user, or non-user access to records by sending a written request for review to the bureau within 30 days of the date of the denial of access.

(2) A request for review shall include:

(a) a description of the grounds for review; and

(b) supporting documentation.

(3)(a) The bureau director or the director's designee shall review the request for review and issue a written decision within 30 days from the date of the appeal.

(b) If the bureau's decision to deny an agency or entity is upheld, the bureau shall notify the agency or entity of the right to appeal to the district court by complying with the requirements in Section 63G-4-402.

(c) If the bureau's decision to deny a TAC, user, or non-user is upheld, there shall be no further right of appeal.

 

KEY: access to records, UCJIS, criminal justice agencies, qualified entities

Date of Enactment or Last Substantive Amendment: [December 22, 2015]2019

Notice of Continuation: December 20, 2017

Authorizing, and Implemented or Interpreted Law: 53-10-102; 53-10-108