5 key data security best practices for law enforcement agencies
When processing applicant background investigations, law enforcement agencies may need to adhere to CJIS standards and other regulations to ensure compliance with privacy, security and recordkeeping legal requirements
Article developed by Miller Mendel in collaboration with Police1 BrandFocus Staff
Data breaches are becoming increasingly common, each time putting the personal information of thousands of people at risk. In response, privacy and data security policy is becoming increasingly strict, giving individuals more rights over their personal data. Failure to keep pace with new policies can mean steep regulatory fines, increased risk of lawsuits and public relations challenges for any organization.
Law enforcement agencies are not exempt from privacy and data security standards, or immune to data breaches or the related fallout from these kinds of attacks. Law enforcement hiring entails collection and processing of extremely sensitive applicant personal data. When using background investigation software, it is critical that law enforcement agencies take measures to respect and protect the data and privacy of job applicants.
The FBI’s Criminal Justice Information Services (CJIS) Division sets the minimum requirements for handling and storing records that fall within the scope of its jurisdiction. In addition to CJIS requirements, agencies must adhere to general and industry-specific data privacy and security obligations in place in their specific state and local jurisdictions. CJIS requirements relate only to specific information, whereas state law controlling data privacy, data security and other topics, like public records, likely imposes more significant, broader legal compliance requirements.
The rules governing law enforcement agency privacy and data security practices vary across the nation, and the technology is always at least one step ahead. When agencies outsource parts or all of their business or operational practices to a background investigation software service provider, the agency must be sure to use a secure, compliant platform like eSOPH from Miller Mendel, which provides a secure way to collect and share applicant information without losing first-level control and ownership of that data.
Miller Mendel works closely with legal counsel specializing in data privacy and security to ensure that the eSOPH background investigation software meets the strictest standards and compliance requirements. Miller Mendel’s continuous investment in privacy and data security best practices adds immediate value for government agencies using eSOPH.
Consider the following five key data privacy and data security best practices for law enforcement agencies using software for their background investigation process, and how eSOPH is designed to help your agency meet them:
1. PROVIDE NOTICE AND GAIN CONSENT
The foundation of applicant privacy is clear, easy-to-understand notice and consent, says Emily Maass, an attorney specializing in privacy and data security who works closely with Miller Mendel to develop and maintain the eSOPH privacy and data security program.
“A primary tenet of privacy law is providing notice to your end users – in this case the applicant – that is clear and thorough, and that makes sense to them,” she said. “There’s no point in giving someone notice if it’s written in dense legalese or buried in a document that is too long to read through and understand.”
Miller Mendel has designed eSOPH to provide notice and gain consent throughout the application process, walking the applicant through each step with clear notices through pop-ups and brief descriptions. eSOPH provides this notice and collects applicant consent to the collection and use of the applicant’s data for the agency’s recruiting purposes. Miller Mendel applies the same standards to the third-party service providers used to offer eSOPH functions such as credit reporting and social media screening.
2. BUILD TRUST WITH PRIVACY CONTROLS
In addition to complying with regulations, law enforcement agencies can build applicant trust and avoid increased legal risk by making sure the agency uses software that supports applicant privacy rights and does not commercialize applicant personal data in any way, says Maass.
Many online platforms collect and process consumer data and then share or sell it for marketing and advertising purposes. This practice can be lucrative for the software company and downstream recipients of the data, says Maass, but it is not necessarily an appropriate or legitimate use of personal information in the context of police employment background investigations, especially with a government agency.
Unless data sharing is essential for the software to function for your agency’s benefit, applicants should be able to opt out of sharing their data with anyone other than the agency to which they applied or the third-party service providers that help the software to function, says Maass.
In other words, a police officer applicant should not be required to answer very sensitive questions and list all their family members in personal history forms if that data is then going to be commercialized in any fashion by the software provider.
“They might feel that they have been required or coerced to allow a private software company to sell or share their data or to waive their privacy rights in order to be considered for a job with a government agency,” she said. “Those concepts don’t coincide with public trust, and Miller Mendel understands that agencies don’t want to lose qualified applicants because they’re being asked to allow a third party to commercialize their very sensitive and private data.”
Miller Mendel designed eSOPH to support the agency’s recruiting process and uphold applicant privacy rights. This means never asking the applicant to waive their right to privacy and never commercializing applicant personal information. eSOPH is designed to function while supporting the agency’s privacy best practices and gives the agency first-level control over applicant data. The agency can instruct eSOPH to share applicant data with the agency’s recipients, but the recipient must be verified first, and even then the recipient cannot download the applicant data and only has access to view it for three days or a shorter period determined by the agency.
3. OWN YOUR AGENCY’S DATA AND CONTROL ITS USE
Maintaining ownership and first-level control of the data you collect from applicants is critical to ensuring compliance with privacy and public records regulations. This is a key practice, says Maass, because data shared outside the agency is outside the agency’s control, and its security and eventual deletion, often required by law, are difficult or impossible to verify. With eSOPH, the licensing agreement is very clear: The agency maintains ownership and first-level control of all data and the distribution thereof.
“When third parties can access or save applicant data without the agency or applicant’s control, the agency no longer controls the security measures for that data,” she said. “This means data like the applicant’s address, Social Security number, family members’ names and other private details of their lives are subject to the third party’s treatment and may be left vulnerable to a data breach. If there is a data breach, the agency may not be aware or able to notify the applicant.”
If the agency hires the applicant, then officer safety becomes a concern when your officer’s private information is held insecurely in the hands of third parties.
That said, sharing applicant data with untold third parties is not the same as comparing notes. The eSOPH system provides alerts so that background investigators receive a notice if an applicant is already in the system. Applicants are notified of this function during the system registration process. The investigator can see the agency or agencies applied to, date entered and position name. The investigator can then choose to reach out to the other agency to discuss the applicant – but they can’t simply view or download any part of the background investigation documents. eSOPH itself does not share applicants’ private, personal information with other agencies, but authorized representatives from your agency can digitally share specific information without an outside investigator, should your agency be OK with sharing information. As requirements change, your agency has the flexibility to adjust to those requirements.
“Other agencies can see very general information about an applicant’s application history, but that data set is limited to data elements that do not create privacy or security concerns,” said Maass. “There’s certainly no download ability of other background file information from other agencies or anything like that. Miller Mendel views this practice as a huge overstep of applicant privacy and the individual agency’s discretion.”
Put simply, an investigator using eSOPH can see if an applicant has applied with another agency, but the investigator cannot search the eSOPH database for an applicant or download the information submitted to another agency. Agencies using eSOPH own their data and are empowered to share information with an outside agency under a Terms of Access agreement between the two agencies. Each agency using eSOPH decides on a case-by-case basis whether and how much information to share with other agencies, and all transactions are logged with detailed information to address any audit need.
This closed system helps preserve data security by limiting access and reduces the likelihood that an applicant who submits their data through eSOPH may be subject to a data breach. Even if the receiving agency were to experience a data breach, says Maass, the potential impact on the applicant is mitigated under the eSOPH scenario.
“Since eSOPH only shows basic, non-sensitive applicant data, the potential risk to the applicant is less under eSOPH than with software that allows an applicant’s entire file to float around the internet,” she said.
4. COMPLY WITH PUBLIC RECORDS RULES
Applicant data is considered a public record under the law of many states, and although the requirements vary, law enforcement agencies are generally required to maintain applicant data as a public record for some specified period of time, and then destroy it after a specific time period.
“If an agency uses software that shares applicant data with third parties without the agency’s knowledge, the agency will struggle to track who has the record or how it’s secured,” said Maass. “At the end of the retention period, the agency will find it difficult or impossible to ensure proper record destruction.”
In many states, job applications to law enforcement agencies are public record, but certain pieces of personal information are often exempt from public records requests. For example, an applicant’s home address or health information might be exempt from disclosure under public records requests. If an agency uses software that shares applicant data with third parties, the agency may not be able to effectively assert an argument for a public records law exemption to prevent the applicant’s personal information from disclosure even if the information is confidential or otherwise legally protected.
Similarly, if agency data is the subject of a discovery request, the agency maintaining first-level control over its encrypted data held on third-party software is key to the agency controlling the discovery process. If the agency uses software that shares the data with third parties, the agency does not have first-level control over the data or the power to control the agency’s response to the discovery request.
Put differently, using software that functions like eSOPH empowers the agency, not the software company, to assert control over the legal process.
Under the eSOPH licensing agreement, the agency retains first-level control over applicant data, so the agency is empowered to assert exemptions from public records laws and discovery requests that apply, and the system provides a means for secure deletion when the time comes.
5. CHOOSE SOFTWARE THAT SUPPORTS YOUR LEGAL OBLIGATIONS
Law enforcement agencies are responsible for complying with the privacy and data security laws and regulations, as well as the internal policies, that apply to them. The CJIS policy is just one compliance aspect out of many. Outsourcing technical processes to a software platform does not relieve the agency of its legal obligations.
“If an agency uses software developed in a different jurisdiction or a different country, it may or may not meet all the standards that apply to your agency,” said Maass. “Legally, it is your agency’s responsibility to make sure any software used meets these standards. With Miller Mendel, eSOPH has settings defined at the agency level to allow each agency to meet the strictest privacy and data security standards as a best practice. As a result, eSOPH standards meet or exceed data privacy and security standards, including those set forth by CJIS for when information is uploaded that falls within the scope of CJIS.”
For example, the current CJIS policy requires 256-bit encryption in many cases for CJIS-covered data, but eSOPH uses 256-bit encryption at two more levels, depending on the data. eSOPH also provides clear, easy-to-read disclosures and notices to inform the applicants clearly and simply whether their data may be shared with third parties, who those third parties are, why they’re being asked these questions and how the information is going to be used, as well as what to expect from the agency and who to contact if they have questions.
“Those kinds of notices are really valuable if they’re embedded into that user experience in a way that is reader-friendly, user-friendly and easy to navigate,” said Maass. “The goal is to provide eSOPH to agencies without commercializing applicant personal information and, overall, to avoid unwanted surprises for the agency and its applicants.”
For more information, visit eSOPH by Miller Mendel.