Missouri Information Analysis Center
MIAC
Privacy, Civil Liberties, and Civil Rights Policy
Table of Contents:
I. Mission/Purpose.......................................................
II. Scope and Compliance.............................................
III. Oversight....................................................................
IV. Information................................................................
V. Quality Assurance....................................................
VI. The Analytical Function...........................................
VII. Inquiry, Complaints, and Redress.........................
VIII. Security.....................................................................
IX. Retention, Purge, and Destruction.........................
X. Accountability...........................................................
XI. Training of Personnel...............................................
I. Mission/Purpose
The Missouri information Analysis Center is tasked with the collection, collation, analysis and dissemination of information to appropriate agencies and individuals, in an effort to mitigate criminal and terrorist activities and respond to natural and man-made disasters in a way that enhances public safety. Equally important is our mission to safeguard the privacy, civil rights, and civil liberties of any individual. Toward that end, the MIAC administers the Missouri Statewide Police Intelligence Network (MoSPIN) and facilitates the flow of information through a network of in-house analysts. Although MIAC administers MoSPIN, it is important to note that MIAC and MoSPIN are not one in the same. They are complimentary programs designed to individually assist other agencies in the public safety effort. The end result is enhancement of the public safety effort and the safeguarding of individual privacy, civil liberties, and civil rights. This detailed policy documents those efforts.
II. Scope and Compliance
All MIAC employees, whether full, part-time, or temporarily assigned, will receive, be trained in and comply with this policy. Internal MIAC and Missouri State Highway Patrol operating policies govern operation and comply with all applicable laws. Agencies and individual users of MIAC work products will comply with applicable sections of this policy and be notified of that requirement as an attachment to the individual work products. All MIAC users, personnel providing information technology services, and private contractors will be directed to the MIAC website for review of this policy and will comply with all federal and state privacy laws cited in the appendix to this policy.
MIAC will post a copy of this policy for public review and make additional copies available to any interested party, public or private. Applicable laws protecting civil rights, liberties and privacy are as follows:
Federal Statutes: 28 CFR Part 23,
State Statutes: RSMo. 610.010, 610.021 through 610.025, 610.027 through 610.030, 610.032, 610.035, 610.100, 610.105 1n3 106, 610.110, 610.115, 610.120, 610.150, 610.200 and 109.180 and 109.190.
III. Oversight
The Director, or his/her designee, has overall responsibility for MIAC operations and its compliance with this policy. A MIAC Assistant Director or Senior Analyst is designated as a "Privacy Officer" whose duties will include training assurance, reception and evaluation of errors and violations of this policy, act as a repository for complaints from the general public regarding this policy, and ensure the MIAC adheres to the provisions of the ISE privacy Guidelines. The Director, Privacy Officer, or authorized designee will comply with the enforcement standards outlined in section X of this policy. This oversight policy is not designed to override the responsibilities of the Superintendent of the Missouri State Highway Patrol and in no way encroaches on the Superintendent's authority. This policy enhances, and is in addition to the already established General Orders of the Missouri State Highway Patrol.
The MIAC Director and Assistant Directors act as the agency's Privacy Committee and when necessary, interact with privacy advocacy groups to address issues with MIAC's information collection, retention, and dissemination processes.
IV. Information
In fulfilling its public safety role, MIAC may actively seek, analyze, disseminate and retain information that is based on criminal predicate, reasonably suspected terrorism nexus, or that which negatively impacts public safety. Such information must be relevant to investigation, prosecution, and/or mitigation of genuine public safety incidents. In order to provide law enforcement, public safety and other affected agencies with useable strategic intelligence, MIAC may also engage in research toward that end. All MIAC employees will ensure that information is verifiable, collected in a lawful manner, and lawfully disseminated. The limitations on the quality of the information will be noted if a source is of doubtful credibility. MIAC may retain preliminary information such as tips and leads, and suspicious activity, providing the information is arguably of public safety interest. Such information will be disseminated as soon as practical to agencies with a vested public safety/enforcement interest. MIAC will not seek or retain information about individuals or organizations based solely on religious, political, or social views and/or activities. This prohibition also applies to information based solely on race, ethnicity, citizenship, place of origin, age, disability, gender, or sexual orientation.
Information received in MIAC will be categorized as to its nature, such as whether the information is of general public safety interest, tips and leads, or criminal intelligence. This information may include the source of the information, the credibility if known, and the validity of the content, if known. Such information will be entered into an activity-tracking database. Upon entry into the activity-tracking database, consideration must also be given to the type of investigation/incident, the protection of sources of information, status and sensitivity of an ongoing investigation, and privacy protection legally required due to the individual's status as a child, sex abuse victim, resident of a substance abuse/mental health treatment program or resident of a domestic abuse shelter. Dissemination of any type of information will be based on a "need/right to know." In the event information pertains to particular classes of citizens or protected persons MIAC will indicate that Privacy Protection is legally required due to the individual's status as a child, sexual abuse victim, resident of a substance abuse/mental health treatment program, or a resident of a domestic abuse shelter.
During receipt, storage, or dissemination of information, MIAC personnel will assess the information for sensitivity, evaluate to determine its credibility, label the information as either unsubstantiated/uncorroborated if the validation or reliability is uncertain, and document the information received/disseminated. As vetted employees of the Missouri State Highway Patrol, MIAC analysts are credentialed to access law enforcement sensitive information. Disclosure of law enforcement sensitive information will only be made to those agencies/individuals employed by other law enforcement agencies, or those with a responsibility for criminal investigations. Tips and Leads information will be clearly labeled as such and be retained long enough to validate the source and reliability of the information. Tips and Leads information will be afforded the same level of physical and technical security as that given to information containing reasonable suspicion.
Information received, analyzed, and disseminated at the MIAC will include at a minimum, indicators for type of criminal investigation, tips and leads, source information, requestor identification, reliability of the source and validity of the content, sensitivity, juvenile information, and protected status information. Information may be reclassified whenever new information is added that would increase/decrease the sensitivity of disclosure.
MIAC will comply with and adhere to the following regulations and guidelines:
1. 28 CFR Part 23 regarding criminal intelligence information;
2. Criminal Justice Guidelines established by the Department of Justice.
3. State statute and Missouri State Highway Patrol General Orders and policy.
In providing information, MIAC contributors are governed by the laws and rules of their individual agencies as well as by applicable state and federal laws and are notified through an attached statement that the information is subject to state and federal laws restricting access, use, or disclosure. MIAC analysts will not knowingly seek, receive, accept, disseminate, or retain information from an entity that is legally prohibited from obtaining or disclosing that information, or who has illegally gathered the information.
V. Quality Assurance
MIAC will make every reasonable effort to ensure that information is derived from reputable sources, is accurate, reasonably up-to-date, and complete given the circumstances. Analysts will investigate suspected errors and deficiencies to the best of their ability and if authorized, correct deficient information. Every effort should be made to notify the original owner of the information as to any errors or deficiencies. Under no circumstances will an analyst use information known to be erroneous, misleading, or unreliable. MIAC will notify recipient agencies in the most efficient method possible when information previously disseminated is found to be in error or deficient in some way.
VI. Collation and Analysis
All MIAC employees have successfully passed a background check, may possess an appropriate security clearance, and have been selected, approved, trained according to MIAC and Missouri State Highway Patrol standards, and are authorized to seek, accept, retain, and disseminate appropriate information. This information undergoes analysis in order to enhance public safety, assist in investigations and prosecutions, and provide tactical and strategic intelligence services to authorized recipients.
If, during analysis, information from disparate sources regarding an individual or organization is determined to be of such validity and quantity to lead a reasonable person to conclude that the individuals or organizations are one in the same, an analyst may merge the information. If the information from disparate sources is only a partial match, the recipient agency will be notified of that fact. If the additional information impacts the validity and reliability of the original information the information retained may be reevaluated.
VII. Inquiry, Complaints, and Redress
Inquiries to MIAC will be screened by the receiving analyst to ensure the requestor is credentialed for the information, and authorized to have access for legitimate law enforcement and public safety purposes. Such assurance may be initiated by recontact with the requesting agency or through verification from a third party. In certain cases, approval from the originator of the information may be needed before dissemination of that information. Information that is considered open-source or public record, may be released outside the public safety community if such disclosure will further the MIAC mission and the recipient has a valid "need to know." In addition, MIAC personnel will not disclose the existence or non-existence of information to any entity if such disclosure would violate federal or state statutes.
MIAC personnel will not sell, publish, exchange or disclose information for commercial purposes, or provide information to unauthorized persons. Permission to distribute Law Enforcement Sensitive information to a Non-Law Enforcement public safety entity will be sought from the owner of that information before any release.
Certain other records will not be disclosed to the public:
1. Public Records required by law to be kept confidential.
2. Certain investigative records of law enforcement agencies.
3. Certain public records, the release of which could aid in the planning and commission of a
terrorist act. Example: Critical Infrastructure information, incl. vulnerability assessment,
security planning, proprietary information, and threat assessments.
4. Certain records owned and controlled by another agency.
Upon satisfactory verification of identity, an individual is entitled to know of the existence of, and to review information, including that from ISE* sources, about him/her retained by MIAC as long as such disclosure would not violate federal or state laws. The individual may obtain a copy of the information for the purpose of challenging its accuracy. Access to this information will be processed through the Missouri State Highway Patrol's records section and official records officer. The MIAC response to these requests will be within a reasonable time. These types of requests will not be honored if such disclosure would compromise an ongoing investigation, compromise a source of information, constitute a release of criminal intelligence, the information does not reside within MIAC, or MIAC does not own, or did not originate the information or if such disclosure would violate federal or state laws.
If an individual has complaints or objections as to the accuracy of information retained, MIAC will inform the individual of complaint reporting/corrections procedure and document that complaint. If that information originated with another agency, MIAC will notify the originating agency, including ISE* sources, and coordinate complaint/corrections procedure. If the information has been provided to the complainant, the originating agency must make a determination to correct the information, remove the record, or assert a basis for denial. All progress in the redress procedure will be documented.
The individual to whom information has been disclosed will be provided notification of reason for denial. The individual will also be informed of the appeals process when MIAC, or the originating agency has declined to correct the challenged information.
VIII. Security
The MIAC Assistant Directors or Senior Analyst will be designated as the center's security officers/ISE Privacy official and will ensure the center operates in a secure manner free from facility and network intrusion. Access to MIAC databases from outside the facility will only be allowed over secure networks. MIAC will store information in such a way that it cannot be accessed, modified, destroyed, or purged by unauthorized personnel.
If an individual's personal information retained by MIAC is compromised, MIAC will notify that individual without delay, provided that notification does not compromise an ongoing investigation. Missouri State Highway Patrol Division of Drug and Crime Control (DDCC) officers will be notified of the compromise to provide investigative assistance. If the security breach was directed toward MIAC Databases, Information Systems personnel will be notified in addition to DDCC investigators.
Individual MIAC Analysts are required to secure ongoing work products within their workspaces at the end of any shift. Wall postings that could possibly compromise the integrity of any investigation or inadvertently reveal personal information should be secured. Visitors through MIAC must provide adequate identification and a valid need to visit, and any maintenance personnel must be escorted.
IX. Retention, Purge, and Destruction
The Missouri Statewide Police Intelligence Network (MoSPIN) is the official Intelligence database utilized by MIAC personnel and administered by MIAC. MoSPIN retains its own retention and purge mechanism in compliance with 28 CFR Part 23. A separate Privacy Policy is in place for MoSPIN. Purge dates are electronically set by the MoSPIN system on an ongoing basis. The MoSPIN system provides automatic notification of upcoming purge dates for each intelligence entry based on the original entry date.
Information that has no further investigative or research value or is found to be in error will be destroyed, purged or returned to the owner. This task will be accomplished at least every 5 years unless the information is re-validated. Notification may or may not be made to the owner of the information, depending on previous agreements.
Such information will be purged electronically from files and destruction and/or redaction of that information will be implemented in hard file backup systems if applicable. MIAC Analysts tasked with such destruction are trained in compliance with 28 CFR Part 23 and need no prior approval for the destruction, redaction, and purge of information.
X. Accountability and Enforcement
MIAC will remain open and accountable to the public regarding information collection practices. A MIAC Privacy policy is posted to the public website at www.miacx.org. Written documentation of the MIAC Privacy policy is available to those who do not have Internet access.
The Director of MIAC with guidance from the Missouri State Highway Patrol legal counsel or Missouri Attorney General's Office, is responsible for responding to inquiries and complaints about privacy, civil rights and civil liberties within the center.
MIAC undergoes independent audits by both the Missouri State Highway Patrol's Communications Division and the Research and Development Division in their annual Staff Inspections.
The MIAC Privacy Officer will review and update the provisions of this policy annually and make appropriate changes in response to changes in the laws, technology, and use of the informational systems. Changes in public expectations may be considered in any review of this policy.
If any MIAC personnel are found to be non-compliant with the provisions of the MIAC privacy policy, the MIAC Director will be notified immediately and will immediately notify the Director of the Division of Drug and Crime Control and suspend access to MIAC Databases, pending a thorough investigation. Further punitive actions will be taken in accordance with Missouri State Highway Patrol policy, general orders, or other administrative rules.
If MIAC users are found to be non-compliant with the provisions of the MIAC privacy policy, the Director or Assistant Directors will request the employer of that user to initiate proceedings to discipline the user, enforce policy provisions, and ensure the integrity of future MIAC usage. Certain cases of abuse may require MIAC to refer the matter to appropriate law enforcement authorities for investigation and possible criminal prosecution.
MIAC reserves the right to limit personnel having access to the systems, and to withhold or suspend service to any agency or individual violating the MIAC Privacy policy. MoSPIN operating procedures ensure user identification, information accessed, and users agree to abide by MoSPIN Privacy Policy.
XI. Training
MIAC will require all employees, including full, part-time, and temporary to participate in training regarding the implementation of this policy. Additional training may be provided by Missouri State Highway Patrol staff attorneys, Missouri Attorney General's Office, and the United States Attorney's Office as to applicable state and federal privacy laws. MIAC privacy policy training will include, but not be limited to the following: Purposes of the Privacy policy, the intent of all provisions of the policy, the application of policy in day-to-day work, and the potential impact of user abuse of information systems. MIAC employees will be familiar with reporting mechanisms regarding violations of the policy, and repercussions, including the potential for dismissal, criminal, and individual civil liability.
* ISE is the Information Sharing Environment-The agencies, policies, procedure, and technologies linked to facilitate terrorism and homeland security information sharing.
